Preface

This document forms part of the ABBL’s action plan to fight money laundering, and is designed to bring its members up to the mark in meeting the requirements involved in combatting money laundering and terrorist financing, whilst at the same time helping to enhance Luxembourg’s image as a financial market-place.

For the purposes of this document, the expression combatting money laundering is used to cover not only the fight against money laundering in the strict sense of the term but also the fight against terrorist financing and the unlawful proliferation of weapons of mass destruction, known for short as AML/CFT.

Effective participation by credit institutions and other financial sector professionals in the fight against money laundering presupposes, and is dependent on, a thorough knowledge of the applicable legislation and regulations.

This document is intended to assist them in the effective performance of their obligations, in accordance with the statutory and regulatory provisions applicable in the matter, and to provide various details regarding the practical implementation of the legislation. ABBL is not hereby seeking to impose new professional obligations on credit institutions and other financial sector professionals, or to interpret the legal rules.

Preventing financial channels from being used for money laundering is a top priority, and the players in the financial market-place are cooperating with a view to the application of measures adopted at both national and international levels. In so doing, and in the application of the relevant rules, it is important to ensure that the steps taken strike the right balance between, on the one hand, extreme vigilance with regard to banking and financial operations which could prove to be suspect and, on the other hand, respect for privacy. Whilst the risk of the system being used for money laundering purposes should not be underestimated, it should not be overestimated either. A targeted approach to the real risk needs to be adopted by each and every financial sector professional. That approach must be based on a good knowledge of the level of risk involved and suitable adaptation of the professional’s internal procedures.

The Law of 5 April 1993 on the financial sector, as amended, and the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended, (“the Law”) impose stringent requirements as regards combatting money laundering on, inter alia, credit institutions and the other financial sector professionals (FSPs). For the purposes of this document, the term “professional” is used without distinction to signify credit institutions and other financial sector professionals.

Under Article 39 of the Law of 5 April 1993 on the financial sector, as amended in particular by the Law of 13 February 2018, such institutions and other professionals are in essence subject, in the fight against money laundering, to three professional obligations, namely the obligation to know one’s customers, the obligation to have an adequate internal organisation and the obligation to cooperate with the authorities.

The first part of this document is devoted to an examination of certain particular aspects relating to the predicate offences on which money laundering is based and the material and personal scope of application of the relevant professional obligations. The second part deals with the content of those professional obligations, and the best practices identified to provide professionals with guidance in the implementation of the rules.

Since the Recommendations of the Financial Action Task Force (“FATF”) constitute the international standard on combatting money laundering and the financing of terrorism, a correlation table showing the equivalences between those recommendations and the structure of this AML Handbook appears in Annex I.

This AML Handbook is not intended to provide legal advice and has no normative value. Its aim is, in particular, to make it easier to follow the legal framework of AML/CFT on the basis of the interpretations, understanding and hypotheses accepted by financial actors.

Whilst every effort has been made to ensure that the information contained in this AML Handbook is pertinent and up-to-date as at the time of its publication, that information is not exhaustive.

Thus, the content of this document may change in line with the laws and regulations enacted and adopted and, as the case may be, any updates and clarifications issued by the CSSF, in the light of which this AML Handbook may be updated and supplemented in the future.

Using the interactive handbook

 

MATERIAL SCOPE OF APPLICATION

In order to determine whether a professional is required to lodge a suspected money laundering report, it is necessary to know in advance the offences the object or proceeds of which may give rise to a money laundering offence, but without necessarily circumscribing the offence (Section 1: Predicate offences).

The transposition into Luxembourg law of Directive (EU) 2018/1673 aimed at combating money laundering by means of criminal law will see the offence of money laundering extended to all crimes and offences.

Over and above the scope of application of Luxembourg law to certain categories of offences, professionals must in addition take account, in the context of cross-border activities, of the criminal law of the host country (Section 2: Risks connected with the cross-border transaction of banking and financial business).

Section 1. Money laundering and terrorist financing offences

1.Predicate offences

Article 506-1 of the Penal Code contains a list of predicate offences, made up of two parts: first, offences expressly designated as predicate offences, and second, an open-ended list defined according to a penalty threshold and including all offences punishable by a minimum term of imprisonment of more than six months.

This approach corresponds to Recommendation 3 (money laundering offence) and 5 (terrorist financing offence) of the FATF:

“Predicate offences may be described by reference to … a threshold linked either to a category of serious offences; or to the penalty of imprisonment applicable to the predicate offence (threshold approach); or to a list of predicate offences; or a combination of these approaches.”

“The concept of primary offence refers to all offences covered by Article 506-1 of the Penal Code. This list includes most of the serious offences contained in the Penal Code (for example bankruptcy, corruption, kidnapping, sexual exploitation, forgery, fraud, murder, human trafficking, theft, etc.) or contained in special acts of legislation (for example counterfeiting, criminal tax offences, environmental offences, trafficking of illicit narcotics and psychotropic substances, etc.)”.

Money laundering offences are also punishable where the predicate offence has been committed abroad. However, that offence must be punishable in the State where it has been committed.

2. The elements constituting the offence of money laundering

The offence of money laundering as laid down in Article 506-1 of the Penal Code, being a statutory offence, can only be found by a criminal court to have been committed if it is co-existent both with a material (substantive) element and an element of intent.

2.1  The material element

The material element corresponds to the materialisation of an act or behaviour which will ultimately result in the act of money laundering. The Guideline of the Financial Intelligence Unit (FIU) entitled “Suspicious operations report” sets out the three types of behaviour characterising money laundering offences:

“The offence of money laundering and associated predicate offences, defined in Article 506-1 of the Penal Code and Article 8 (1) (a) and (b) of the Law of 19 February 1973, as amended, on the sale of medicinal substances and measures to combat drug addiction, covers three different types of behaviour:

  1. those who knowingly facilitated, by any means, the misleading justification of the nature, origin, location, availability, movement or ownership of property, which are referred to in section 31, paragraph 2 (1) and which constitute the direct or indirect purpose or product of one or more primary offences or which constitute any kind of patrimonial benefit, resulting from one or more of those offences,
  2. those who knowingly assisted in the placement, concealment, disguise, transfer or conversion of property, which are referred to in section 31, paragraph 2 (1) and which constitute the direct or indirect purpose or product of one or more primary offences or which constitute any kind of patrimonial benefit, resulting from one or more of those offences,
  3. those who have acquired, held or used property, which are referred to in section 31, paragraph 2 (1) and which constitute the direct or indirect purpose or product of one or more primary offences or which constitute any kind of patrimonial benefit, resulting from one or more of those offences.”

“Money laundering consists of any act relating to the proceeds or the object i.e. to any economic benefit drawn from the predicate offence. The legal definition of money laundering is very broad and encompasses a whole set of devices which all serve the purpose to provide a false justification of the origin of the property forming the object or proceeds of the predicate offences.”

2.2  The element of intent

The element of intent is a decisive factor for the commission of the offence of money laundering. Thus, any person who has “knowingly” committed a criminal act referred to in Article 506‑1 of the Penal Code, combined with the material element, will bring about the commission of the offence of money laundering. The person committing the act therefore knows that the funds used derive from an unlawful activity.

Judgment No 14/1 of the Cour d’Appel (Court of Appeal), Criminal Chamber, of 29 March 2017: proof of knowledge of the fraudulent origin of funds is derived from a body of evidence from which it may be concluded that the accused could not have been unaware of the existence of fraud, or must necessarily have known of the fraudulent origin thereof.

Even though a professional is not required to categorise the predicate offence when submitting a suspicious operation report to the FIU, it is a precondition of any reporting initiative that the professional must know the different types of predicate offences in respect of money laundering as set out in Annex II.

The professional submitting the report must do so on the website goAML (see https://justice.public.lu/fr/organisation-justice/crf.html) referring also to the instructions concerning the reporting formalities given by the FIU in its Guideline entitled “Suspicious operations report” (see the tab entitled “Documents” below the link https://justice.public.lu/fr/organisation-justice/crf.html).

Professionals submitting reports may configure their IT system in such a way as to export relevant information directly in a computerised file. That XML file – which must be in strict conformity with the technical requirements imposed by the FIU– may be downloaded in the form of a report (see https://faq.goaml.lu/manuels-dutilisation/faire-une-declaration/telecharger-fichier-xml).

The FIU encourages all professionals to lodge suspicious operations reports via the goAML tool, which enables it to gather invaluable information and data in the exercise of its prerogatives, even where it does not revert to the professionals concerned.

For the answers to all questions regarding the goAML tool, please refer to be the latter’s instruction manuals, available via the following link: FAQ goAML

Moreover, professionals are welcome to contact the FIU direct by telephone (+352 47 59 81-447), or e-mail at crf@justice.etat.lu

3. Elements specific to certain predicate offences

3.1  The offence of terrorist financing

“The offence of terrorist financing, defined in Article 135-5 of the Penal Code, is ‘the act of providing or collecting, by any means, directly or indirectly, unlawfully and intentionally, funds, assets, or properties of any nature, with a view to utilising them or knowing that they will be utilised, partly or in whole, for the purpose of committing or attempting to commit one or more of the offences referred to in paragraph (2) of the present Article (see Annex II), even if they have not actually been used to commit or attempt to commit any of these offences or if they are not related to one or more specific terrorist acts’.”

“The term ‘funds’ includes assets of any kind, whether tangible or intangible, comprising moveable or immoveable property, acquired by whatever means, and documents or legal instruments in whatever form, including electronic or digital form, showing a right of ownership of, or an interest in, such assets or in any bank credits, traveller’s cheques, bank cheques, money orders, shares, securities, bonds, drafts and letters of credit, without this list being exhaustive”.

Recommendation 5 of the FATF thus states that terrorist financing includes financing the travel of individuals who travel to a State other than their States of residence or nationality for the purpose of the perpetration, planning, or preparation of, or participation in, terrorist acts or the providing or receiving of terrorist training.

3.2  Tax crimes

The Fourth Anti-Money Laundering Directive includes, in the definition of “criminal activity” which may give rise to money laundering, the following:

“All offences, including tax crimes relating to direct taxes and indirect taxes, (…) which are punishable by deprivation of liberty or a detention order for a maximum of more than one year or, as regards Member States that have a minimum threshold for offences in their legal system, all offences punishable by deprivation of liberty or a detention order for a minimum of more than six months”.

That provision was transposed into Luxembourg law by the Law of 23 December 2016, which introduces two new offences in the list of predicate offences relating to money laundering:

  • aggravated tax fraud, which is defined according to the tax thresholds evaded or the level of reimbursement obtained;
  • tax evasion, the increased gravity of which is due not only to the amounts involved but also to the fact that means have been employed with a view to deceiving the tax authorities.

The offences of aggravated tax fraud and tax evasion relate both to direct taxes (income taxes, registration fees, inheritance taxes, etc.) and to indirect taxes (VAT).

The offence of money laundering is punishable in respect of the predicate offences of aggravated tax fraud and tax evasion committed as from 1 January 2017.

CSSF Circular 17/650 contains in particular, in Annex I, a list of indicators likely to reveal potential laundering of a predicate tax offence, to which professionals may usefully refer. It should be noted that the presence of an indicator does not in itself justify any conclusion that a predicate tax offence has been committed. A new list of indicators specific to collective investment activities was introduced on July 3, 2020 in CSSF Circular 20/744 (see appendix 2).

Although professionals are not required to specify the predicate offence when lodging a suspicious operations report with the FIU (see Article 5 (1) (a) of the Law), they should be aware of the applicable thresholds needing to be exceeded for the purposes of commission of the predicate tax offences in question.

In the case of a customer resident in Luxembourg for tax purposes, the thresholds applicable to the offences in question are as follows:

“Any person who fraudulently evades or attempts to evade payment of all or any taxes, duties and levies the collection of which is the responsibility of the Administration de l’enregistrement et des domaines apart from value added tax shall, where the fraud thus committed or attempted relates, per reporting period or triggering event, to an amount exceeding one quarter of the duties due, being not less than 10 000 euros or an amount exceeding 200 000 euros, be liable to punishment, for aggravated tax fraud, in the form of imprisonment for a term of between one month and three years and a fine of between 25 000 euros and an amount equal to six times the amount of the duties evaded.

If the person concerned has systematically used fraudulent acts with a view to concealing pertinent facts from the tax authorities or persuading them that inaccurate information is correct, and if such committed or attempted fraud relates, per reporting period or triggering event, to a significant amount, either in absolute terms or in relation to the duties due, the perpetrator shall be liable to punishment, for tax evasion, in the form of imprisonment for a term of between one month and five years and a fine of between 25 000 euros and an amount equal to ten times the amount of the duties evaded.

By contrast, the Luxembourg reporting thresholds are not applicable to non-residents, in respect of whom any potential suspicion should be reported, as the case may be, as from the very first euro, it being understood that the thresholds will vary depending on the customer’s tax residence.

However, money laundering is punishable in Luxembourg only if the offence is also a predicate offence in the country where the customer is resident, in accordance with the principle that the offence in question constitutes an offence in both countries.

4. From the original suspicion to the reporting of a suspicious operation

The obligation to cooperate with the authorities (Chapter 7) requires professionals to “inform the Financial Intelligence Unit (FIU) promptly, on their own initiative, (…) when they know, suspect or have reasonable grounds to suspect that money laundering, an associated predicate offence or terrorist financing is being committed or has been committed or attempted (…)”.

That obligation is such that the idea of a suspicion must exist as a precondition for proceeding, as the case may be, to submit a report to the FIU.

4.1  The notion of suspicion

The FIU defines suspicion as “(…) a negative opinion of someone or of his/her behaviour, based on hints, impressions, intuitions, but without any specific evidence. This means that, when reporting a suspicion, no evidence of money laundering, an associated predicate offence or terrorist financing is required. All that is needed are circumstances which would make such a hypothesis likely”.

“The terms ‘suspect’ or ‘have reasonable grounds for suspecting’ mean that the financial institution must treat the funds involved, the operation concerned or the act in question as suspect where, in accordance with its vigilance obligations and in light of its analysis of the information gathered by it, it is prompted to harbour a suspicion (‘suspect’), or where the circumstances include elements which do not allow it reasonably to dismiss all doubt (‘have reasonable grounds for suspecting’), regarding the lawfulness of the origin of the funds or of the operation, or regarding their economic, legal or fiscal justification”.

“The determination of the suspicion must be the fruit of a process of intellectual reasoning and duly substantiated analysis. It cannot be carried out by means of automated systems alone, but instead requires human intervention founded on an analysis of the atypical facts and operations and the circumstances thereof, in order to decide whether those atypical facts or operations are likely to be linked to money laundering/terrorist financing and must therefore be the subject of a report to the FIU or conversely to conclude, on the basis of that analysis, that such suspicions can be dismissed and that the matter is to be closed without any further action being taken.”

4.2  The origins of the suspicion

The professional may suspect, or have reasonable grounds for suspecting, that money laundering is going on, “(…) in particular in consideration of the person concerned, its development, the origin of the funds, or the purpose, nature and procedure of the operation.

“(…) Reporting a suspicious transaction has no minimum monetary threshold. Several factors should be taken into account, which individually may seem irrelevant, but can generate doubts on the veracity of the operation when combined. In general, when a transaction or financial operation, whether only attempted or already executed, raises questions (from the professional) or raises a feeling of discomfort, worry or suspicion, it could potentially be linked to money laundering, an associated predicate offence or terrorism financing.”

It is best to use indicators that could reveal a possible link to money laundering, an associated predicate offence or terrorism financing. The report forms on goAML Web give three sets of indicators related (1) to the person of the customer or prospective customer, (2) to the operations or transactions, and (3) to the behaviour and profile of the customer or prospective customer.

4.3  Examples of suspected money laundering

The FIU has drawn up examples of indicators linked to the customer as a person, to an operation/transaction and to the customer’s behaviour/profile, relating to particular situations.

The indicators linked to the customer correspond, for example, to:

– criminal records or possession of the status of a PEP;

– suspicious or atypical behaviour;

–  reluctance to hand over supporting documents;

– barely credible evidence of the origin of the customer’s assets;

– insistence on the speedy opening of an account.

Professionals are invited to draw up a list of non-exhaustive list of criteria which will give rise to suspicions on their part.

The indicators linked to an operation or transaction are multi-faceted.

“The suspicion can arise from the fact that the operation or transaction in question is the consequence of fraudulent behaviour, from the frequency of the transaction or operation, from the amount in question, from the unusual use of certain means of payment, from the interference of certain persons, natural or legal, from an act executed by a non-regulated financial intermediary, from the identity of the recipient of the funds or from the price used. The combination of several of these indicators increases the likelihood that money laundering, an associated predicate offence or terrorist financing is being committed.”

4.4  Summary of the reporting process

The process of submitting a report to the FIU may be summarised as follows:

 

The starting point of the period for reporting suspicious transactions to the financial intelligence unit begins as soon as the professional concludes that a residual doubt remains about the prospect / client or the transaction, confirming the suspicion. This is how the professional’s obligation to report “without delay” to the financial intelligence unit is understood.

If the professional considers, given the complexity of the case, that it will not be possible for him to complete his declaration in due form on time, it is recommended to proceed in two stages:

(i) by first sending the financial intelligence unit a short statement with enough elements to enable it to make a decision on a possible blocking

(ii) then an additional declaration to be made as soon as possible to provide additional information.

Exceptionally, in matters of terrorist financing, with regard to preventing a serious danger, the professional will contact the financial intelligence unit by telephone in parallel with the declaration by goAML.

Section 2. Risks linked with the cross-border transaction of banking and financial business

In the context of cross-border business, the legal classification of facts and acts as categorised under foreign laws, which may differ from that under Luxembourg law, may involve enhanced legal risks, notably of a criminal and regulatory nature.

“Member States should ensure that there are no obstacles to carrying out activities receiving mutual recognition in the same manner as in the home Member State, provided that the latter do not conflict with legal provisions protecting the general good in the host Member State.”

“(…) professionals, their dirigeants (executives) and employees are required, on their own initiative, promptly to provide information to the FIU (…)”

The obligation to report suspicious operations incumbent on an institution incorporated under foreign law operating pursuant to its freedom to provide services (FPS) in Luxembourg or via a Luxembourg branch is determined in accordance with Luxembourg law, which means that reports concerning suspected money laundering are to be submitted to the Financial Intelligence Unit (FIU).

(…) the notion of a professional also covers branches in Luxembourg of foreign professionals as well as professionals incorporated under foreign law providing services in Luxembourg without setting up a branch in Luxembourg.

The cross-border transaction of banking business concerns two distinct situations:

  • professionals established in Luxembourg exercising their freedom to provide services (FPS) in other European Union Member States;
  • professionals established abroad operating on Luxembourg territory in the exercise of their FPS or having a branch in Luxembourg.

Professionals operating from Luxembourg in the exercise of their FPS are advised to acquaint themselves in advance of the statutory and regulatory provisions applicable in the territory of the host country/countries (being, inter alia, public order interest rules and overriding mandatory provisions) and their potential impact on the cross-border activities developed.

Professionals operating from or towards Luxembourg in the exercise of their FPS are bound not only to respect the rules designed to combat money laundering in their home country but also to take account of the criminal law and all general public interest rules in the host country.

Indeed, they could find that they are guilty of an offence against the rules laid down by the criminal anti-money laundering laws in the host country, and they must bear in mind that those laws, taken as a whole, encompass all behaviour likely to generate a profit, in so far as such behaviour contravenes the laws in question.

N.B. The Cour d’Appel, in its judgment of 3 June 2009, held that, if necessary or appropriate in accordance with the second paragraph of Article 506-3 of the Penal Code, save in the case of offences for which the law allows a prosecution even though they are not punishable in the State where they have been committed, where the predicate offence has been committed abroad, whether or not it is punishable in the State where it has been committed, its categorisation depends on the Luxembourg law as applied by the court seised of the money laundering offence and not on the law of the State where it was committed.

Professionals operating in the exercise of their FPS are invited to consult the list of supervisory authorities for the financial sector in the 28 Member States as drawn up by the European Banking Authority or the European Securities and Markets Authority.

They may also find it useful to refer to the dedicated sections contained in those authorities’ websites, compiling the relevant information regarding the legal framework in relation to financial crime, for example:

– the website of the Belgian FSMA;

– the website of the UK’s Financial Conduct Authority;

– the website of the German BAFIN

PERSONAL SCOPE OF APPLICATION

Section 1. Financial sector professionals operating in Luxembourg

The Law applies in particular to “credit institutions and financial sector professionals (FSPs) approved or authorised to carry on their activities in Luxembourg pursuant to the Law of 5 April 1993 on the financial sector as amended (…)”, payment institutions, electronic money institutions as well as “tied agents as defined in article 1 of the amended law of 5 April 1993 relating to the financial sector and agents as defined in article 1 of the law of 10 November 2009 on payment services established in Luxembourg ”.

The circle of persons subject to professional obligations in the combatting of money laundering and terrorist financing has now been extended to include all persons acting as family offices, persons carrying on, in Luxembourg, the activity of a provider of services to companies and fiducies, providers of gambling services and bailiffs.

The law of 25 March 2020 transposing the 5th Directive (EU) 2018/843 widened the list of subject professionals, in particular to providers of virtual asset services as well as custody or administration providers.

Section 2. Application of professional obligations to foreign subsidiaries and branches of professionals operating in Luxembourg

1. General principle

“Financial institutions should be required to implement programmes against money laundering and terrorist financing. Financial groups should be required to implement group-wide programmes against money laundering and terrorist financing, including policies and procedures for sharing information within the group for AML/CFT purposes. Financial institutions should be required to ensure that their foreign branches and majority-owned subsidiaries apply AML/CFT measures consistent with the home country requirements implementing the FATF Recommendations through the financial groups’ programmes against money laundering and terrorist financing.”

Policies and procedures at group level:

Professionals forming part of a group are required to implement policies and procedures at group level, in particular data protection policies, as well as policies and procedures relating to the sharing of information within the group for the purposes of combatting money laundering and terrorist financing. Those policies and procedures must be implemented efficiently and in an appropriate manner, taking into account in particular the risks of money laundering and terrorist financing identified and the nature, particularities, size and activity of branches and subsidiaries, at the level of branches and subsidiaries in which a majority interest is held and which are established in Member States and third countries”.

“Group-wide policies and procedures include:

– the policies, controls and procedures provided for in Article 4, paragraphs (1) and (2);

the provision, under the conditions of Article 5, paragraphs (5) and (6), of information from branches and subsidiaries relating to customers, accounts and operations, when necessary, for the purposes from the fight against money laundering and the financing of terrorism, to the functions of compliance, audit and the fight against money laundering and the financing of terrorism at group level. This covers data and analyzes of transactions or activities that appear unusual, if such analyzes have been carried out, and information related to suspicious statements or the fact that such a statement has been transmitted to the FIU. Likewise, when relevant and appropriate for risk management, branches and subsidiaries also receive this information from the group’s compliance functions; and

– adequate guarantees in terms of confidentiality and use of the information exchanged, including guarantees to prevent the disclosure of information “.

Directive (EU) 2013/34 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings defines the term “group” as : “a parent undertaking and all its subsidiary undertakings”.

As regards credit institutions and investment firms falling within the scope thereof, it will be noted that Regulation (EU) 575/2013 defines the terms “parent company”, “subsidiary” and “branch”.

Professionals will thus be required, in consultation with their subsidiaries/branches based abroad, to define a group policy to be implemented by those subsidiaries/branches, even where differences and/or specific national characteristics exist within the legal framework for combatting money laundering on the territories where those subsidiaries/branches are based.

In the implementation of that group policy, professionals must duly take account of the provisions concerning the “professional secrecy obligation” as referred to in Article 41 of the Law of 5 April 1993 on the financial sector.

Moreover, where an exchange of personal data involves a transfer of such data from a professional established in Luxembourg to an entity based in a third country which is not the subject of an adequacy decision of the European Commission, that data transfer may only be effected if it includes the “appropriate safeguards” referred to in Article 46 of the General Data Protection Regulation.

Thus, the professional must use, in particular, the legal instruments provided for to that end, such as binding corporate rules or the standard data protection clauses adopted by the European Commission, alternatively by a supervisory authority.

The law of March 25, 2020 introduced article 4-1, para I, point (b) in the Law allowing professionals of credit / financial institutions of Member States belonging to the same group to exchange information customers / accounts / transactions between group entities (including branches / subsidiaries majority owned and located in third countries), in this case only information necessary for AML purposes, especially those relating to transactions or activities unusual or the fact that a suspicious transaction report has been transmitted to the financial intelligence unit.

1.1  In a Member State

“Professionals operating establishments in another Member State shall ensure that those establishments respect the national provisions of that other Member State transposing Directive (EU) 2015/849.”

A branch/subsidiary established in another Member State must respect the national provisions of that host Member State transposing the Fourth Anti-Money Laundering Directive as amended.

1.2  “Abroad”: in a third State

“Professionals shall apply in their branches and majority-owned subsidiaries located abroad measures at least equivalent to those laid down in Directive (EU) 2015/849 or by the measures taken for their execution with regard to risk assessment, customer due diligence, keeping information and documents, adequate internal management and cooperation with the authorities.”

“Where the minimum standards on combatting money laundering and the financing of terrorism in a country where professionals have branches or majority-owned subsidiaries differ from those applicable in Luxembourg, those branches and subsidiaries shall apply the higher standard, to the extent that the laws and regulations of the host country so permit.”

“In this context, if the standards of the country in which these branches and subsidiaries are located are less strict than those provided for in Luxembourg, the data protection rules applicable in Luxembourg in the fight against money laundering and the financing of terrorism must be respected “, to the extent that the laws and regulations of the host country allow.

“Professionals shall pay particular to ensuring that this principle is complied with in respect of their branches and subsidiaries in high-risk countries.”

Thus, where the legal framework for combatting money laundering by a subsidiary or branch based in a third State features certain lacunae or is less strict than in Luxembourg, that subsidiary or branch based abroad must apply the Luxembourg rules in force.

The models and procedures concerning risk management, customer due diligence, cooperation with the authorities and with the FIU, retention of documents, internal controls, governance, the independent audit function and training must therefore be in compliance with the applicable Luxembourg rules in that regard, taking into account, moreover, the specific national characteristics peculiar to the State in which the branch or subsidiary is established.

2. Subsidiaries and branches established in third countries whose rules do not permit the application of equivalent measures

“Where a third country’s law does not permit the implementation of the policies and procedures required under paragraph 1, professionals shall ensure that their branches and majority-owned subsidiaries in that third country apply additional measures to effectively handle the risk of money laundering or terrorist financing, and inform the supervisory authorities and self-regulation bodies. If those additional measures are not sufficient, the supervisory authorities and self-regulation bodies shall implement additional supervisory measures, including requiring that the group does not establish, or that it terminates, business relationships, and does not undertake transactions and, where necessary, requesting the group to close down its operations in the third country concerned.”

This obligation is particularly relevant in respect of “higher-risk countries” as identified by the FATF.

“Institutions should ensure that their subsidiaries and branches take steps to ensure that their operations are compliant with local laws and regulations. If local laws and regulations hamper the application of stricter procedures and compliance systems implemented by the group, especially if they prevent the disclosure and exchange of necessary information between entities within the group, subsidiaries and branches should inform the compliance officer or the head of compliance of the consolidating institution.”

The fact that a third State does not authorise the subsidiary/branch of a Luxembourg professional to apply the Luxembourg anti-money laundering rules, even where additional measures to mitigate that prohibition are in place, may prompt that professional to regard itself as prohibited from carrying out transactions involving the subsidiary/branch established abroad

Commission Delegated Regulation (EU) 2019/758 (regulatory technical standards) allows professionals to refer to certain standards in the following contexts:

(1) individual risk assessments

(2) customer data sharing and processing

(3) disclosure of information related to suspicious transactions

(4) transfer and retention of data

2.1  Individual AML/CFT assessments

“Where the third country’s law prohibits or restricts the application of policies and procedures that are necessary to identify and assess adequately the money laundering and terrorist financing risk associated with a business relationship or occasional transaction due to restrictions on access to relevant customer and beneficial ownership information or restrictions on the use of such information for customer due diligence purposes”,

the professional must, at the very least:

  • inform the competent authority of the home Member State without undue delay and in any case no later than 28 calendar days after identifying the third country of the following:
    • name of the third country concerned; and
    • how the implementation of the third country’s law prohibits or restricts the application of policies and procedures that are necessary to identify and assess the money laundering and terrorist financing risk associated with a customer;
  • ensure that [its] branches or majority-owned subsidiaries that are established in the third country determine whether consent from their customers and, where applicable, their customers’ beneficial owners, can be used to legally overcome restrictions or prohibitions referred to [above];
  • ensure that [its] branches or majority-owned subsidiaries that are established in the third country require their customers and, where applicable, their customers’ beneficial owners, to give consent to overcome restrictions or prohibitions referred to [above] to the extent that this is compatible with the third country’s law.

Where the consent of the customer/beneficial owners is not feasible, credit institutions and financial institutions shall take additional measures as well as their standard anti-money laundering and countering the financing of terrorism measures, to manage risk.”

  • EXAMPLES OF ADDITIONAL MEASURES:

Article 3 of Delegated Regulation 2019/758 provides that at least two additional measures must be taken where necessary: the measure set out in point (c) of Article 8 and at least one of the measures set out in points (a), (b), (d), (e) and (f).

Accordingly, the following measure must be taken:

  • carrying out enhanced reviews, including, where this is commensurate with the money laundering and terrorist financing risk associated with the operation of the branch or majority-owned subsidiary established in the third country, onsite checks or independent audits, to be satisfied that the branch or majority-owned subsidiary effectively identifies, assesses and manages the money laundering and terrorist financing risks.

That measure must be combined with at least one other pertinent measure, such as, for example:

  • ensuring that its branches or majority-owned subsidiaries that are established in the third country seek the approval of the credit institution’s or financial institution’s senior management for the establishment and maintenance of higher-risk business relationships, or for carrying out a higher-risk occasional transaction;
  • ensuring that its branches or majority-owned subsidiaries that are established in the third country restrict the nature and type of financial products and services provided by the branch or majority-owned subsidiary in the third country to those that present a low money laundering and terrorist financing risk and have a low impact on the group’s AML/CFT risk exposure;
  • ensuring that its branches or majority-owned subsidiaries that are established in the third country carry out enhanced ongoing monitoring of the business relationship including enhanced transaction monitoring, until the branches or majority-owned subsidiaries are reasonably satisfied that they understand the money laundering and terrorist financing risk associated with the business relationship.

Where a credit institution or financial institution cannot effectively manage the money laundering and terrorist financing risk by applying the measures referred to above, it must:

  • “ensure that the branch or majority-owned subsidiary terminates the business relationship;
  • ensure that the branch or majority-owned subsidiary not carry out the occasional transaction;
  • close down some or all of the operations provided by their branch and majority-owned subsidiary established in the third country”.

2.2  Customer data sharing and processing

The reader is referred to the Delegated Regulation, having regard to the prohibition of/restriction on sharing customers’ data imposed by the third State, and the measures prescribed in relation thereto, to be carried out within the group, are similar to those mentioned above.

In short, the professional must;

  •    inform the competent authority of its home Member State;
  •    where necessary obtain the consent of its customer/the beneficial owner(s) to the transmission of information; and
  •    if need be, take the requisite additional measures to overcome the problem in cases where such consent(s) cannot be obtained. Those additional measures include the ones referred to in points (a) and (c) of Article 8.
  • where the risk of money laundering/terrorist financing is sufficiently high to necessitate other additional measures, credit institutions and financial institutions must apply one or more of the other additional measures mentioned in points (a) to (c) of Article 8.

2.3 Intra-group disclosure of information related to suspicious transactions

“The prohibition (of communication to the customer of the fact that information concerning him/her/it has been disclosed to the FIU) shall not apply to disclosure between credit institutions and financial institutions in Member States, provided they belong to the same group, or between those institutions and their branches and majority-owned subsidiaries located in third countries, on condition that those branches and majority-owned subsidiaries fully respect the policies and procedures defined at the level of the group, including procedures for sharing information within the group, in accordance with Article 4-1 or Article 45 of Directive (EU) 2015/849, and that the group-wide policies and procedures comply with the requirements laid down in this Law or in Directive (EU) 2015/849”.

This exception is to be strictly construed, in that it is applicable only in an intra-group context.

“For professionals who are part of a group, they are required to include in their group-wide policies and procedures, the policies, controls and procedures required (by the Act) and the provision (…) of information from branches and subsidiaries relating to customers, accounts and transactions, where necessary for AML/CFT purposes, to the compliance, audit and AML/CFT functions at group level.

This includes data and analyses of transactions or activities that appear unusual, if such analyses have been carried out, and information relating to suspicious reports or the fact that such a report has been forwarded to the FIU.

Similarly, where relevant and appropriate for risk management purposes, branches and subsidiaries also receive such information from the group compliance functions. Adequate safeguards for the confidentiality and use of the information exchanged, including safeguards to prevent disclosure of information, should be provided.”

“Information on suspicions that funds are the proceeds of money laundering or of an associated predicate offence, or are related to terrorist financing, reported to the Financial Intelligence Unit shall be shared within the group, unless otherwise instructed by the Financial Intelligence Unit.”

2.4 Transfer of customer data to the Member States in the context of AML/CFT supervision

“Where the third country’s law prohibits or restricts the transfer of data related to customers of a branch or majority-owned subsidiary established in a third country to a Member State for the purpose of supervision for anti-money laundering and countering the financing of terrorism, (…)”, the professional must at least inform the competent authority of the home country as indicated in point 2.1 above.

The professional must, in addition, at least:

  • carry out enhanced reviews, on-site checks or independent audits of the branch or majority-owned subsidiary established in the third country;
  • require the branch or majority-owned subsidiary established in the third country regularly to provide relevant information to the credit institution’s or financial institution’s senior management, including:
    • the number of high-risk customers;
    • the number of suspicious transactions identified and reported;
  • make the information available to the competent authority of the home Member State upon request.

 

RISK BASED APPROACH

1There exist three levels of risk assessment:

  • a supranational risk assessment at European level, the results of which were published by the European Commission on 26 June 2017, updated on 24 July 2019.
  • a national risk assessment to be carried out by each Member State with a view to evaluating the level of risk attaching to activities carried out in its territory.

Luxembourg updated its national risk assessment concerning money laundering and terrorist financing on 15 December 2020. A concise summary of the national risk assessment is made available to professionals.

“Each Member State shall make appropriate information available promptly to obliged entities to facilitate the carrying-out of their own money laundering and terrorist financing risk assessments”:

  • Identification, assessment and proper understanding by the professional itself of the risks it faces, which must enable the latter to determine which due diligence measures will be applied to the business relationship on the basis of the materiality of the risk.

“To this end, the professional must integrate different sources into his risk management procedures, including:

  • The supranational report of the European Commission on the risks of money laundering and terrorist financing (“Supra National Risk Assessment”);
  • The national risk assessment for money laundering and terrorist financing (“National Risk Assessment”);
  • Sub-sector ML / FT risk assessments (“sub-sector Risk Assessments”);
  • The Joint Guidelines issued by the 3 European supervisory authorities (ESMA, EBA and EIOPA) on money laundering and terrorist financing risk factors (“Risk factor Joint Guidelines”);
  • Relevant CSSF publications ”.

(see below, “The obligation to carry out a risk assessment”).

The risk-based approach cannot be dissociated from the notion of risk appetite in the combatting of money laundering.

Risk appetite should at least take into consideration factors such as the business carried on, the target clientele and undesirable customers, the geographical countries/areas concerned, and prohibited structures (…).

“The professional’s determination of his risk-based approach is necessarily based on the definition of ML / FT risk appetite, as approved by the board of directors and transposed by authorized management.

The strategy must be consistent with this approach. The AML / CFT policies, procedures and controls put in place within the professional must be consistent with the appetite for the previously defined risk. This definition and strategy must be communicated in a precise, clear and understandable manner to all the personnel concerned “.

Section 1. Identification and assessment of risks

“(…) Countries should identify, assess, and understand the money laundering and terrorist financing risks for the country, and should take action (…) and apply resources, aimed at ensuring the risks are mitigated effectively. Based on that assessment, countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified.” This recommendation was updated by the FATF in November 2020 for professionals to identify, assess and mitigate the risks of potential breaches of non-application or bypassing of financial sanctions relating to proliferation financing.

Both the Law and CSSF Regulation n ° 12-02 require professionals to identify and assess the money laundering and terrorist financing risks to which they are exposed.

In addition to the professional’s obligation to assess the overall risk in relation to his activity, he also classifies individual risks concerning his business relationships.

The professional classifies all of his clientele according to a coherent combination of risk factors.

“Besides those cases where the risk level is to be considered as high pursuant to the Law or the Grand-Ducal Regulation, that level shall be assessed according to a consistent combination of risk factors defined by each professional according to the activity exercised and inherent to the following risk categories:

type of customers (including client, agent, beneficial owner);

countries and geographic areas;

products, services, transactions or;

– distribution channels.”

“Professionals determine the scope of due diligence measures (with regard to customers) according to their assessment of the risks associated with the types of customers, countries or geographical areas and with particular products, services, transactions or distribution channels”.

The Law draws a clear distinction between, on the one hand, the obligation to carry out an assessment of the risks of money laundering and terrorist financing which the institution concerned faces by virtue of the business areas in which it engages and, on the other hand, the obligation to apply due diligence measures in relation to its customers, the extent of which will depend on the assessment of the risks regarding each customer or prospective customer.

See Part 2, Chapter 1 : “Obligations vis à vis customers

“(1) Professionals shall take appropriate steps to identify, assess and understand the risks of money laundering and terrorist financing that they face, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or distribution channels. Those steps shall be proportionate to the nature and size of the professionals.”

That article is accompanied by three annexes (II to IV) in the Law, setting out, first, a non-exhaustive list of the risk variables which professionals should automatically take into consideration, followed by two lists of factors/elements indicative of a potentially lower risk and a potentially higher one.

(2) Professionals consider all relevant risk factors before determining the overall risk level and the level and type of appropriate measures to apply to manage and mitigate those risks. Professionals also ensure that the risk information contained in the national and supranational risk assessment or communicated by supervisory authorities, self-regulatory bodies or European supervisory authorities is included in their risk assessment.

Professionals shall document, keep up-to-date and make the risk assessments referred to in paragraph 1 available to the supervisory authorities and self-regulation bodies. The supervisory authorities and self-regulation bodies may decide that individual documented risk assessments are not required where the specific risks inherent in the sector are clear and understood.

(3) Professionals shall identify and assess the risks of money laundering and terrorist financing which may result from the development of new products and business practices, including new

distribution mechanisms, and the use of new or developing technologies related to new or pre-existing products.

Professionals shall: (a) assess the risks before the launch or use of these products, practices and technologies; and (b) take appropriate measures to manage and mitigate those risks.

THE OBLIGATION TO CARRY OUT A RISK ASSESSMENT

Risk factors

Subsection 1. Factors and elements indicative of a potentially higher risk as referred to in Article 3-2 (I), second subparagraph of the Law:

The specific risks listed here are discussed in greater detail later on in this Handbook, in dedicated sections dealing with the different sectors of activity.

Professionals will take note, in particular, of a potentially higher risk in the cases referred to below:

1.1 Risk factors inherent in customers

  1. business relationships occurring in unusual circumstances;
  2. customers residing in high-risk geographical areas (…);
  3. legal persons or legal arrangements which are structures for holding personal assets;
  4. companies whose capital is held by nominee shareholders or represented by bearer shares;
  5. activities necessitating large amounts of cash;
  6. companies whose ownership structure appears unusual or inordinately complex, having regard to the nature of their business;
  7. the customer is a third country national who applies for residence rights or citizenship in the Member State in exchange for capital transfers, purchase of property or government bonds, or investment in corporate entities in that Member State.

On 17 October 2018 , the OECD published Recommendations concerning lists of programmes of residence and citizenship that can be obtained by investment (“Citizenship by Investment” and “Residence by Investment”) which may pose a high risk to the integrity of the Common Reporting Standard (CRS).

According to the OECD, financial institutions are required to take that list duly into account when performing their due diligence obligations in relation to fiscal transparency.

Those programmes may also be misused to conceal offshore assets by circumventing the reporting obligation under the OECD’s Common Reporting Standard.

In addition to the higher-risk factors inherent in certain customers, professionals must invariably take full account of the risk variables mentioned below in relation to their customers:

 

“Professionals take into consideration, in their assessment of the risks of money laundering and terrorist financing, linked to the types of customers, to the countries and geographical areas and to the specific products, services, operations or distribution channels, the risk variables linked to these risk categories. These variables, taken into account individually or in combination, can increase or decrease the potential risk and, consequently, have an impact on the appropriate level of due diligence measures to be implemented ”.

In short, the risk factors are linked to the customer himself, in light of his behaviour and of any unusual circumstances characterising the business relationship.

In some cases, the professional will be unable to agree to enter into a business relationship with a customer, either because this is prohibited by law or because the risks inherent in the customer are too high, in particular:

– where the customer appears on an official list or lists of persons/entities/groups subject to restrictive measures in financial matters in the context of combating terrorist financing;

– where the nature of the activities carried on by the customer represents an excessively high risk which cannot be mitigated or which does not correspond to the risk policy previously defined by the professional;

– where the professional is unable to offer the product/service requested by the prospective customer (e.g. acting as the custodian bank for virtual currencies, or providing a money remittance service);

– where the professional finds that the prospective customer is unable to provide the requisite guarantees, as determined by the professional concerned, evidencing fiscal transparency/conformity;

– where the professional finds that the documentation enabling it to comprehend the structure of a company/chain of companies or the economic justification for a financial arrangement is insufficient;

– any other circumstance rendering it impossible to dispel any doubts existing in the mind of the professional.

1.2 Risk factors linked to products/services/transactions/distribution channels

(a) private banking

Private banking, or more precisely the management of assets consisting in the provision of banking services and other financial services to high-net-worth individuals, is cited as a high-risk factor. According to the European Banking Authority (EBA), the presence of this activity amongst the risk factors is due to the risk of tax evasion. The EBA states that wealth management firms’ services may be particularly vulnerable to abuse on the part of customers who wish to conceal the origin of their funds or, for example, evade tax in their home jurisdiction.

In the opinion of the Joint Committee of the European Supervisory Authorities, private banking/wealth management gives rise to a potentially higher risk. Professionals must assess in each case the risks relating to the customer, taking into consideration a series of risk criteria or circumstances peculiar to the business relationship.

Summary (in French) of the national money laundering risk assessment [/ left-bookmark]

Thus, different risk factors exist, depending on the profile of the customer wishing to enter into a business relationship.

The National Money Laundering and Terrorist Financing Risk Assessment 2020 notes that private banking is particularly exposed to money laundering risks, in particular for the complexity of certain products such as asset structuring activities.

(b) products or transactions that might favour anonymity;

(c) non-face-to-face business relationships or transactions, without certain safeguards, such as electronic identification means, relevant trust services within the meaning of Regulation (EU) No 910/2014 or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the authorities national concerned;

(d) payments received from unknown or unassociated third parties;

(e) new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products;

(f) transactions related to oil, arms, precious metals, tobacco products, cultural artefacts and other items of archaeological, historical, cultural and religious importance, or of rare scientific value, as well as ivory and protected species”.

1.3 Geographical risk factors

The factors/elements indicative of a potentially higher risk are as follows:

“(a) (…) countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective anti-money laundering and counter-terrorist financing systems;

(see for example the mutual evaluations or assessment reports of the FATF)

(b) countries identified by credible sources as presenting significant levels of corruption or other criminal activity (see for example the list of countries (corruption) published by Transparency International);

(c) countries the subject of sanctions, embargoes or other similar measures imposed by, for example, the European Union or the United Nations (see the list of sanctions of the Security Council of the United Nations);

(d) countries financing or supporting terrorist activities or that have designated terrorist organisations operating within their territory”.

“The supervisory authorities and self-regulatory bodies provide professionals with information on countries which do not apply or insufficiently apply measures to combat money laundering and the financing of terrorism and in particular on the concerns raised by the failures of anti-money laundering and anti-terrorist financing systems in the countries concerned.

The supervisory authorities may require credit and financial institutions to adopt one or more enhanced due diligence measures proportionate to the risks (…), in the context of business relationships and transactions with natural persons or legal entities involving such countries ”.

In addition to the above, professionals should draw up a list of countries posing a high risk of money laundering or terrorist financing.

In practice, professionals usually draw up lists classifying countries in different categories: low risk, medium risk high risk. Certain countries may present risks regarded as unacceptable by certain institutions.

Annex III provides professionals with relevant links relating inter alia to lists of countries subject to prohibitions and restrictive measures in financial matters and third countries presenting a low risk of corruption/terrorist financing.

The professional will ensure that the instructions published by the CSSF are complied with, if applicable.

1.4 International financial sanctions

A) Essentials on International Financial Sanctions

Financial sanctions are restrictive measures in financial matters, taken against certain States, natural or legal persons, entities and groups about a change of policy (domestic or foreign) or activity on the part of the States or persons designated.

The Ministry of Finance is competent to deal with all questions relating to the implementation of financial sanctions raised both by those at whom those measures are targeted and those who are called upon to apply them. Accordingly, professionals shall inform the Ministry of Finance of the enforcement of each restrictive measure (including attempted transactions) taken in respect of a State, natural or legal person, entity or group designated according to the Law of 19 December 2020 on the implementation of restrictive measures in financial matters.

In the same vein, professionals who have reported a case of sanction to the Ministry of Finance shall simultaneously address to the CSSF a copy of this report.

The CSSF remains the competent supervisory authority, which will verify professionals’ compliance with the Law on financial restrictive measures. Consequently, the CSSF will be able to apply administrative sanctions to professionals, which would fail implementing appropriate procedures/processes in this regard.

Any notification to the Ministry of Finance and associated with restrictive measures shall be made without prejudice for professionals to make, as the case may be, suspicious activity/transaction reports to the Financial Intelligence Unit.

WHAT TO DO?

In order to avoid the eventuality that a customer or prospective customer may be subject to international sanctions, professionals must have in place stringent procedures for identifying persons and monitoring transactions involving, in particular, technical resources/filtering systems based on lists of international sanctions (filtering of names, transactions and the SWIFT messaging system).

In the specific context of combatting terrorist financing and proliferation financing, banks must take into consideration, in particular:

– the Law of 19 December 2020 relating to the implementation of restrictive measures in financial matters.

The Law of 19 December 2020 repealed the law of 27 October 2010 and implements in Luxembourg the restrictive measures in financial matters adopted against certain States, natural and legal persons, entities and groups by the provisions of the resolutions adopted by the Security Council of Nations and certain acts of the European Union.

– the consolidated electronic list of persons, groups and entities on which the EU has imposed financial sanctions;

– the list of sanctions of the Office of Foreign Assets Control (United States of America) in so far as these have extra-territorial scope;

The aforementioned procedures shall cover the customer due diligence measures set out in the Law, encompassing the identification of the customers/beneficial owners but also the scrutiny/monitoring of transactions throughout the course of the customers’ relationships, ”without delay”,  to ensure that funds will not be made available to States, persons, entities and groups subject to restrictive measures in financial matters.

As soon as a case of sanction is spotted, professionals should not hesitate to escalate it without delay to the Ministry of Finance and provide it with all necessary information linked to the case at hand.

The reporting of cases of sanctions to the Ministry goes hand in hand with the hard blocking of the account (cash & financial instruments) without delay, the latter being an obligation of result. Indeed, professionals shall apply without delay the required restrictive measures, hence proceed to the freezing of funds owned by the listed person.

The reporting made to the Ministry of Finance shall yet not be confused with a suspicious transaction/activity reporting made to the Financial Intelligence Unit.

Indeed, the “no-tipping off” rule obligates professionals not to inform their customers/prospects on the fact that their accounts are blocked, whereas such rule would not apply to restrictive measures in the event that no STRs/SARs were made. The list of sanctions being publicly available, customers under financial restrictive measures could eventually be informed on the fact that their accounts are frozen.  

The consequences of failure to take into consideration persons/groups/entities/countries featuring in particular on those lists may considerably impact the activities carried on, and the services provided, abroad by the professional (criminal prosecutions, administrative penalties, reputation risks, substantial fines, and/or suspension/withdrawal of an authorisation or licence).

The ABBL recommends that professionals should regularly check the list of resolutions of the Security Council of the United Nations and to sign up free of charge to the Financial Sanctions Newsletter published by the Ministry of Finance. Professionals may also consult and sign up for the consolidated list of sanctions imposed by the European Union. The Ministry of Finance also provide useful tools to help professionals keep up with processing international financial sanctions. So does the CSSF with its website dedicated to international financial sanctions.

The ABBL also recommends that professionals opt to put in place an internal system possibly resembling the one illustrated below:

The European Commission stated in an opinion of 7 June 2019 that all funds and economic resources belonging to the entities listed in Annex VI of Regulation 2016/44 include interest, dividends or other incomes from assets or capital gains stemming from frozen assets.

WHAT TO DO … when the professional conducts its research?

As regards measures to freeze assets, any indications relating to pseudonyms which feature in the ID information may be taken into account, depending on their reliability. The professional must conduct its research working on the basis of reliable pseudonyms, that is to say, high-value pseudonyms considered to be of great significance for identification purposes

Unreliable pseudonyms, that is to say, low-value pseudonyms considered to be of minor importance for identification purposes, help economic operators and other actors to confirm the ID of persons at whom sanctions are targeted.

A professional may be confronted with a homonymy situation, where the surname and first name of a prospective customer are the same as those of a person listed, including where the surname is not distinguishable from the first name.

In cases of homonymy, the accounts must be closely watched and movements must be suspended. The Ministry of Finance must be alerted so that it can decide on the situation.

The fact that the surname and first name of the person concerned are the same as those of a listed person is not enough to justify concluding that the case involves one and the same person. On the contrary, there may be other information showing very clearly that it involves quite different persons. For example, such information may reveal a different geographical location, different posts and occupations, different dates of birth and/or different passport numbers.

Professionals confronted with possible cases of homonymy must seek further information before taking any decision, and must keep a written record of the results of their research. If that information, taken as a whole, manifestly shows that another person is involved, it will not be necessary or appropriate to contact the Ministry of Finance.

Where there is any doubt or if the homonymy research proves unconclusive,, the professional should contact the Ministry of Finance and suspend movements on the account(s) concerned (cash and financial instruments) pending final clarification. The availability of a limited number of pieces of information will not by itself justify the pursuit of an operation.

B) Specific clarifications related to national/international financial sanctions regime

SCREENING SCOPE of CSSF Regulation 12-02:

Professionals should implement control mechanisms that allow them, when accepting customers or monitoring the business relationships, to identify, among others:

  • the persons as referred to in Articles 30, 31 and 33 of the regulation;
  • the funds coming from or going to  States, persons, entities or groups as referred to in Article 33 of this regulation (…)”

The name screening has to include all the accounts of customers and their transactions and shall apply to customers, proxies, initiators  and beneficial owners as well as, as regards the supervision of transfers of funds, to the payer of an incoming transfer of funds and the recipient of a transfer of funds going out of the customer’s account.

Remember:

The screening scope is not subject to the risk-based approach enshrined in the Law and cannot be invoked/used by professionals when applying sanctions screening.

The identification researches carried out shall be duly documented, including in cases where there are no positive results.

Professionals also have the obligation to identify the States, persons, entities and groups subject to restrictive measures in financial matters also with respect to the assets they manage and to ensure that the funds will not be made available to these States, persons, entities or groups.

SCREENING TIMING & SCREENING FREQUENCE

Professionals have to carry out a name screening :

  1. before establishing a new business relationship
  2. before carrying out wire transfers by debit of customer account or before crediting incoming funds to customer accounts;
  3. on longstanding business relationships.

In its annual activity report of 2014, the CSSF stated that « Controls such as “name matching”, i.e. controls on the client database performed in relation to:

  •  acts directly applicable in Luxembourg, as adopted by the EU (in particular, EU regulations) and including prohibitions and restrictive financial measures against certain persons, entities or groups respectively i. in the context of the fight against terrorist financing or ii. in the context of other financial embargoes; and
  • national regulatory texts concerning financial sanctions relating to the fight against terrorist financing based (on the law of 27 October 2010) implementing the United Nations Security Council resolutions (and Grand-ducal Regulation of 29 October 2010) enforcing the aforementioned law

« must be performed without delay after the publication of each new amendment ».

Such controls are independent from any other frequency of controls, of whatever type (for example, in relation to the detection of PEPs), which may have been put in place by the professional ».

“Without delay” means, in the context of the implementation of the financial sanctions, including the freeze of assets or other economic resources or other restrictive measures taken in application of the above-mentioned texts :

« a delay of, ideally, a few hours following the publication of the measures by the CSSF and/or the Ministry of Finance ». In any case, it should be interpreted in relation to the need to prevent the outflow or the dispersion of funds or other goods linked to the designated persons, entities and groups.

WHAT TO DO?

Professionals must ensure that their screening tools are updated without any delay with the names of newly designated or de-listed persons or entities after the publication of the measures by the CSSF and/or the Ministry of Finance.

Professionals must also carry out a name screening on longstanding business relationships without any delay after the publication of the measures by the CSSF and/or the Ministry of Finance and to take into account the amendments also when entering new business relationships or executing in/out wire transfers. 

1.5 Risks surrounding Virtual Assets (a.k.a. crypto assets) and Virtual Asset Service Providers

Overview

In the current ecosystem of growing cross-border/digital transactions and the rapid rise of trades involving crypto assets, there is a need to understand and mitigate the ML/TF risks associated with crypto asset providers/activities. The 2018 and 2020 Luxembourg national risk assessments highlighted virtual assets (“VAs”) as one of the key emerging and evolving risks of ML/TF.

Banks are exposed to risks stemming from VAs as they are the point of contact of centralised exchange users with the traditional finance sector. Criminals using VAs for ML/TF activities need to convert VAs to fiat, or vice-versa. For these purposes, criminals use exchanges, the deposits and withdrawals from which are usually done to and from bank accounts.

Credit institutions are exposed to the risks arising from virtual currencies (“VAs”) mainly in circumstances where customers of regulated credit and financial institutions deal in VAs or where they are VASPs. The main factors contributing to the increased exposure to the ML/TF risks is the limited transparency of VAs transactions and the identities of the individuals involved in these transactions.

The FATF indeed draws attention to the top two threats related to the VAs risk landscape:

  • The continued use of of tools and methods to increase the anonymity of VAs transactions putting at risk the “travel rule” (i.e., identification of the originators and beneficiaries of VA transactions), hence potentially the KYC procedures set-up by VASPs;
  • VASPs registered or operating in jurisdictions that lack effective AML/CFT regulation, possibly revealing weak AML/CFT systems and procedures.

Definitions

Professionals may be involved in VAs activities or even act as Virtual Asset Service Providers (VASPs).

A virtual asset is “a digital representation of value, including a virtual currency, that can be digitally traded, or transferred, and can be used for payment or investment purposes, except for virtual assets that fulfil the conditions of electronic money and the virtual assets that fulfil the conditions of financial instruments”.

A VASP is any person providing, on behalf of or for its customer, one or more of the following services:

(a) the exchange between virtual assets and fiat currencies, including the service of exchange between virtual currencies and fiat currencies;

(b) the exchange between one or more forms of virtual assets;

(c) the transfer of virtual assets;

(d) the safekeeping or administration of virtual assets or instruments enabling control over virtual assets, including the custodian wallet service;

(e) the participation in and provision of financial services related to an issuer’s offer or sale of a virtual asset

Understanding VAs and VASPs

For financial institutions to better apprehend the ML/TF risks of their VASPs customers, it is necessary to briefly understand the ML/TF risks the latter must deal with. VASPs’ exposure to ML/TF threats is due to multiple factors, to the extent that those financial institutions are exposed to:

  • Non-face-to-face business relationships
  • International nature of business
  • High volume of transactions
  • Technological complexities of VAs/VASPs
  • Anonymous properties of VAs
  • High volatility and complex valuation of VAs

Potential exposure of VASPs at each ML/TF step:

 

Mitigation of risks (overall)

WHAT TO DO

Even though the activities of some VASPs may present a higher level of risk, professionals can adapt their risk-based approach accordingly, with a view of avoiding the kind of de-risking that may restrict digital innovation and hinder the growth of distributed ledger technology in Luxembourg. Overall, the risk appetite of professionals needs to take into consideration the various aspects of VAs and VASPs’ activities.

Professionals can mitigate the risks at hand notably by:

  • Making sure that the VASPs have strong AML/CFT processes and procedures, esp. regarding compliance with the travel rule in the presence of crypto exchange platforms (“CEP”), the percentage of transactions linked to unhosted/private wallets, and the mechanisms used for sanctions screening; 
  • Bearing in mind that the ML/TF core red flags indicators for VASPs do not substantially differ from those encountered by financial institutions. Red flags indeed relate to transactions (size/frequency/patterns), customers’ anonymity, irregularities observed during the CDD process, source of funds or geographical risks;
  • Getting acquainted with the VASPs’ business models, e.g., the counterparties they are dealing with, whether they are registered/licensed in a jurisdiction adequately supervised for AML/CFT purposes; 
  • Asking VASPs for a charter of compliance with AML/CFT requirements, especially for VASPs not established in Luxembourg. Luxembourg VASPs have to abide to the Law of 12 November 2004 like other local professionals; this might yet not be the case for VASPs located in other EU Member States or in third countries. 
  • Assessing, based on the VASPs’ location and business model, if they have adequate regulatory oversight.

You may find some additional resources related to VASPs in Annex IV (“useful links” – Virtual Assets)

Mitigation of risks for customers dealing with virtual/crypto currencies

Professionals should consider the business model of each VASP and whether or not they are:

  • Operating as a VA trading platform that effects exchanges between fiat currency and virtual currency;
  • Operating as a VA trading platform that effects exchanges between virtual currencies;
  • Operating as a VA trading platform that allows peer-to-peer transactions;
  • Providing custodian wallet services;
  • Arranging, advising or benefiting from ‘initial coin offerings’ (ICOs).

WHAT TO DO

To ensure that the level of ML/TF risk associated with such customers is mitigated, professionals  should not apply simplified due diligence measures.

At a minimum as part of their CDD measures, firms should:

Enter into dialogue with the customer to understand the nature of the business and the ML/TF risks it poses.

In addition to verifying the identity of the customer’s beneficial owners, carry out due diligence on senior management, including the consideration of any adverse information.

Understand the extent to which these customers apply their own customer due diligence measures to their clients either under a legal obligation or on a voluntary basis.

Establish whether the customer is registered or licensed in an EEA Member State, or in a third country, and take a view on the adequacy of that third country’s AML/CFT regime.

Find out whether businesses using ICOs in the form of VA to raise money are legitimate and, where applicable, regulated.

Should the professional associate its VASP customer/prospect with higher ML/TF risks, further mitigating measures should be considered.

 

Credit institutions wishing to provide Virtual assets’ services

Credit institutions  that intend to offer virtual asset services, either in scope of article 1 (20c) of the Law or any other activity in relation to virtual assets (e.g. issuance of asset-referenced tokens and e-money tokens or dematerialised record-keeping via DLT), shall submit and present beforehand a detailed business case to the CSSF including a risk-benefit assessment, required adaptations to their governance and risk management frameworks, the effective handling of counterparty and concentration risk and the implementation of investor protection rules.
 
Furthermore, if professionals would like to provide one or more of the services in scope of article 1 (20c) of the Law, a complete application file for registration as a VASP needs to be submitted beforehand to the CSSF. Further details with respect to the VASP registration procedures can be found under Registration of a virtual asset service provider (VASP) – CSSF.

1.6 COVID 19 Threats

The COVID-19 sanitary crisis, which is constantly evolving around time, is an opportunity for criminals to exploit the fears and threats pertaining thereto, adapting their modus operandi and engaging into new criminal activities.

Professionals should put their best efforts to maintain effective systems and controls to ensure that they are not being abused by such criminals redesigning pre-existing frauds.

  • Rising ML/TF threats stemming from COVID-19:

Three core threats have been identified by the public authorities, the latter recalling that the technical means and the expertise used by criminals to fraud customers/banking employees were sky rockecting.

  • Specific areas of particular vulnerability:

Six areas in the financial sector may especially be exploited by emerging threats, as follows:

    • Online payment services

The surge in online purchases is increasing both the volume and value of online payments services, including the use of internet banking. This may create more opportunity for criminals to conceal illicit funds within a greater amount of legitimate payments made online.

    • Clients in financial distress

Customers (individuals and legal entities) may be put in a financial distress due to the economic outcome/waves of the current sanitary crisis and therefore more inclined to to be exploited by criminals seeking to launder illicit proceeds.

    • Mortgages and other forms of collateralised lending implying a regular repayment schedule leading to customers’ financial distress
    • Credit backed by government guarantees whereby funds could be obtained without the intention to ever pay back the government.
    • Distressed investment product (loss of significant value) whereby investors could be looking to minimise the losses and give criminals the opportunity to purchase/refinance the distressed assets.
    • Delivery of aid through non-profit organisations:

Where there are increased financial flows through NPOs to higher risk countries, there may be an increased risk of illicit activity and special attention should be paid to the risks of TF

WHAT TO DO (mitigating actions)

Professionals should maintain effective systems and controls to ensure that the financial system is not abused or misused for ML/TF purposes.

The areas that professionals should pay a particular attention to are as follows:

  • Transaction monitoring

Pay particular attention to any unusual or suspicious patterns in customers’ behaviour and financial flows. Professionals should take risk-sensitive measures to establish the legitimate origin of unexpected financial flows, in particular where these flows stem from customers in sectors that are known to have been impacted by the economic downturn and COVID-19 mitigation measures.

  • Customer due diligence measures (CDD)

Consider how CDD measures could be strengthened, having due regard to the risk-based approach, to mitigate the impact of a lack of face-to-face contact with prospects/customers (e.g., more frequent checks against PEPs lists, performing overall additional checks for EDD purposes etc.…).

In its COVID circular, the CSSF refers to its FAQs on AML/CFT and IT requirements for specific customer on-boarding/KYC methods for the identification/verification through video chat. It is there being stated that “the verification of customer identity via live video-chat, or the use of electronic identification means, could be considered an appropriate safeguard in view of the above-mentioned requirements (i.e., lack of face-to-face contact)”. 

Professionals having recourse to remote video onboarding should nonetheless still use other mitigations measures and collect additional documents for clients/BOs due diligence purposes.

  • ML/TF risk assessment

Take a dynamic approach to ML/TF risk assessments and incorporate the risks associated with COVID-19 within your risks’ matrixes.

  • Cooperation with authorities

Cooperation with the national authorities is key to deter ML/FT.  Professionals shall regularly consult any guidance provided by either the CRF or the CSSF and try to be involved in any public private partnerships (or similar) involving national public representatives.

The FATF, in both of its COVID 19 guidance, sets out a range of actions that States and financial stakeholders could consider taking in response to the COVID 19 challenges, notably in dealing with new COVID 19 threats.

Section 2. Management and mitigation of risks

The final guidelines on risk factors published by the Joint Committee of the European Supervisory Authorities on 26 June 2017 contain specific recommendations regarding certain particular sectors of activity, whereby the risks encountered can in the right circumstances be mitigated. They are set out in CSSF circular 21/782 of 24 September 2021.

In addition, the risk management principles set out in CSSF Regulation No 12-02 must first of all be borne in mind before sectoral suggestions, as encouraged by the European Supervisory Authorities, are submitted.

2.1 Reminder of the statutory and regulatory provisions of Article 4 of the Law and of CSSF Regulation No 12-02

“Professionals shall put in place policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified at international, European, national and sectoral level and at the level of the professionals themselves.”

(…) These policies must be approved by the professional’s board of directors. The related procedures must be approved by the authorized management or by the board of directors for funds under the supervision of the CSSF “.

“Controls” covers all controls, in the broad sense of the term, put in place within the professional’s institution for the purpose of effectively managing and mitigating the ML/FT risks to which the professional is exposed, including the implementation of all procedures and monitoring of compliance by the professional with all its professional obligations in the matter

“(2) Professionals shall set the extent of the due diligence measures laid down in Article 3(2) of the Law according to the risk level assigned to each customer (…). Where enhanced due diligence measures are required pursuant to the Law or the Grand-Ducal Regulation (of 1st February 2010) or of this Regulation (CSSF n ° 12-02), all such measures shall be applied although the extent of such measures may vary according to the specific level of risk set by the professional.”

“(3) The adaptation of the extent of due diligence measures to the risk level shall take place during the identification and identity verification period (…)”

As regards Member States of the EU, there is a presumption of equivalence, accompanied by a proviso: that presumption is displaced where relevant information indicates that that presumption cannot be maintained.

The assumption that a country is to be regarded as equivalent cannot be maintained over time without regular analysis. The conclusion that obligations are equivalent must be regularly reviewed, in particular where fresh relevant information is available regarding the country concerned.

Lastly, even where a country is considered by a professional to be equivalent, this does not absolve that professional from the obligation to carry out a risk assessment upon agreeing to accept a new customer, and does not relieve it of the obligation to apply enhanced due diligence measures in high-risk cases.

2.2 Summary table of the key elements of risk mitigation

(according to the guidelines on risk factors published by the European Banking Authority on 1 March 2021)

(See also Annex III of the Law: “Indicators of a potentially lower risk”.)

Product/services risk

  • the product has limited functionality or is low value (e.g. limited cash withdrawals);

  • the services/payments for the product cannot be realised for the benefit of a third party;

  • the benefits of the product are only realisable in the long term or for a specific purpose;

  • the product can only be held by certain categories of customers, according to criteria determined by the public authorities;

  • the product does not feature an overpayment facility;

  • the product/fund is open only to small-scale investors and the investments are capped;

  • introduction of thresholds for the product (low-value limits on payments/loading/redemption, including cash withdrawal, limits on payments/loading/redemption over a given period; limit on the amounts that can be stored on the product);

  • the utility/negotiability of the proceeds paid out is limited (domestic utilisation only, settlement mode possible only for a limited number of products/services);

  • it is only possible to invest in the product through a bank account located in the European Economic Area;

  • the product meets transparency criteria and must be subject to reporting;

Transaction risks

  • transactions linked to the product must be carried out via an account held in the name of the customer with a credit or financial institution subject to AML/CFT requirements at least equivalent to those required by the 4th AML Directive as amended;

  • rather than handling transactions in the name of their underlying customers, banks act for their own account (e.g. in the case of foreign exchange services between two banks, where the business is transacted on a principal-to-principal basis between the banks and where the settlement of a transaction does not involve a payment to a third party);

  • the transaction relates to the selling, buying or pledging of securities on regulated markets (for example where the bank acts as a custodian or uses a custodian having direct access, usually through a local participant, to an EU or non-EU securities settlement system;

  • transactions take place between regulated financial institutions;

Distribution channel risks

  • the product is available only for customers meeting specific eligibility criteria fixed by national public authorities, as in the case of recipients of State benefits or specific savings products for children registered in a particular Member State;

  • the correspondent banking relationship is limited to a SWIFT RMA capability (designed to manage communications between financial institutions;

  • the intermediaries (especially in the context of the distribution of life insurance products in units of account) are well known to the financial institution, which has satisfied itself that the intermediary applies customer due diligence measures in relation to customers commensurate with the risk associated with the relationship and in line with those required under Directive (EU) 2015/849;

  • Banks act for their own account and not on the instruction of a third party customer, the settlement of the transaction does not involve payment to a third party;

Customer risks

  • the customer relationship manager must facilitate the gathering of customer information, playing a key role in assessing risk (the customer's source of wealth, reasons why complex or unusual arrangements may none the less be legitimate), etc.;

  • the customer is a long-standing customer whose previous transactions have not given rise to suspicion or concern, and the product or service sought is in line with the customer's risk profile;

  • the customer is an existing customer whose business is well known to the bank and the transaction is in line with that business;

  • the customer is listed on a stock exchange with disclosure requirements similar to those of the EU;

  • the customer is a credit institution/financial institution which is subject to AML/CFT requirements and supervised for compliance with those requirements in accordance with Directive (EU) 2015/849;

  • the customer is a public administration or a public enterprise from an EEA jurisdiction;

  • the customer is an institutional investor whose status has been verified by an EEA government agency;

Country risks

  • the third country has AML/CFT requirements at least equivalent to those prescribed by the 4th AML Directive and ensures that they are effectively implemented;

  • the country concerned has an AML/CFT regime that is not less robust than that required by the 4th AML Directive and is associated with low levels of predicate offences;

  • the country is a member of the EEA;

  • the country is identified by credible sources, such as mutual evaluations or detailed assessment reports, as having effective AML/CFT systems;

  • the country is identified by credible sources as having a low level of corruption and other criminal activity.


Moreover, Article 7(1) of CSSF Regulation No 12-02 provides: “it is for each professional to assess if a Member State or a third country imposes obligations which are equivalent to those laid down in the Law or in Directive (EU) 2015/849, according to the particular circumstances of the case.

The reasons for concluding that a Member State or a third country imposes equivalent obligations shall be documented when the decision is taken and shall be based on relevant and up-to-date information (…)”.

2.3 Mitigation of specific risk factors according to the business sectors concerned

Title II of the final guidelines on risk factors published by the Joint Committee of the European Supervisory Authorities lays down sector-specific guidelines.

It features, for example, the activities of correspondent banks, retail banks, wealth management (private banking) and electronic money issuers.

Generally, the guidelines define, first of all, the enhanced risk factors in the various sectors, going on to mention the criteria which may reduce the attendant risks.

The risk factors set out below are not exhaustive. They may be useful in supplementing those determined by the professional, who will carry out an analysis on a case-by-case:

Retail banking:

Factors increasing risk Factors helping to reduce risk
Products, services, transactions

  • product favouring anonymity

  • payment to un-associated/not previously identified third parties

  • back-to-back loans

  • volume of the transaction

  • cash


 

  • new products/new technologies

  • product without limit in cross-border transactions and without ceiling


 

(The Law incorporates Recommendation 15 of the)

  • product having limited functionality (product realisable in the long term or for a specific purpose) ; low value product, including one that does not transfer ownership to the customer - leasing type);

  • fixed-term savings product;

  • product held for a particular category of customers (pensioners/rules for representing minors);

  • product not transferable;

  • product payment made from a bank account of a financial institution of the EEA





“Professionals must identify and assess the ML or TF risks that may result from the development of new products and new business practices, including new distribution mechanisms as well as the use of new or developing technologies in connection with new or pre-existing products ”.

“Professionals must:

a) assess the risks before the launch or use of these products, practices and technologies;

b) take appropriate measures to manage and mitigate these risks ”.
Customers
(natural/legal persons)

  • nature of the customer, activity/business, higher risk of corruption (PEP);

  • customer is in business in extractive industries/arms trade/an activity necessitating cash, games, "money remitters…

  • client is a not-for-profit organisation/non-resident;

  • beneficial owner of the customer cannot be easily identified (opaque, complex structure)

  • behaviour (reluctance to provide information; transactions diverging from the investor profile, suspicious transaction);


  • long-standing customers;

Countries

  •  higher risk (AML/CFT deficiencies, support for terrorist activities, embargoes, financial sanctions);


  • AML/CFT regime that is not less robust than that required under the 4th AML Directive + low level of predicate offences;

Distribution channels

  • parties not physically present and no adequate safeguards (electronic signatures, Regulation No 910/2014 on electronic identification and trust services for electronic transactions in the internal market);

  • due diligence measures taken by a third party;

  • new distribution channels not yet tested.


  • product available only for customers meeting eligibility criteria fixed by national public authorities;

Wealth management/private banking

Factors increasing risk Factors helping to reduce risk
Products, services, transactions

  • significant amounts of the transactions

  • financial arrangements involving countries with a higher ML/FT risk (non-compliance with international tax transparency standards, culture of banking secrecy);

  • complex structures interposed, making it more difficult to identify the beneficial owner

  • cross-border arrangements where the assets are deposited in an institution whose head office is located in a country with an enhanced ML/FT risk.

  • dedicated products and services which may give rise to higher ML/FT risks


  • product having limited functionality

  • (product realisable in the long term or for a specific purpose);

  • fixed-term savings product;

  • product held for a particular category of customers (pensioners/rules for representing minors);

  • product not transferable;

Customers

  • the customer's wealth derives from high-risk sectors;

  • from countries that are associated with high ML/FT risks or from countries subject to international

  • sanctions;

  • PEPs and their relatives and associates;

  • demanding a discreet service or an investment without economic logic;

  • having a number of substantial accounts;

  • business activities carried on in a country having a culture of banking secrecy or not respecting international fiscal transparency standards;

  • the customer resides in those countries;

  • the funds come from those countries;

  • the degree of complexity and transparency of the structure put in place for the customer's benefit (use of shell-type companies, etc.);

  • difficulty in entering the "expected" (standard) investment profile of the client



  • it is for the customer to ensure, first of all, an initial line of defence, by avoiding all conflicts of interest;

  • knowledge, critical assessment and documentary evidence of the origin of funds and, where appropriate, the source of assets;

  • documentation in respect of rights of representation and representatives;

  • documentation regarding the ultimate beneficial owner, the structure of the share ownership or control of the customer (including the declaration provided for by Article 17 of CSSF Regulation 12-02);

  • critical and regular reassessment of the business relationship;

  • monitoring of, and documentation regarding, risky transactions and consistency with the purpose of the business relationship;

Countries

  • higher risk

  • (AML/CFT deficiencies, support for terrorist activities, embargoes, financial sanctions,

  • corruption, judicial system inadequate to prosecute money laundering offences);

  • see also the criteria set out in Annex 1 to CSSF Circular No 17/650, for example:

  • jurisdiction not subject to AEOI/CRS/FATCA reporting;

  • risky country from a tax point of view;


  • AML/CFT regime that is not less robust than that required under the 4th AML Directive + low levels of predicate offences;

  • involvement of the head of the group, including coordination of risk-taking not covered by the CRS with the head office;

Distribution channels

  • parties not physically present and no adequate safeguards (electronic signatures, Regulation No 910/2014 on electronic identification and trust services for electronic transactions in the internal market);

  • due diligence measures taken by a third party;

  • new distribution channels not yet tested.


  • product available only for customers meeting eligibility criteria fixed by national public authorities;

In the context of private banking activities in particular, professionals are referred to Annex I and to CSSF Circular No 17/650 as recently amended by Circular 20/744 of 3 July 2020 containing indicators likely to reveal possible laundering of a predicate tax offence.

Criminal tax offences and CSSF Circular No 17/650 are discussed in section 3 of Chapter 1 above.

WHAT TO DO … to detect possible laundering of aggravated tax fraud or tax evasion?

Professionals must take into account a series of indicators (listed in CSSF Circular No 17/650 and also containing indicators specific to collective investment activities) which may give rise to doubt and prompt them to submit a suspicious operation report to the FIU, in particular where:

– the customer is a legal person or legal arrangement established in a jurisdiction which is not subject to AEOI/CRS/FATCA reporting and that entity has no real economic or property-related existence;

– the customer is a legal person which has been the subject of numerous changes to its legal status over a short period of time;

– there exists a multiplicity of companies which have been set up in a State other than the State of the beneficial owner;

– the documentation provided by the customer shows anomalies or the customer refuses to produce documents evidencing his compliance with tax rules, or the documentation raises doubts as it has been issued by someone close to the customer;

– the professional notes a substantial increase in the movements on the account(s) occurring over a short period of time or an inconsistency between the volume of business and the movements on the bank accounts;

the customer has recourse to a complex arrangement without any economic or property-related justification, or requests a form of assistance the aim of which could be to circumvent his tax obligations;

the customer transfers his funds from a country regarded by the professional as risky from the point of view of fiscal transparency or resides for tax purposes in a country not subject to AEOI/CRS/FATCA reporting

(…).

It must be stressed that the presence of an indicator does not, of and in itself, justify concluding that a predicate tax offence has been committed.

Correspondent banks:

Factors increasing risk Factors helping to reduce risk
Products, services, transactions

  • the “correspondent” account may be used by other client banks having a direct relationship with the customer establishment but not with the correspondent bank;

  • the account may be used by other entities within the customer establishment’s group which have not been subject to any due diligence measures;

  • payable-through account enabling customers of the customer establishment to carry out transactions directly on that account;

  • significant transactions with sectors to which risk attaches;

  • significant money remittance activity;


  • limiting the relationship to the SWIFT RMA capability (no payment account relationship);

  • the professional must act for its own account (rather than handling transactions in the name of its customer);

  • the transaction concerns the sale, purchase or pledging of securities on regulated markets;

Customers

  • the customer establishment is not subject to adequate AML/CFT supervision;

  • the customer establishment has recently been the subject of administrative/criminal measures on account of the inadequacy of its AML/CFT procedures/offences committed by it;

  • PEP(s) within the structure/share ownership of the customer establishment;

  • the client establishment is not able to provide the documents / evidence necessary as part of the due diligence measures applied to it


  • where the correspondent institution ensures that the AML/CFT checks carried out by the customer/client are equivalent to those under the 4th AML Directive;


 

 

 

  • professionals should carry out due diligence measures in relation to the customer establishment by obtaining, for example, relevant information concerning the latter (involvement of PEPs featuring among its customers, its core business, documenting the nature and purpose of the service provided and the respective responsibilities of the parties, identifying changes in the risk profile of the business relationship, accounts of the client bank not used in connection with fictitious banks);

  • the professional applies enhanced due diligence measures in relation to the customer, as set out in Article 3-2(3) of the Law;

Countries

  • higher risk

  • (AML/CFT deficiencies, support for terrorist activities, embargoes, financial sanctions, corruption (…);


 

  • see also the criteria set out in Annex 1 to CSSF Circular No 17/650;


  • customer institution established in the EEA;

  • customer institution established in a third country whose AML/CFT requirements are at least equivalent to those laid down by the 4th AML Directive;

Distribution channels

  • parties not physically present and no adequate safeguards (electronic signatures, Regulation No 910/2014 on electronic identification and trust services for electronic transactions in the internal market);

  • due diligence measures taken by a third party;

  • new distribution channels not yet tested.


  • product available only for customers meeting eligibility criteria fixed by national public authorities.

Issue of electronic money:

It will be recalled that electronic money is defined as monetary value as represented by a claim on the issuer which is (i) stored on an electronic device, including a magnetic medium, (ii) issued on receipt of funds for the purposes of payment operations, and (iii) accepted by a natural or legal person other than the electronic money issuer.

It must not be confused with virtual currencies, also called “cryptocurrencies” or “virtual money”.

Factors increasing risk Factors helping to reduce risk
Products, services, transactions

  • consider the thresholds involved (high amounts, unlimited thresholds);

  • funding methods (anonymity, funding by payments from unidentified third parties or by other electronic money products);

  • negotiability (commonly accepted as a means of payment, useful for cross-border transactions, allows cash withdrawals);


  • setting low-value limits on payments/loading/redemption, including cash withdrawals;

  • the payment method is accepted by a limited number of identified merchants;

  • limiting the number of transactions;

  • the funds credited for the purchase/loading should come from an account of the customer held in an EEA institution;


 

 

  • the professional is authorised, subject to conditions, not to apply certain due diligence measures in relation to customers as regards e-money in a number of defined cases (for example: no reloading possible, maximum monthly limit of €250 for payment operations, maximum storage amount (…);

Customers

  • purchase of several products with frequent reloadings and cash withdrawals without an economic rationale;

  • the customer's home address or IP address changes frequently;

  • the product is not used for the purpose for which it was designed;

  • the same product appears to be used by several people whose identities remain unknown to the issuer

  • use of the product always within the limits of the declaration thresholds

  • limiting access to the product to certain categories of persons.

Countries

  • higher risk (AML/CFT deficiencies, support for terrorist activities, embargoes, financial sanctions, corruption (…);

Distribution channels

  • online and non-face-to-face distribution without adequate safeguards, such as electronic signatures;


 

  • distribution through intermediaries not subject to the professional obligations prescribed by the 4th AML Directive or not having adequate AML/CFT controls.

  • Enter into a distribution contract with all the appropriate guarantees with the partner establishment.

Custodian banks

The sectoral guidelines for providers of investment funds are directed primarily at investment fund managers and investment funds marketing their own shares or units, pursuant to Article 3(2), points (a) and (d) of the 4th AML Directive. They are none the less relevant for custodian bankers of investment funds:

Factors increasing risk Factors helping to reduce risk
Products, services, transactions

  • the fund is designed for a limited number of individuals or family offices;


 

  • the investor can subscribe to the fund and then quickly redeem the investment without incurring significant administrative costs;


 

  • units of or shares in the fund can be traded without the fund or fund manager being informed at the time of the trade and, as a result, information about the investor is divided among several actors (as is the case with closed-end funds traded on secondary markets);


 

  • the fund invests in risky countries;


 

  • the fund invests in private equity in questionable countries or sensitive sectors or its economic reality is difficult to monitor/establish;


  • payments by third parties are not authorised;


 

  • the investments are capped;

Customers

  • unusual behaviour on the part of the customer;

  • the investment logic is inconsistent, with no specific economic goal / not in line with the client's investment profile;

  • the customer asks to redeem or repurchase an investment within a short time after making the initial investment;

  • the customer uses multiple accounts without previous notification;

  • the customer structures the relationship in such a way as to have recourse to multiple parties (e.g. nominees), especially established in countries with high ML risks

  • the customer suddenly changes State of residence and requests payment in this new country;


  • the customer is an institutional investor whose status has been verified by an EEA governmental agency;

  • the customer is a firm in an EEA or a third country that has AML/CFT requirements that are not less robust than those prescribed by the 4th AML Directive;

Countries

  • the investors' funds come from higher-risk countries

  • (AML/CFT deficiencies, corruption …)


 

  • the fund invests in sectors exposed to a higher corruption risk in countries/territories with significant levels of corruption/other predicate offences underlying ML/FT;

Distribution channels

  • unclear or complex distribution channels (e.g. with numerous sub-distributors);

  • distributor located in a jurisdiction associated with higher ML/FT risk.


  • the fund admits only a designated type of low-risk investor;

  • the fund can be subscribed for and redeemed only through a firm, for example a financial intermediary, in an EEA country or a third country that has AML/CFT requirements that are not less robust than those prescribed by Directive (EU) 2015/849.

In brief:

Depending on the activity carried on/the services provided, the professional must identify all the attendant risks, preparing a summary thereof in order to determine the overall risk attaching to the business relationship or the transaction envisaged.

It is that risk assessment, carried out in accordance with the criteria laid down by, in particular, the Law, the regulations and circulars of the CSSF, the joint guidelines published by the European Supervisory Authorities, the European Commission, and the recommendations of the FATF or other European and international sources, which will enable the professional to assess, in its own discretion, the level of risk that it is facing.

As soon as the acceptable risk level is exceeded, the professional must strive to take appropriate due diligence measures to manage and mitigate those risks (see Article 2‑2(3) of the Law).

ASSESSMENT OF ML/FT RISKS BY THE CSSF

Since 2017, the CSSF has each year been carrying out an inquiry by gathering standardised key information concerning money laundering and terrorist financing risks to which the professionals under its supervision are exposed, as well as the measures to mitigate the risks taken on by those professionals.

The CSSF refers, in particular, to FATF Recommendation 1 with regard to the risk-based country approach, and to the 4th AML Directive.

The answers provided by the professionals to the CSSF’s “risk questionnaires” allow the latter to assess whether the prevention/mitigation measures put in place by the professional concerned are appropriate to counter the risks actually facing that professional. The CSSF gives each institution an account of the results of that analysis.

RISKS AND DUE DILIGENCE MEASURES

The due diligence measures are set out in Chapter 2 below, under the heading Obligations vis-à-vis customers. However, it is useful already at this point to briefly cite the three levels of risk of money laundering set out in the Law:

(1) Low risk (lower risk of money laundering): Article 3-1 of the Law describes, in a non-exhaustive manner, the conditions in which simplified due diligence measures are sufficient. The application of simplified due diligence measures must be based on a risk assessment demonstrating the low level of the risk.

(2) Real risk (due diligence obligation de vigilance as prescribed by Article 3 of the Law)

Apart from in high-risk situations as defined by the authorities, it is for each professional to determine its own risk-management policy, reflecting its type of business relationships, its customer base, the services and products offered by it and the countries with which it has dealings.

That approach must take into consideration both the elements increasing risk and those reducing it.

The classification of customers in a risky customer category will not necessarily arise from a single criterion but may result from a bundle of risk factors. An accumulation of risk factors should prompt the professional to investigate in greater detail the reasons for the business relationship, to obtain additional documentation, to examine attentively the operations carried out, to pursue follow-up measures and to carry out periodic reviews.

(3) High risk (enhanced due diligence measures): Article 3-2 of the Law determines those situations in which professionals are required to apply enhanced due diligence measures in relation to their customers.

In addition to those levels of due diligence, an absolute prohibition may be imposed, forbidding all contact concerning persons or entities subject to an embargo (measures to freeze funds or other terrorist assets – see in particular the European Union’s consolidated list of sanctions).

Annex IV provides various additional references and tools relating to the risk-based approach

 

OBLIGATIONS VIS-À-VIS CUSTOMERS

Financial institutions should be prohibited from keeping anonymous accounts or accounts in obviously fictitious names”. Thus, professionals are obliged to take due diligence measures vis-à-vis their customers in certain clearly defined situations, in particular: 

(i) when establishing business relations;

(ii) when carrying out occasional transactions (subject to conditions);

(iii) where there is a suspicion of money laundering or terrorist financing;

(iv) where there is any doubt about the veracity or adequacy of previously obtained customer identification data.

The professional must identify and verify, in particular, the identity of its customer and that of the beneficial owner, including legal persons and legal arrangements, obtain information on the purpose and intended nature of the business relationship and conduct ongoing due diligence with regard to that relationship.

The identification operation consists in possessing the name and identity of the customer. Thus, the identification can be done by the fact of completing a form requesting entry into a business relationship and indicating on that form the number of an identity document.

“The verification operation, for its part, consists in making the link between the information provided and the reality of the situation by making sure that the identity stated does indeed relate to the person with whom one is dealing, that that person really exists and that the documents, data and information are respectively reliable and probative.” ref. T. POULIQUEN, La lutte contre le blanchiment d’argent, Promoculture-Larcier 2014, p. 250.

WHAT DOES THE DUE DILIGENCE OBLIGATION CONSIST OF?

“Customer due diligence measures shall comprise

  1. identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source including, where applicable, electronic identification means and trust services provided for in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions within the internal market (…), or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the national authorities concerned;
  2. identifying (…) the beneficial owner and taking reasonable measures to verify his identity, using information or data obtained from a reliable and independent source, so that the professionals are satisfied that they know who the beneficial owner is, including, as regards legal persons, fiducies, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer; (…)
  3. assessing and understanding of the purpose and intended nature of the business relationship and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
  4. conducting ongoing due diligence with regard to the business relationship, including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the professional’s knowledge of the customer, the business and risk profile, and by ensuring that documents, data or information used in the exercise of customer due diligence remain up-to-date and relevant. To this end, the professionals examine the existing elements, and this in particular for the categories of customers presenting the higher risks ”.

Section 1. Customer due diligence measures

WHEN IS DUE DILIGENCE TO BE EXERCISED?

Professionals shall apply customer due diligence measures in the following cases:

a) when establishing a business relationship;

b) when carrying out an occasional transaction that:

    • amounts to EUR 15 000 or more, whether this transaction is carried out in a single operation or in several operations which appear to be linked; or
    • constitutes a transfer of funds, as defined in Article 3, point (9) of Regulation (EU) 2015/847 (…), exceeding EUR 1 000.

“The threshold of EUR 1,000 (…) is also applicable to occasional transactions by virtual asset service providers.”

There exists no definition in Luxembourg law of the terms “occasional transaction” or “occasional customer”.

WHAT TO DO?

The ABBL recommends that professionals should refer to the following definitions:

“An occasional customer is a passing customer who requests the intervention of a financial organisation for the carrying-out of an isolated operation or a series of linked operations (…).”

“(…) where a person hands over cash to a financial organisation with a view to its being paid into an account of one of the latter’s customers, and that person has not been mandated by that customer to act on his or her account, the person in question shall be regarded as an occasional customer. The organisation shall identify that person and verify his or her identity, save where it is already in a business relationship with that person.”

“(…) a person shall be deemed to be an occasional customer where he or she approaches (a professional subject to supervision) exclusively with a view to preparing or carrying out a one-off operation or obtaining assistance in the preparation or carrying-out of such an operation, whether the same is carried out in a single transaction or in a series of apparently linked operations.”

The professional must carry out the due diligence measures prescribed in relation to “occasional customers” or customers carrying out an occasional transaction, in accordance with the risk(s) identified.

(…)

c) when there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold;

d) when there are doubts about the veracity or adequacy of previously obtained customer identification data.

Professionals are required to apply the customer due diligence procedures not only to all new customers but also, “at appropriate times”, to existing customers based on their risk assessment, taking into account the existence and timing of previous customer due diligence procedures, or when the relevant elements of a client’s situation change or when the professional, during the calendar year under review, is required, due to a legal obligation, to contact the client in order to review any relevant information in relation to the beneficial owner(s) or if this obligation fell to the professional pursuant to the amended law of 18 December 2015 on the Common Reporting Standard (CRS)”.

The definition of “appropriate times based on risk assessment” is given in the Grand Ducal Regulation of 1 February 2010 as amended.

“This includes one of the following situations:

“- a significant transaction occurs ;

-the standards relating to customer identification documents change substantially;

in the field of banking, a significant change occurs in the way a client’s account operates; – the professional becomes aware of a change in the way a client’s account is managed

-the trader becomes aware that he does not have adequate information about a client.

Professionals must be able to demonstrate to the supervisory authorities or self-regulatory bodies that the extent and frequency of customer due diligence measures are appropriate in view of the risks of money laundering and terrorist financing.

Subsection 1. The acceptance process

1. Policy for accepting new customers

The notion of entering into contact with a customer covers all possible forms of contact, including conversations taking place within the bank’s premises, correspondence by post, telephone calls and exchanges by electronic means (for example the internet).

Mere requests for information which are not followed up by the prospective customer are not to be regarded as an entry into contact.

By contrast, the pre-contractual phase, which begins with an exchange of information and is characterised by the commencement of negotiations concerning the conditions for entering into a business relationship, is to be defined as an “entry into contact”.

1.1  Implementation of the appropriate procedures

“Professionals shall decide on and put in place a customer acceptance policy which is adapted to the activities they carry out, so that the entry into business relationship with customers  may be submitted to a prior identification, assessment and understanding of risks (…)”.

The customer acceptance procedure must, in concrete terms, take the form of an analysis of the risk factors carried out in advance by the professional concerned, since the risks concerning the business relationship or the transaction will (or may not) result in the conclusion of the proposed business relationship/transaction.

1.2  Anticipatory nature of the identification and of verification of identity process

Professionals are required to formalise the procedure for identifying prospective customers/customers (natural/legal persons) in their “KYC: Know your customer” documents.

The identification of the customer/beneficial owner forms only a part of the “KYC” procedure, which contains a plethora of crucial supplementary information for assessing the attendant risks and proceeding, where appropriate, with the entry into a business relationship.

“The customer acceptance policy shall require the documentation of all contact, no matter in which form, and shall notably envisage a customer questionnaire adapted to the nature of the contact and the business relationship. When entering into a new business relationship with a company or other legal entity, a trust or a legal arrangement with a structure or functions similar to those of a trust for information on beneficial owners should be registered under Article 30 or 31 of Directive (EU) 2015/849, professionals collect proof of registration or an extract from the register ”.

“The verification of the identity of the customer and of the beneficial owner shall take place before the establishment of a business relationship or the carrying-out of the transaction.”

“However, the verification of the identity of the customer and the beneficial owner may be completed during the establishment of a business relationship if this is necessary in order not to interrupt the normal conduct of business and where there is little risk of money laundering or terrorist financing occurring. In such situations these procedures shall be completed as soon as practicable after the initial contact and professionals take measures to effectively manage the risk of money laundering and terrorist financing ”.

“(…) Professionals can enter into a business relationship, open a customer account or carry out a transaction for an occasional customer before or while the identity of the customer and the beneficial owner is verified (…) provided that the following conditions are met:

  • the risk of money laundering and terrorist financing is low and managed effectively;
  • it is necessary not to interrupt the normal course of business;
  • identity verification is carried out as soon as possible after the first contact with the customer. The impossibility of verifying the identity of the client and the beneficiary within the time limit prescribed by internal rules must be the subject of an internal report which will be sent to the control manager for the required purposes
  • sufficient measures are in place so that no outflow of assets from the account can be made before the completion of the verification check

(…)”

It may be “permissible for verification to be completed after the establishment of the business relationship, because it would be essential not to interrupt the normal conduct of business”, for example in the case of:

  • “non face-to-face business”;
  • “securities transactions. In the securities industry, companies and intermediaries may be required to perform transactions very rapidly, according to the market conditions at the time the customer is contacting them, and the performance of the transaction may be required before verification of identity is completed.”

1.3  The Acceptance Committee or “written authorisation from a specifically appointed superior or body”

“(…) The acceptance of a new customer shall be submitted to a superior or to a specifically appointed professional body for written authorisation by providing for an adequate hierarchical decision-making level, and for customers with a higher level of risk, at least the systematic intervention of the compliance officer”.

“The acceptance of a new client with a low ML / FT risk, following the risk-based approach as implemented by the professional, can be carried out on the basis of an automated acceptance process. ‘not involving the intervention of a natural person on the professional’s side, so as to constitute an effective and reliable alternative to validation by a natural person of the professional.

This process must have been configured and professionally tested beforehand and regularly through the analysis of its robustness. This process must be in line with the professional’s AML / CFT policies and procedures and the instructions to be issued by the CSSF ”.

In accordance with current practice, an examination by a so-called new business relationships committee (or “acceptance committee”) is recommended, particularly in certain cases requiring the authorisation of an executive, but also depending on the nature of the relationships or persons concerned. Not all account openings need to be referred to the new business relationships committee, but it must be called upon to examine at least those which meet certain criteria, particularly those involving a degree of risk. The determination of the risk level must take into account, in particular, the risk factors set out above in Chapter 1 of Part II (“Identification and assessment of risks”) of this Vade Mecum.

It is recommended that responsibility for the entry into a business relationship should not lie with a single person and that the new business relationships committee should be composed of persons from different departments within the professional’s organisation (for example the executive management, the sales and marketing department, the legal department, the compliance officer, etc.).

As regards risky customers, the requirements relating to documentary evidence, particularly documents proving the origin of funds, are more stringent. The quantity and quality of the information (supporting documents) required in relation to the customer and the beneficial owner must likewise meet a high standard.

For clients who present a low risk in terms of money laundering, CSSF Regulation No. 20-05 of 14 August 2020 introduces the possibility of using an automated acceptance system that does not require human intervention. This formalizes a market practice, at least encouraging the system when the risk of money laundering is low and given the increasing digitalisation of services.

1.4  Questionnaire concerning entry into a business relationship

“The customer acceptance policy shall require the documentation of all contact, no matter in which form, and shall notably envisage a customer questionnaire adapted to the nature of the contact and the business relationship.

The customer acceptance policy shall also provide for procedures to be followed when there is a suspicion or reasonable grounds for suspicion of money laundering, an associated predicate offense or terrorist financing in case contact with a possible customer fails. The reasons for a customer or professional to refuse to enter into a business relationship or to execute a transaction shall be documented and kept (in accordance with the terms of CSSF regulation no.12-02), even if the professional’s refusal does not ensue from the observation of a money laundering or terrorist financing indication.”

2. Identification of customers and verification of their identity

The customer must be identified, and his/her identity verified, on the basis of documents, data or information emanating from a reliable and independent source, including, where applicable, electronic identification means and relevant trust services provided for in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and services of trust for electronic transactions within the internal market (…) ” or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the national authorities concerned”..

2.1  Customers who are natural persons

2.1.1  The account-holder

“For the purposes of the identification of customers pursuant to Article 3 paragraph 2, subparagraph 1, point a) and subparagraph 2 of the Law, the professionals shall gather and register at least the following information:

  • surname(s) and first name(s);
  • place and date of birth;
  • nationality (-ies);
  • full address of the customer’s main residence;
  • where appropriate, the official national identification number.”

“The information listed in point 1 above is to be collected and recorded also for the initiators, the promoters who are at the basis of the launch of an investment fund under the supervision of the CSSF who will be the professional’s client” .

Verification of the identity of a customer who is a natural person

(1) “The verification of the identity, within the meaning of Article 3(2)(1)(a) of the Law, of customers who are natural persons shall be made at least with one valid authentic identification document issued by a public authority and which bears the customer’s signature and picture such as, for instance, the customer’s passport, his ID , (…) his residence permit, his driving license or any other similar document.”

“Electronic identification means, including the relevant trust services provided for by Regulation (EU) No. 910/2014 or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the national authorities concerned may be used by the trader to fulfill his obligation of vigilance referred to in Article 3 (2), subparagraph 1, point a) of the Law ”.

(2) “According to the risk assessment, and without prejudice to other enhanced due diligence obligations,the professionals shall take additional verification measures such as, for example, the verification of the address indicated by the customer through the proof of address or by contacting the customer, among others, per registered letter with acknowledgement of receipt.”

See the tables contained in Annex V “Documents” relating to the due diligence obligations with regard to customers who are natural persons. 

The practice regarding documentary requirements may vary from one establishment to the next, and may sometimes be more restrictive than the regulatory requirements. The legislative and regulatory framework in Luxembourg allows professionals, in appropriate circumstances, a certain discretion as regards the choice of the documentation to be used for the purposes of identifying a customer who is a natural person.

Thus, the professional may usefully refer to the recommendations/good practices concerning the identification of customers published by professional associations (e.g. ALCO, IRE) or by the supervisory authorities for the banking/financial sector or others (AED).

Exceptional situations:

Some customers may also hold specific documents (e.g. a “carte de forain” (travelling showman’s card), “carte de séjour” (residence permit), “livret de famille” (family record book), etc.), assessment of the relevance of which is left to the discretion of the professional, but which do not in themselves provide complete identification. In such situations, it is appropriate, as indicated above, to obtain other documents emanating from a reliable and independent source which supplement the documents of a specific nature provided by the customer.

Where an official identity document does not contain a signature, the professional must demand an additional supporting document. A clear link must be established between the identity of the customer and his/her signature. The additional supporting document must, in such cases or in an exceptional situation, contain the requisite confirmatory information with regard to the identification of the customer.

A few examples of possible supplementary documentation requirements regarding customers who are natural persons:

– Document of title proving ownership of the principal residence, rent receipt less than three months old, home insurance certificate, documents evidencing liability to pay housing tax, property tax, municipal taxes, official document showing entitlement to subsidies from the State;

– Certificate of nationality, naturalisation certificate, veteran’s card, movement card issued by the military authorities, invalidity card;

– Internet/mobile telephone invoices less than three months old (on paper or in dematerialised form);

– Most recent notice of assessment/non-assessment to tax, pay slips indicating the principal residence, official pension document indicating the principal residence, official grant of a tax credit, various State allowances (family allowances, invalidity allowances, etc.);

– Administrative summons, formal notice to pay or perform, process served by a bailiff/process server, etc.

A driving licence may also constitute an official document proving the customer’s identity or supplementing other documents in the customer’s file, especially for customers residing in third countries.

A few examples of various situations:

  • In order to be able to deal with the documentary evidence efficiently, it is current practice systematically to take copies of ID documents.
  • Professionals must pay special attention to unusual situations, such as the absence or temporary nature of the place of residence of a customer (for example, a suite in an hotel, a post office box, etc.). Professionals must check to ensure consistency between all the items of information received by them regarding the identification details. Where there is any inconsistency (for example as to the address) or insufficient information, the provision of additional supporting documents must be requested.

Entry into a business relationship may only be agreed to by a professional if the latter is in possession of all the documents which it has asked its customer to provide.

2.1.2  The authorised agent/attorney of a customer who is a natural person lacking legal capacity or a minor

The powers of representation of the legal representatives of customers who are natural persons lacking legal capacity, i.e. who are the subject of guardianship/supervision measures (or analogous measures), or minors, must be verified by means of documents evidencing the situation.

The identification and verification of the identity of the customer’s authorised agent/attorney must, in addition, be done in the manner described in point 2.1.1. The professional must take copies of the documents provided.

A “livret de famille” (family record book) is sometimes used in the case of the opening of an account in the name of a minor by a person of full age. In such cases, the identity of the latter must be verified, together with the link between that person and the minor.

It is recommended that a copy of the minor’s identity document be obtained, if he/she possesses one, and by no later than the time when he/she reaches full age. Generally, it is recommended that professionals ask the customer to inform them of any change occurring in the customer’s legal status.

2.1.3  The particular case of the status of a refugee or an AIP (applicant for international protection)

Although attestation of the lodging of an application for international protection constitutes only part of the verification of the identity of a customer within the meaning of the Law, it will be noted that this bears the stamp of the Ministry of Foreign Affairs as well as the signature of an official within that Ministry, together with the ID photograph of the applicant for protection, his/her signature and ID indications as required by Article 16 of CSSF Regulation No 12-02.

Subject to its being valid, such an attestation may be regarded as acceptable for the purposes of opening a bank account in Luxembourg offering basic financial services, on condition that the risks resulting therefrom are mitigated by the terms and conditions of use of that account and the application of enhanced due diligence measures in the particular cases concerned.

Banks should also monitor the behaviour of the applicant for asylum in terms of the nature, amount, origin/purpose of the transaction concerned, etc. so as to be able to spot potentially suspicious transactions and to intervene in an adequate manner, where necessary in accordance with Article 5(1)(a) of the Law.

Banks should regularly review the risk profile of the applicant for asylum in question, with a view to checking that his/her profile is still appropriate, in particular after several months have elapsed, in order to verify any development in the status of the person concerned.  

Banks should also reject a request for the opening of a bank account offering basic services where the opening of such an account would entail a breach of the provisions applicable in relation to the prevention of money laundering and the combatting of terrorist financing.

It is suggested that any request for the opening of an account by or for an applicant for international protection, or any identity check carried out in the context of a banking transaction, should be dealt with on the basis of a document fulfilling the following characteristics:

1 – Statement of the main ID information details prescribed by Article 16 of CSSF Regulation No 12-02 (bearing in mind that it is not mandatory to state the address), AND

2 – Presence of an ID photograph of the applicant for protection, AND

3 – Presence on the document of a stamp of the Ministry of Foreign Affairs or of the OLAI (Luxembourg Reception and Integration Agency), OR

4 – Presence on the document of a signature of a representative of the Ministry of Foreign Affairs or of the OLAI.

Any documentation not including all of the characteristics set out above will be accepted by the professional at its own risk, it being understood that an exception may be made as regards any attestation of the lodging of an application for international protection which bears a stamp or the words “Rejected” or “Annulled”, but only provided the following conditions are fulfilled:

– the acceptance of such an attestation (bearing the stamp or the words “Rejected” or “Annulled”) is permissible only for the identification of the applicant for international protection in the context of transactions carried out on or from an account (and not for the opening of that account);

– as long as the account of the applicant for international protection records the crediting of sums coming from the Ministry of Foreign Affairs and/or the OLAI.

The absence of payments coming from those authorities may mean that the application has been rejected and warrant further research/checks on the part of the establishment concerned.

2.1.4  The validity of a French identity card which expired less than 5 years ago

Under the French rules, since 1 January 2014, the duration of the validity of the national identity card has been extended from 10 to 15 years for persons of full age (aged over 18). The five-year extension for identity cards concerns:

  • new secure identity cards (plastic cards) issued as from 1 January 2014 to persons of full age;
  • secure identity cards (plastic cards) issued between 2 January 2004 and 31 December 2013 to persons of full age.

If the identity card was issued between 2 January 2004 and 31 December 2013, the five-year extension of the validity of the card is automatic. The validity date appearing on the document will not be changed. For cards that appear on their face to have expired but the validity of which has been extended for 5 years, the Luxembourg State has officially confirmed that these will be accepted by it as travel documents.

A French national may validly use the above-mentioned French identity card, appearing on its face to have expired but still valid in consequence of its having been extended for a further 5 years following an initial issue/validity period of 10 years, in the context of entering into a business relationship with a credit institution.

The professional must determine, in its discretion and applying a risk-based approach, whether to accept a French identity card that has expired, and must, where necessary, request other documentary evidence relating to the identification of its customer.

2.1.5  Electronic means of identification and of verifying the customer’s identity

A. The due diligence measures in relation to customers include the following:

“identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from reliable and independent sources, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services (…), or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities”.

Professionals may have recourse to video conferencing by using a software developed by themselves or by an external supplier, or may delegate that “on-boarding” video function to a third party. Only a natural person trained for that purpose may use the video conferencing system and deal directly with the prospective customer, thereby de facto excluding the sole intervention of a robot without any additional safeguards.

Only natural persons (the customer, the customer’s statutory representative or authorised agent/attorney, a co-holder of the account or a beneficial owner) may use the function and be identified by the professional.

The video conferencing tool may only be used if the professional has no suspicion of any money laundering/terrorist financing and there can be no dispute as to the veracity and relevance of the documents submitted in advance by the customer.

During the identification of the customer, the data appearing on the identity documents must be clearly legible and clearly identifiable (good lighting conditions, the customer must not be disguised or wearing any headgear that covers part of his or her face, etc.). Only official identity documents emanating from the issuing country and containing optical security devices (holograms, special printing features, etc.) are authorised for the verification procedure. Annex V of the Vademecum contains a convenient link to the online public register of authentic identity and travel documents for citizens worldwide, as established by the Council of the European Union.

The professional must guarantee the efficacy and reliability of the system and remains at all times answerable for compliance with the due diligence obligations incumbent on it in relation to its customers.

WHAT TO DO?

Professionals wishing to make use of video facilities/systems to the purposes of onboarding customers remotely shall get in touch with the CSSF to describe the systems they intend to operate. The CSSF may come with useful comments, which should be duly taken into consideration before making use of the system.

The opinion of the Joint Committee explores, in particular, the ways in which the innovative solutions currently used by financial sector professionals can help them to better fulfil their AML/CFT obligations. For example, the solutions involving non-face-to-face verification of the identity of customers may contain special functionalities making it possible to determine whether the identity document produced really belongs to the person producing it, by combining a number of parameters such as, in particular, biometric facial recognition, document security features and optical character recognition.

Those innovations can also considerably improve the transaction monitoring processes of credit and financial institutions by automating them and making it possible instantaneously to extract relevant data from a number of different databases.

At the national level, as regards the interoperability/cross-border use of trust services supplied by “trust services providers” as defined in Regulation (EU) No 910/2014 and consisting notably in the creation, verification and validation of electronic signatures, electronic seals (…), electronic registered delivery services and certificates related to those services, the Luxembourg portal “qualité.lu” of ILNAS (the national control body) produces the Luxembourg list of such trust service providers (that is to say, in practice, LuxTrust).

At the European level, the European Commission likewise publishes a list of trust service providers.

The customer’s identity must be verified by the professional by means of real-time audio-visual communication, making sure that appropriate technical media are used. The professional must take care to check the authenticity of the customer’s ID documents, in particular via the reading and decryption of the optical security devices contained in the documents supplied by the customer and other elements chosen by the professional.

Under Regulation (EU) No 910/2014, since 1 July 2016:

“1.  An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.

2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.

3. A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States.”

In addition, the legal value attaching to an electronic signature is stated in the Civil Code:

“The signature required for the perfection of a private document shall identify the person appending it and shall manifest his/her willingness to adhere to the content of the document. It may be in manuscript or electronic form.

B. Specific measures to be adopted by the trader in the case of a non-face-to-face business relationship

“Where the client is not physically present or has not been met by or on behalf of the trader for the purpose of identification, a so-called “non-face-to-face” relationship, and the trader has not taken the necessary guarantees as set out in Annex IV, point 2) c) of the Law (i.e. not accompanied by guarantees such as electronic means of identification within the meaning of Regulation (EU) No 910/2014 or any other secure electronic or remote identification process regulated, recognised, approved or accepted by the relevant national authorities) specific measures must be applied by the trader to compensate for the potentially higher risk presented by this type of relationship”.

The specific measures to be taken in this case may include

“measures to ensure that the identity of the client is established by means of additional documents, data or identifying information

additional measures ensuring verification or certification by a public authority of the documents provided

a confirmation statement from a credit or financial institution subject to the Act or subject to equivalent professional obligations in relation to AML/CFT

measures to ensure that the first payment of transactions is made through an account opened in the customer’s name with a credit or financial institution subject to the Act or subject to equivalent professional anti-money laundering and anti-terrorist financing requirements.

This list of additional measures to be adopted in case of entering into a business relationship at a distance and in the absence of the necessary guarantees as referred to in particular in Regulation (EU) n°910/2014 was introduced by CSSF Regulation n°20-05 and is not exhaustive. The professional is free to adopt other measures that he deems useful.

2.1.6  FATF Guidance on digital identity

Digital ID simply refers to the use of technology in asserting and proving identity.

Section III of the Guidance is the most relevant one as pertaining to standards regarding customer due diligence standards. Overall, the guidance should help professionals understand if a digital ID is fit for customer due diligence purposes, having firstly understood the attributes of a digital ID systems.

A. Briefly summarising the digital ID process (appendix A of the FATF guidance)

As shown above, the digital ID process mostly entails two components:

  • Identity proofing and enrolment

The firs step consists in answering the mere question “who are you”, with the collection of attribute evidence related to the customer being here an individual (documentary or digital, bearing in mind that biophysical, biomechanical and behavioral biometrics do exist).

Validation will then come to make sure that the evidence collected is genuine followed by the verification process whereby there will be a confirmation as to the validated identity indeed relates to the customer undergoing the process.

  • Authentication and identity lifecycle management

This part of the ID process could be briefly summarised as “Are you the one you say you are? “.

As stated by the FATF, “the more factors an authentication process employs, the more robust and trustworthy the authentication system is likely to be”. Once the customer has been successfully proofed and enrolled in a digital ID system, the authentication process guarantees to the professional that the person presenting the credential is really the person to whom it belongs.

The common authentication factors can be best summarised as follows:

Lifecycle management merely refers to steps professionals will have to take in response to events occurring to credentials (loss, theft, etc).

B. Making sure that a Digital ID system is suitable for customer due diligence purposes

Apart from the CSSF guidance on video chat and the fact that the CSSF will eventually be consulted on any digital ID onboarding system used or set-up by a professional, there is no specific Luxembourg guidance on the suitability of a digital ID system which will be used to onboard customers.

Therefore, the FATF illustration below, combined with a risk-based approach, will come handy for professionals to elect the right system and make sure that the latter comes with the right assurance level:

WHAT TO DO?

  • Use antifraud and cybersecurity systems/processes to support digital identity proofing and/or authentication to support AML/CFT quest.
  • Make sure that the CSSF can obtain the underlying identity information and evidence or digital information needed to identify and verify the identity of your customer/prospect.

2.2 Customers that are legal persons

2.2.1   Identification of customers that are legal persons

“For the purposes of the identification of customers [that are legal persons or legal arrangements], professionals shall gather and register at least the following information:

  • name
  • legal form;
  • address of the registered office and, if different, a principal place of business;
  • where appropriate, an official national identification number;
  • the name of the directors (dirigeants) (for legal persons) and directors (administrateurs) or persons holding/occupying similar positions (for legal arrangements) and involved in the business relationship with the professional;
  • provisions governing the power to bind the legal person or arrangement;
  • authorisation to enter into a relationship.”

“The information listed in point 1 above must also be collected and recorded for the initiators, promoters who are behind the launch of an investment fund under the supervision of the CSSF which will be the client of the professional.”

Opening an account for a company in the process of incorporation before completion of the identity verification measures

A professional may open an account for a company in the process of incorporation, insofar as the following conditions are met:

“- the professionals shall identify and verify the identity of the company’s founders pursuant to (…) the Law. They shall receive a declaration from the founders stating that they act, either for their own account or for the account of beneficial owners which they name, and where appropriate, the professionals shall take measures to identify and verify the identity of the beneficial owners pursuant to (…) the Law;

– at the earliest opportunity after the incorporation of the company, the professionals shall complete the measures for the identification and verification of the company’s identity (…) as well as, where applicable, of the beneficial owners (…). The impossibility to verify the identity of the founders, the company and the beneficial owners within the timeframe set by the internal rules shall be subject to an internal report which will be transmitted to the AML/CFT compliance officer for the required purposes;

– sufficient measures shall be put in place so that no exit of assets from the account can be carried out before completing this verification.”

A professional may be held liable if it allows a customer which is a legal person to make use of funds before the identification of that customer to be completed.

It is recommended that professionals refrain, at least until they have received the documents or information required, from activating the accounts of legal persons that have not yet been satisfactorily identified. In such cases, the professional concerned must take the requisite measures, inter alia by blocking the account so as to prevent any outflow of funds.

2.2.2  Measures for the identification and verification of the identity of the proxy/proxies (“mandataire(s)”) of a customer which is a legal person

The proxy (“mandataire”) holds an authority from the legal person empowering the former to act in the latter’s name; the professional must proceed to identify, and to verify the identity of, the proxy or proxies in question, including where the proxy is itself a company (that is to say, a legal person), applying a risk-based approach. The identification and verification of the identity of the statutory representative of a proxy which is a company acting as proxy must also be undertaken.

Only the powers of representation of the person(s) acting on behalf of the client “in the context of the business relationship with the professional” will be subject to verification. Professionals will thus not have to systematically identify and verify the identity of all persons holding a power of attorney on behalf of the legal person client.

The proxy or proxies (“mandataire(s)”) must not be confused with the person or persons appearing on a list of authorised signatories provided by a customer that is a legal person. In practice, professionals are given the names of numerous authorised signatories (either in a printed list or in computerised form). Those persons are neither statutory representatives of the legal person nor its beneficial owners. Thus, they are not subject to the same identification obligations as the proxies (“mandataires”) of a customer that is a legal person.

Accordingly, there is no need to verify the identity of the persons appearing on a list of signatories, but professionals are recommended to register their names, not least for the purposes of “name screening”. 

“Professionals shall also take note of the powers of representation of the person(s) acting on behalf of the client within the framework of the business relationship with the professional and shall verify them by means of documents likely to be used as evidence, of which they shall take a copy, if necessary in electronic (digital) form.

“This includes (…) :

  • “(…) natural or legal persons authorised to act on behalf of customers pursuant to a mandate;
  • persons authorised to represent customers which are legal persons or legal arrangements in the relations with the professional.”

See the tables in Annex V
“Documents” relating to the due diligence obligations in respect of customers that are legal persons

  • For companies:

The complete documentation relating to a legal person must be such as to make it possible to trace the logical sequence of appointments and delegations of powers, by reference to the articles of association and the designation of the members of the board and thence to the delegation of power(s) to the persons who bind the company vis-à-vis the professional.

As regards the gathering of information concerning the identity of the executives and directors of companies, professionals must, as a minimum, identify and verify the identity of those executives and directors (even those without signing powers) who are in contact with the credit institution. 

Duly adapted procedures should be applied to accounts opened in the name of financial institutions, subject to the obligations in respect of correspondent banks.

  • For other legal persons:

The identification procedure should be applied, on a case-by-case basis, in exceptional situations, such as the opening of an account in the name of an association, foundation or trade union.

As regards the delegation of powers, the ABBL recommends that professionals should verify the powers of any person who acts on behalf of the customer, and that they should obtain a document evidencing the capacity of the representative in question.

By way of example:

  • for the representative of a company or association: the articles of association of the company or association or a delegation of power(s) in due and proper form;
  • for the representative of an undertaking for collective investment: the fund prospectus or equivalent documents enabling the management company to be identified;
  • for the statutory representative of a municipality/territorial authority: the instrument of appointment (as the case may be), or the delegation of power(s) to named persons.

Depending on its risk analysis, the professional may provide for a reduction in the identification and verification measures to be taken with regard to the proxy (“mandataire”) in the context of simplified due diligence obligations.

2.2.3  Verification of the identity of a customer that is a legal person

“Identifying the customer and verifying the customer’s identity [must be done] on the basis of documents, data or information obtained from a reliable and independent source, including, where appropriate, the relevant means of electronic identification and trust services provided for in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (…) or any other secure electronic or remote identification process regulated, recognised, approved or accepted by the relevant national authorities”.

“(…) the verification of the identity of customers who are legal persons or other legal arrangements shall be made at least with the following documents of which a copy shall be kept, Where appropriate, in electronic (digital) form:

  • the last coordinated or up-to-date articles of incorporation (or an equivalent incorporation document);
  • a recent and up-to-date extract from the companies register (registre des sociétés) (or equivalent supporting evidence).”

The professional may use a certificate of incorporation, a certificate of conformity, a company contract, (…) or any other document emanating from an independent and reliable source indicating the name, form and existence of the customer.

“According to the risk assessment, the professionals shall take additional verification measures, such as, for example:

  • an examination of the last management report and the last accounts, where appropriate certified by a réviseur d’entreprises agréé (approved statutory auditor);
  • verification, after consulting the companies register or any other source of professional data, that the company was not or is not subject to any dissolution, deregistration, bankruptcy or liquidation;
  • verification of the information collected from independent and reliable sources such as, among others, public and private databases;
  • a visit to the company, if possible, or contact with the company through, among others, registered letter with acknowledgement of receipt.”

The professional may supplement the above-mentioned documents in accordance with its assessment of the attendant risks. It may also, where necessary or appropriate, apply simplified customer due diligence measures where its customer is a legal person (see above, Chapter 5 of Part 2 of this Handbook).

It is possible, in certain circumstances, for legal persons originating from certain countries to obtain extracts from the commercial register by internet (for example in Switzerland, Belgium and the Netherlands). Care should be taken to ensure the reliability of the source providing such documents. Luxembourg Business Registers, an economic interest grouping, makes it possible to get hold of numerous extracts from European business registers, by virtue of its participation in the “European Business Register”.

It is current practice for the identification of a legal person to be based on a recent extract from a business register, that is to say, an extract which is preferably less than 12 months old at the time of the opening of the account.

It is recommended that, when identifying legal persons, a distinction be drawn between companies which are clearly actively engaged in a commercial activity (large commercial groups, listed companies, SMEs) and small-scale companies, in particular those set up to hold assets and/or those which may function as shell companies. The fact that a legal person is well known as such a company may be noted in the file.

Where multiple accounts are opened by one and the same legal person, the professional may rely on the verification of its identity carried out at the time of the first opening of an account, unless essential elements of the identification are likely to have changed (change of company name) or the professional has doubts about the accuracy of the information provided. Where a business relationship has been definitively terminated and a new business relationship is subsequently entered into, the professional must proceed afresh with the identification of the customer and verification of the latter’s identity.

Subsection 2. Identification and verification of the identity of the beneficial owners

1. Definition of the concept of beneficial owner

1.1. Definition of the term “beneficial owner”

The obligation to identify the beneficial owners encompasses the identification of:

(a) the beneficial owners of companies;

(b) the beneficial owners of fiducies and trusts;

(c) the beneficial owners of legal entities such as foundations and legal arrangements similar to fiducies or trusts.

Professionals are obliged to take reasonable measures to discover the identity of the natural person who owns or controls the customer or for whose benefit a transaction is carried out.

“‘Beneficial owner’ (…) shall, in accordance with this Law, mean any natural person(s) who ultimately owns or controls the customer or any natural person(s) on whose behalf a transaction or activity is being conducted. The concept of beneficial owner shall include at least:

a)  in the case of corporate entities:

(i) any natural person who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that entity, including through bearer shareholdings, or through control via other means, other than a company listed on a regulated market that is subject to disclosure requirements consistent with European Union law or subject to equivalent international standards which ensure adequate transparency of ownership information.

A shareholding of 25% plus one share or an ownership interest of more than 25% in the customer held by a natural person shall be an indication of direct ownership. A shareholding of 25% plus one share or an ownership interest of more than 25% in the customer held by a corporate entity, which is under the control of a natural person(s), or by multiple corporate entities, which are under the control of the same natural person(s), shall be an indication of indirect ownership;

(ii) if, after having exhausted all possible means and provided there are no grounds for suspicion, no person under point (i) is identified, or if there is any doubt that the person(s) identified are the beneficial owner(s), any natural person who holds the position of senior dirigeant (manager)/ senior managing official;

aa) a direct or indirect right to exercise a dominant influence over the customer by virtue of a contract with the customer or by virtue of a clause in the customer’s articles of association, where the law governing the customer permits it to be subject to such contracts or clauses in the articles of association

bb) the fact that the majority of the members of the administrative, management or supervisory bodies of the client in office during the financial year and the preceding financial year and up to the preparation of the consolidated financial statements were appointed solely as a result of the exercise of voting rights by a natural person;

cc) a direct or indirect power to exercise, or a direct or indirect effective exercise of, dominant influence or control over the customer, including the fact that the customer is under single management with another undertaking

dd) a requirement under the national law of the parent undertaking of the customer to prepare consolidated financial statements and a consolidated annual report;”

b) in the case of fiducies and trusts: 

(i) the settlor or settlors;

(ii) the trustee or trustees;

(iii) the protector(s), if any;

(iv) the beneficiaries, or where the individuals benefiting from the legal arrangement or entity have yet to be determined, the class of persons in whose main interest the legal arrangement or entity is set up or operates;

(v) any other natural person exercising ultimate control over the fiducie or trust by means of direct or indirect ownership or by other means;

c)  in the case of legal entities such as foundations, and legal arrangements similar to fiducies or trusts, any natural person holding equivalent or similar positions to those referred to in point (b)”,

“identifying the beneficial owner and taking reasonable measures to verify his identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, fiducies, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer.”

“The beneficial owner within the meaning of Article 1 (7) of the Act means any natural person who ultimately owns or controls the customer or any natural person for whom a transaction is executed or an activity is performed. This may be the case even if the threshold of ownership or control as set out in Article 1 (7) (a) (i) of the Act is not met.”

In providing for the possibility of an obligation to identify as a beneficial owner a natural person holding less than 25% of the shares, the CSSF Regulation draws attention to the fact that the professional’s approach must not involve merely relying on that 25% participation threshold, since that threshold does not automatically enable the real beneficial owner to be identified in every case. Thus it is possible that a person holding less than 25% may be the beneficial owner where that person exercises in some other way control over the management of a legal entity.

It must also be borne in mind that it may be possible for a professional to adopt differentiated approaches to, on the one hand, the identification of beneficial owners pursuant to the Law and, on the other hand, the obligations to be complied with by companies in accordance with the Law of 13 January 2019 on the register of beneficial owners of companies.

1.2  Definition of “controlling persons” in the context of the automatic exchange of information relating to financial accounts in tax matters

It is important to note that different approaches may be adopted as regards the identification of beneficial owners, depending on whether what is involved are customer due diligence measures pursuant to the Law or similar obligations in tax matters.

Also, the information appearing below cannot be equated with the beneficial owner identification obligations under the Law, and is given only by way of comparison. Moreover, the term “controlling persons within the meaning of the Law of 18 December 2015 cannot be equated with the term control in the case of companies or ultimate control in the case of fiducies/trusts within the meaning of the Law.

“The term ‘controlling persons’ means natural persons who exercise control over an entity. In the case of a trust, that term means the settlor(s), the trustee(s), the person(s) charged with supervising the trustee(s), as the case may be, the beneficiary or beneficiaries or the classes of beneficiary, and any other natural person ultimately exercising actual control over the trust; and, in the case of a legal arrangement which is not a trust, the term means persons in an equivalent or analogous situation. The term ‘persons having control’ must be construed in accordance with the Recommendations of the FATF.”

The term “passive non-financial entity” (“NFE”) means, in essence, (1) an NFE, that is to say, any entity which is not a financial institution, (2) which is not an active NFE. An active NFE is any NFE which fulfils the eight relevant criteria laid down by Directive (EU) 2014/107. Amongst those criteria, the most representative one appears necessarily to be that requiring less than 50% of the gross income of the entity concerned to be passive income (dividends, interest, rents, capital gains).

In order to determine the residence of “controlling persons” of a passive NFE for new accounts of entities, “(…) the reporting financial institution may rely on information collected and maintained pursuant to AML/KYC procedures, on the understanding that, for the accounts of pre-existing accounts of entities, the rule is as follows:

“For the purposes of determining the controlling persons of an account holder, a reporting financial institution may rely on information collected and maintained pursuant to AML/KYC procedures” [persons controlling a passive NFE].

“For the purposes of determining whether a controlling person of a passive NFE is a reportable person, a reporting financial institution may rely on:

(i) information collected and maintained pursuant to AML/KYC procedures in the case of a pre-existing entity account held by one of more NFEs with an aggregate account balance or value that does not exceed an amount denominated in euros corresponding to USD 1 000 000 (…)” [Determining the residence of a controlling person of a passive NFE].

As regards the identification of the “controlling person of a passive NFE account holder, the Law of 18 December 2015 on the automatic exchange of information related to financial accounts in tax matters refers to the identification procedures/information collected in the AML context.

In addition, the “CRS-E” form states, in the annex thereto, that the definition of “controlling person” “(…) corresponds to the term ‘beneficial owner’ described in Recommendation 10 and the Interpretative Note on Recommendation 10 of the FATF”.

The ABBL Guidance regarding the implementation of the OECD Common Reporting Standard also states: “Any individual identified as beneficial owner of the Entity under review under applicable anti-money laundering regulations should therefore qualify as Controlling Person of the said entity for the purpose of the CRS” [see Section VII: Controlling Persons of Passive NFEs].

2. Identification of the beneficial owner(s) in certain specific cases

2.1  Identification of the beneficial owner(s) controlling the company by virtue of thresholds (shares/voting rights/capital)

The beneficial owner(s) of a customer that is a legal entity may simply control that entity by virtue of a direct participation comprising over 25% of its capital:

Direct capital holding:

Ms A and Mr B directly hold over 25% of the capital of company Z (units/shares).

They are the beneficial owners of company Z.

As stated by CSSF Regulation No 12-02, a professional may identify the beneficial owner of a legal person, even where the thresholds of participation or control are less than 25%, especially in the context of private banking activities. Thus, the professional must carry out an analysis of the beneficial owner on a case-by-case basis, which may result in it identifying and verifying the identity of Mr Y, even though the latter holds only 20% of the company’s capital.

  • Control of a legal entity may also result from an indirect holding (or chain of holding) of the capital of that entity:

Direct and indirect holding of the capital:

Mr A directly holds 30% of the capital of Alpha

Ms B holds 37% of the capital of Alpha:

27% indirectly via her participation in Beta

(45% of 60%) and

10% directly.

Ms C indirectly holds 29.7% of the capital of Alpha:

90% of C x 55% of Beta x 60% of Alpha = 29.7%.

In this example, the 25% threshold is exceeded for each beneficial owner.

The methods for calculating the control held by the beneficial owner must invariably take account of the chain of indirect holding.

  • The beneficial owner may indirectly hold voting rights in the customer:

Indirect holding of voting rights:

Ms A holds over 25% of the voting rights in Company Alpha:

40% x 90% = 36%

(* no other member individually holds more than 25% of the capital or voting rights; there exist no agreements between members)

  • The beneficial owner holds a majority interest in an entity holding over 25% of the customer company:

Mr A does not hold a weighted interest in LuxCo of more than 25% (75% x 30% = 22,5%), but he holds a majority interest of 75% in FrenchCo, which holds over 25% of the shares/voting rights in LuxCo.

Mr B holds a substantial direct interest in LuxCo. Both of them are the beneficial owners of the customer LuxCo.

2.2  Identification of the beneficial owner(s) controlling the company “through other means”

Control by other means may be established in accordance with Articles 1711-1 to 1711-3 of the amended law of 10 August 1915 on commercial companies and in accordance with the following criteria:

left-bookmark link=”https://www.cssf.lu/en/Document/law-of-12-november-2004/”]Art. 1, para. (7) of the Act, Points a), ii), 2nd3rd paragraph[/left-bookmark]

aa) a direct or indirect right to exercise a dominant influence over the client by virtue of a contract concluded with the client or by virtue of a clause in the client’s articles of association, where the law governing the client allows it to be subject to such contracts or statutory clauses

bb) the fact that the majority of the members of the administrative, management or supervisory bodies of the client in office during the financial year and the preceding financial year and up to the preparation of the consolidated financial statements were appointed solely as a result of the exercise of voting rights by a natural person;

cc) a direct or indirect power to exercise, or a direct or indirect effective exercise of, dominant influence or control over the customer, including the fact that the customer is under single management with another undertaking

dd) a requirement under the national law of the parent undertaking of the customer to prepare consolidated financial statements and a consolidated annual report;”

The definition of “control by other means” was introduced into Luxembourg law by the law of 25 March 2020.

It may also be useful for the professional to refer to the legal framework of neighbouring Member States to better understand this notion and the situations referred to.

In France, for example, the natural person controlling a company is materialized:

– when he or she de facto determines, by exercising the voting rights that he/she holds, the decisions adopted in general meetings of that company; OR

– when he or she is a member or shareholder of that company and has the power to appoint or remove a majority of the members of the administrative, management or supervisory body of the company in question.

In other words, “control of a company” means the de jure or de facto power to exercise a decisive influence on the appointment of a majority of the directors or managers of the company OR on the way in which it is managed.

Sources:

BRIEFLY:

The right to appoint or remove a majority of the members of the administrative, management or supervisory body of a company OR the right to exercise a dominant/decisive influence over the undertaking pursuant to a contract entered into with that undertaking or to a provision in its memorandum and articles of association, or an agreement entered into with other shareholders or members with a view to controlling the undertaking, constitute “control through other means”.

This example shows a chain of shareholders on 3 levels, the assumption being that the reference to “other shareholders” is to disparate groups of shareholders (holding capital amounting to less than 5%).

Shareholder A is the beneficial owner of LuxCo, in that he holds a significant part of the capital of that company, enabling him to exercise a “power of control through other means” over the administrative, management or supervisory bodies or over its general meeting:

– indirect holding of 13.26% of the capital of LuxCo (51% x 51% x 51%), which appears to be significant in light of the holding threshold of the holdings of the groups of “other shareholders”, who hold less than 5% of the capital;

– A is the majority holder of the shares in Shareholder 2, which is itself the majority holder of the shares in Shareholder 1, the majority shareholder of LuxCo.

2.2.1  Family group having control of a company

A civil partnership (PACS) is entered into between Ms B and Mr C.

No person within the family group individually holds more than 25% of the capital or voting rights in Company Alpha (the same applies in the case of the “other shareholders or members”, who have not entered into an agreement with each other). But they are acting “in concert”, and are thus able together to determine the decisions adopted in general meetings within the framework of their family relationships.

Mr A, Ms B, Mr C and Mr D are the beneficial owners of the customer Alpha Company: they have control of the customer company “through other means”, since they are members of a family group.

2.2.2  Concerted action between different persons

Concerted action may be defined as follows:

“Persons shall be deemed to be acting in concert where they have entered into an agreement with a view to acquiring, transferring or exercising voting rights in order to pursue a joint policy vis-à-vis a company or to obtain control of that company.”

None of the “other shareholders or members” individually holds more than 25% of the capital or voting rights; they have not entered into an agreement whereby they hold more than 47% of the voting rights.

Ms D and Ms A and Mr B and Mr C are not related to each other. But if they act in concert, they can determine the decisions taken in general meetings. They are the beneficial owners of the customer Alpha Company since they control it “through other means”, being bound by a shareholders’/members’ agreement.

2.2.3  Separation of the attributes of ownership

80% of the shares in the Société Civile Immobilière Alpha (an SCI = a property-holding company) are held by the family of Ms A; the attributes of ownership of the shares have previously been separated: Ms A has a usufructuary interest (life interest) in them and the statutory heirs have an undivided bare ownership (remainder) interest.

Under Article 1852 bis of the Civil Code, the voting rights belong to the holder of the bare ownership (remainder) interest, save as regards decisions concerning the allocation of profits, which are reserved to the holder of the usufructuary interest (unless otherwise provided for by the articles of association of the SCI).

Unless otherwise provided for by the articles of association of the SCI, Ms A, who is not a member of that company, nevertheless determines the allocation of its profits up to 80%. Thus, Ms A is a beneficial owner of the SCI Alpha.

Her statutory heirs, as bare owners (remaindermen), hold 80% of the capital and voting rights in the SCI ; they are therefore beneficial owners (assuming that the articles of association of the SCI do not otherwise provide).

2.3  Identification of the ultimate beneficial owner of a legal person: the “senior dirigeant (manager)/ senior managing official”

here a professional has no grounds for suspicion regarding its customer (a company) and has not been able to determine the beneficial owner(s) of the entity having direct control over the company or indirect control via a chain of holdings, or controlling it “through other means”, or where the professional is uncertain whether the person(s) identified is/are the beneficial owner(s), the professional must treat as being the beneficial owner any natural person who holds the position of senior dirigeant (manager)/ senior managing official.

2.3.1 In the case of companies:

The notion of “senior dirigeant (manager)/ senior managing official” must be understood as referring to those managers of the company who exercise, in practice, the most decisive influence on the management of the company. As a general rule, this will be the Chief Executive Officer (CEO) or the chair of the board of directors (of the company).

In the absence of any statutory definition in Luxembourg law of the notion of “senior dirigeant (manager)/ senior managing official, professionals may determine as being the beneficial owner(s), on a case-by-case basis, depending on the circumstances and according to the specific characteristics of foreign systems of company law:

(a) the manager(s) of sociétés en nom collectif (commercial partnerships), sociétés en commandite simple (limited partnerships), sociétés à responsabilité limitée (private limited companies), sociétés en commandite par actions (limited partnerships with shares) and sociétés civiles (civil-law partnerships);

(b) the general manager/CEO of sociétés anonymes à conseil d’administration (public limited companies having a board of directors) (one-tier system);

(c) the member of the management board to which the day-to-day management of the company has been delegated, in the case of sociétés anonymes (public limited companies) having a management board and a supervisory council (two-tier system);

(d) the chair or managing director of a société par actions simplifiées (simplified joint-stock company) where the latter has powers of representation analogous to those of the chair which are conferred on him/her by the articles of association.

Where the statutory representatives referred to in points (a) or (d) are legal persons, the beneficial owner(s) will be the natural person(s) who represent those legal persons in law.

CSSF Circular 20/742 specifies that reporting entities will be required to take reasonable steps to verify the identity of the natural person who occupies the position of key manager and to keep records of the steps taken and of any difficulties encountered during the verification process.

Sources:

“(…) the concept of senior managing official/senior dirigeant (manager) is generally to be understood as the management body legally provided for and not just for instance, the chairman of a board of directors. Can also be considered as senior managing official, the person to whom the daily management of the company has been delegated or any other equivalent body according to legal or statutory provisions, in which case only the latter must be registered”.

Illustration of a situation where the legal representatives are, by default, the beneficial owners:

It has not been possible to identify any beneficial owner of Alpha SAS, either in terms of the holding of capital/voting rights, or in terms of control through other means.

Accordingly, the legal representatives of Alpha SAS should be identified as its beneficial owners:

  • Mr A (Managing Director of the company Belle S.A., which holds the position of Chair of Alpha SAS), since, in French sociétés par actions simplifiées (simplified joint-stock companies), power is exercised by a single person, namely the chair, who may be a natural or a legal person (the sole mandatory management organ);
  • possibly, Mr B, if the articles of association of Alpha SAS confer on him executive powers and a power of representation which are the same as those of Belle S.A.

The designation of the senior dirigeant (manager)/ senior managing official” as the beneficial owner should remain an exceptional measure, and should only be resorted to after all other possible means under the Law have been exhausted (thresholds in respect of direct/indirect holdings; control through other means) to determine the beneficial owner(s) of the customer company.

Depending on the legal form of the customer company, the function/designation of the senior dirigeant (manager)/ senior managing official, as the beneficial owner may well vary.

For the purposes of identifying the “senior dirigeant (manager)/ senior managing official” as the beneficial owner, it is necessary to look first and foremost at the organ responsible for managing the company, charged with the day-to-day management of the entity. Professionals should none the less base their analysis, on a case-by-case basis, on the aspects of the specific business relationship with which they are confronted in each given instance.

  • The concept of “legal representative” as applied in the case of a Luxembourg customer company (non-exhaustive example):

Indicative table concerning the “legal representative”

Legal representative

(executive power of the management body)

Beneficial owner of “last resort” (senior managing official/ senior dirigeant [manager] )
Administrative organ

  • société à responsabilité limitée (private limited company)


 

  • société en nom collectif (commercial partnership)


 

  • société en commandite simple (limited partnership)


 

 


  • société en commandite spéciale (special limited partnership)

 

 

 

 

  • The manager(s)


 

 

 

 

 

 

  • the associé commandité

  • (general partner)

 

 

 

 

 

 

 
In the case of a sociéte en commandite spéciale having the structure of an investment fund:  the members of the board, unless specific legal arrangements are set

  • société civile


(civil-law partnership)
the manager(s)

  • société par actions simplifiées (SAS = simplified joint-stock company)

 

 

 

  • the chair


 

  • the managing director(s) (if the articles of association of the SAS confer on him/her a power of representation analogous to that of the chair)


  • société anonyme (SA = public limited company) having a board of directors) (one-tier system)


(« système moniste »)

  • the managing director (CEO)


(otherwise, where the managing director is a legal person, the permanent representative charged with execution)
 

Where the  SA is a UCITS (“SICAV”):

the members of the board, unless specific legal arrangements are set

 

  • société anonyme (SA = public limited company) having a management board and a supervisory council


  • the member of the management board to whom the day-to-day management/ representation of the company has been delegated (where appropriate, its chair).


(otherwise, in the case of a legal person, its permanent representative)
Where the SA is a UCITS (“SICAV”):  :

the members of the supervisory council unless specific legal arrangements are set

  • société en commandite par actions (SCA = limited partnership with shares)

the manager(s)

(where appropriate, the managing partner)(“actionnaire commandité”)
In the case of an SA that is a UCITS (“SICAV”):

The members of the board, unless specific legal arrangements are set

As regards “fonds communs de placement” (mutual funds): the legal representatives of the fund’s management company: the members of the Board of Directors, unless specifically agreed otherwise in law, should be considered as the “chief executive officer” (i.e. EC of last resort).

2.3.2  In the case of associations

Not-for-profit associations may be involved in the raising and/or disbursing of funds for charitable, religious, cultural, educational, social or fraternal purposes, or for the carrying-out of other types of good works. Nevertheless, they may possibly be used for less virtuous purposes, and risk being exploited for the purposes of, in particular, terrorist financing rather than pursuing a not-for-profit or laudable aim.

The Ministry of Justice has illustrated some cases where associations/foundations are used for TF purposes in guidelines (“Raising awareness of the voluntary sector of the risks of terrorist financing”).

WHAT TO DO?

The professional’s customer may be an association (whether or not promoting the public interest). In such cases, the professional must adopt a prudent approach and must identify the beneficial owner of last resort”.

Apart from identifying the beneficial owner of last resort, the professional must without fail ascertain whether the association is being used within a set-up aimed at effectively philanthropic goals or with a view to the optimisation of property assets. It is recommended that information be obtained concerning: the name and address of the organisation and its charitable object, as well as an extract from the business register.

The FATF considers that the natural person exercising control over a legal person is the person who supervises that legal person’s day to day or regular affairs through a senior management position, such as a chief executive officer (CEO), chief financial director (CFO) or chair.

Thus, it is only the senior dirigeant (manager)/legal representative of the ASBL (not-for-profit association), to whom the daily management of the association has been delegated according to legal or statutory provisions (delegated administrator or CEO), who may be designated as the beneficial owner in the register. As the case may be, members of the management body), otherwise, in the absence of a delegation of management powers,  the members of the Board of Directors will be registered in the registry.

In the event that the professional has any doubts regarding the identification of the beneficial owner (of last resort) in respect of its ASBL customer, it may refer to Circular 19/02 of the Luxembourg Business Registers:

“Where, despite the enquiries carried out, it has not been possible to identify any beneficial owner within the meaning of the Law of 13 January 2019, the senior dirigeant(s) (manager(s)) / senior managing official(s) must be regarded as the beneficial owner(s) and be registered as such in the Register of Beneficial Owners.

In this context, the notion of a senior dirigeant (manager)/  senior managing official, is to be generally understood as being the board of directors and, consequently, the entirety of the members of the management organ legally provided for must be communicated to the Register of Beneficial Owners, rather than merely the chair of the board of directors or the members of an executive committee. Can also be considered as senior managing official the person to whom the daily management of the association has been entrusted to or any other equivalent organ/body according to legal or statutory provisions.”

2.3.3  In the case of undertakings for collective investment (UCIs):

WHAT TO DO?

One should here refer to the joint guidelines of the ALFI, the ALCO, LPEA and LUX REAL entitled “who is the beneficial owner of the investment fund” published on August 8, 2019 (Illustrations of examples to identify the benficial owners).  

Reference can also be made to the former ALFI Guidance on “Practices and Recommendations aimed at reducing the risk of money laundering and terrorist financing in the Luxembourg Fund Industry” as regards custodian banks (Part IV, point D).

In the case of investment funds of the SICAV or FCP (mutual fund) type, or involving a legal form such as a société en commandite spéciale (special limited partnership) or limited liability partnership, the professional should refer where necessary to the indicative table concerning the legal representative/ senior managing official, which includes the identification of the beneficial owner(s) of companies whose legal form is used for the creation/management of investment funds.

In the United Kingdom, for example, funds are typically formed as limited partnerships registered at Companies House. Those funds have a general partner who exercises discretion over the assets of the fund.

In the case of a compartmentalised investment fund (of the SICAV type) involving a single legal personality, the professional must investigate the beneficial owner(s) of the fund at the level of the legal entity and not on a compartment-by-compartment basis, since the compartments do not possess their own legal personality.

The FATF guidelines (“Guidance for a risk-based approach for the securities sector”) state that it is for the intermediary (the customer of the custodian bank) to perform the customer due diligence obligations, but that an understanding of the intermediary’s customer base may none the less be a useful element in determining the risk associated with the intermediary itself. The level of understanding and the details obtained concerning the documentation must be tailored to the risk level of the intermediary.

In this context, it should also be noted that the custodian bank of a UCI (in so far as the relevant legislation requires the appointment of a custodian for the UCI) is required to take cognisance of the property and financial assets deposited with the custodian bank and, where necessary, to verify the origin and existence of that property/those assets.

Such due diligence checks, commonly known as the “Know Your Assets” process, may obligate custodian banks, over and above the requirement that they comply with all express legislative provisions prescribing a general duty of due diligence duty on the part of the custodian bank, to pursue a duly applied risk-based approach in the absence of any express agreement/delegation arrangement entered into with the investment manager(s) concerned.

The custodian bank may nevertheless rely on certain legitimate assumptions concerning the property and assets deposited, in so far as that property/those assets come to it from certain types of UCI, in accordance with the risk-based approach.

Preference should be given to a “comply or explain” approach, that is to say, one where the bank is required to explain to the regulator the assumptions applied by it in cases where it has not carried out due diligence checks on the property and assets deposited with it.

2.3.4  In the case of legal persons incorporated under public law and companies whose securities are admitted to trading on a regulated market:

A.    Legal persons incorporated under public law

WHAT TO DO?

Public administrative bodies or undertakings of countries or territories with a low level of corruption should be regarded by professionals as posing a potentially lower risk within the meaning of the Law.

A financial organisation having as its customer a legal person incorporated under public law must identify the latter’s beneficial owner; this involves, having regard to the guarantees of transparency, identifying the beneficial owner of last resort, that is to say, its legal representative.

Accordingly, the person to whom the daily management of the public entity has been delegated according to legal or statutory provisions may be designated as beneficial owner in the register. As the case may be, members of the management body/ Board of Directors will be registered in the registry.

If representatives of the State are members of the executive committee or the Board of Directors, the registration of the latter in the registry is replaced by that of their responsible Minister (“Ministre de tutelle”).

 The Luxembourg State Treasury keeps a list of public institutions, foundations and economic interest groupings indicating their legal representatives.

B. Companies whose securities are admitted to trading on a regulated market

“Companies whose securities are admitted to trading on a regulated market in the Grand Duchy of Luxembourg or in another State party to the Agreement on the European Economic Area, or in another third country imposing obligations recognised as being equivalent by the European Commission within the meaning of Directive 2004/109/EC of the European Parliament and of the Council of 15 December 2004 on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market and amending Directive 2001/34/EC, shall register only the name of the regulated market on which their securities are admitted to trading.”

Since companies whose securities are admitted to trading on a regulated market in Luxembourg or in the EEA are required to indicate only the name of the regulated market in the Register of Beneficial Owners of Companies, the professional must identify the name of the regulated market on which the securities of the customer company are admitted to trading as the beneficial owner.

In the case of a customer company a majority of the capital of which is held by a company whose securities are admitted to trading on a regulated market, the professional is thus required to identify as its beneficial owner the “senior dirigeant (manager)/ senior managing official” of the company which is the account-holder; it should indicate in the margin of the documentation of the beneficial owner in question the name of the regulated market on which the listed company holding the customer company is admitted to trading.     

2.3.5 Case of the syndicates of co-ownership (NEW)

In accordance with the provisions of the law of 16 May 1975 on the status of co-ownership of built-up properties, the co-owners are obliged to be grouped together in a syndicate (syndic de copropriété), acting as the legal representative of the community of co-owners.

In most cases, the syndicates have legal personality and are registered in the Luxembourg Trade Register, thus being subject to the law of 13 January 2019 establishing a register of beneficial owners.

WHAT TO DO?

In the search for the beneficial owners of trustees, some professionals sometimes find that trustees tend to argue that the co-owners of the building should be designated as the beneficial owners of trustees, indicating that the role of trustees is only to execute decisions on behalf of the co-owners.

Even if the decision of the trustee is taken by the general assembly of the co-owners, and despite the fact that a trade union council hypothetically supervises the trustee, it is the trustee who alone operates and controls the bank account, the co-owners having no say in the management of the trustee’s bank account.

According to the definition of beneficial owner as it appears in article 1, paragraph (7), point a), (ii) of the law of 12 November 2004, in the case of companies, the syndicate being a legal person, “the natural person who occupies the position of principal manager” must be designated as the beneficial owner of the syndic.

/message-box]

Translated with www.DeepL.com/Translator (free version)

2.3.6  In the case of NGOs:

According to the national money laundering risk assessment, NGOs pose an inherently high risk, since they may be used to finance terrorist acts.  

Professionals must adopt a prudent approach in identifying the beneficial owner of an NGO, taking due account of its legal structure, of the nature of its activities and of the business relationship which it proposes to maintain with the professional.

2.4  The beneficial owner(s) of fiducies and trusts and other similar legal arrangements

2.4.1      Fiducies and trusts

The professional must identify the beneficial owner and take “reasonable measures to verify his/her identity”, so as to be satisfied that it knows “who the beneficial owner is”, and must also, in the case of “legal persons, fiducies, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer”.

The information which a Luxembourg fiduciary is additionally required to gather regarding the beneficial owner of a fiducie or trust subject to the Luxembourg Law of 27 July 2003 on trusts and fiduciary contracts in order to feed this in to a register created for that purpose, is set out in the Law of 10 August 2018 on the information to be collected and maintained by professionals acting as fiduciaries.

Where the trustee/fiduciary is a legal person, the professional should refer to the guidance given in the “ABBL CRS-related FAQs” concerning the senior managing official test.

In the context of the automatic exchange of information concerning financial accounts in tax matters, the guidelines state, by reference to the Law, that the application of the senior managing official principle applies in the case of a corporate trustee holding a controlling/majority interest in a passive non-financial entity.

By analogy, the professional must accordingly identify the senior managing official of a trustee that is a legal person, seeking to obtain sufficient information concerning the entire chain of holdings in cases where a series of corporate structures are interposed in order to carry out the requisite “common knowledge” analyses.

“Countries should take measures to prevent the misuse of legal arrangements for money laundering or terrorist financing. In particular, countries should ensure that there is adequate, accurate and timely information on express trusts, including information on the settlor, trustee and beneficiaries, that can be obtained or accessed in a timely fashion by competent authorities (…) ”

As regards the obligation to identify the “beneficial owners” of trusts/fiducies, especially those governed by foreign law, it will be noted that the elements enabling the fiduciary/trustee, the settlor, the protector (as the case may be) and the beneficiary or beneficiaries to be identified will be found in the instrument setting up the trust/fiduciary contract.

Trusts and fiducies may cover extremely diverse situations, and the documentary requirements will differ depending on the variety of situations.

Professionals must be conscious of the fact that customer accounts set up in the name of a trust/fiducie could be used to circumvent the procedures for the identification of customers. For that reason, it is essential to understand the true nature of the business relationship. It is necessary to ascertain whether the customer is passing him/herself off as another person, if he/she is “covering” for another person, or if he/she is acting as an intermediary on behalf of a third party. To that end, supporting documents should be requested evidencing the identity of any intermediaries or persons in whose name he/she is acting as well as details regarding the nature of the fiducie/trust. Trusts/fiducies are normally, but not systematically, set up by a written document in the form of a fiduciary instrument / trust deed.

The professional should strive to obtain a list of the contributors of funds and of the beneficial owners by means of the deed setting up the trust/fiducie or through any other means giving reasonable credence to the information communicated to it. The difficulty lies, in essence, in identifying the beneficial owners, since the “letter of wishes” is not normally communicated to the professional. The “letter of wishes” is the document by which the settlor or the fiduciary structure indicates his wishes regarding the ultimate beneficiaries and the ways in which he would like the trust property is to be distributed.

The simplest situation is that in which the account is opened in the name of the trustee, a natural person, but the account is frequently opened in the name of a legal structure, typically a legal person located in an offshore country.

It may happen that, in certain fiduciary structures, the beneficiaries cannot be designated by name because they are in the process of becoming (children yet to be born) or on account of the fact that the realisation of a profit or benefit is subject to the occurrence of certain events. In such cases, it is sufficient to determine the “group of persons”/class of beneficiaries thus designated. This requirement need not involve the identification of the individuals forming that group of persons.

2.4.2      The beneficial owners of foundations/legal arrangements similar to fiducies/trusts

“In the case legal entities such as foundations, and legal arrangements similar to trusts or trusts, (the trader shall identify) any natural person who performs functions equivalent or similar to those of (settlor, trustee/trustee, beneficiaries or any other natural person exercising ultimate control over the trust/trustee by direct or indirect ownership or by other means).”.

2.5  The natural person “for whom a transaction is carried out”

According to the Law, the notion of “beneficial owner” also includes “any natural person(s) on whose behalf a transaction or activity is being conducted”.

This situation concerns cases involving a “man of straw”, called upon to lend his name to cover operations carried out for the account of a third person who wishes to remain anonymous, often with a view to achieving an unlawful aim.

This may also concern, for example, the situation in which the custodian of a property, belonging to a foreign non-resident natural person, opens an account in his own name with a credit institution with a view to domiciling in that account exclusively operations concerning the expenses of maintaining the property in question. The account is fed by transfers of funds coming from the owner. In such a case, the customer is the custodian of the property and the beneficial owner is its owner.

Where special purpose vehicles, for example SOPARFIs (financial holding companies), securitisation companies, or specialised investment funds, are set up on the initiative of a person holding not more than 25% of the capital of the structure in question, but that person nevertheless takes out most of the profits, the professional must try to identify/verify the identity of that person as beneficial owner (“bottom-up” approach).

In the case of, for example, a non-approved securitisation fund (“securitisation SPV”), managed by a management company, the investors will be the holders of co-ownership units in the fund (characterised as “transferable securities” even though the fund does not have legal personality). Those investors will receive, on a recurring basis, the interest due to them. Thus, those investors should be regarded as beneficial owners of the securitisation structure set up.

3. Measures to identify and verify the identity of the beneficial owners

The 4th Anti-Money Laundering Directive, as amended, requires certain information concerning the beneficial owners of companies and fiducies/trusts to be made available in registers to which professionals have access. The professional may, in addition to the information received by its customer, consult the registers established in Member States with a view to backing up the information supplied to it by its customer.

1.  Identification measures

“Without prejudice to enhanced due diligence requirements or the application of simplified due diligence measures, where applicable, the identification of beneficial owners (…) shall include the surname(s), first name(s), nationality(ies), date and place of birth and their address as well as the full postal address of the principal residence. At the discretion of the trader, it will also include the official national identity number”.

2.  Verification measures

“The verification of these data (concerning the beneficial owners) shall be made, notably, using information obtained from customers, central registers within the meaning of Articles 30(3) and 31(3a) of Directive (EU) 2015/849 or any other independent and reliable source available.

The sole recourse to central registers as mentioned above does not constitute a sufficient means of fulfilling the obligations of vigilance, the professional will therefore, the professional shall take all reasonable measures in order to ensure that the real identity of the beneficial owner is known. The reasonable nature of these measures shall be defined, notably, according to the level of money laundering or terrorist financing risk that the professional considers to be linked to the customer profile or the nature of the business relationship or of the transaction contemplated by the customer ”.

The ability of professionals to access the Register of Beneficial Owners, as provided for by the Law of 13 January 2019, will enable them to obtain information concerning certain entities registered in the Luxembourg Commercial and Companies Registry as from 1 September 2019, it being understood, however, that the Law states that professionals must not rely exclusively on central registers in order to fulfil their customer due diligence obligations.

For the purposes of verifying the identity of the beneficial owners, the professional is referred to the examples given below of documents for the identification of customers who are natural persons.  

In the absence of any more detailed statutory or regulatory requirements, the professional has a relatively  wide discretion as to the choice of documentation used for the purpose of verifying the identity of the beneficial owner.

The obligation to obtain a beneficial ownership declaration signed by the beneficial owner(s) or his/her/their representatives stems from CSSF Regulation No 12-02; professionals would be well advised to make this practice a permanent and established part of their procedures (see art.17 of the CSSF Regulation).

For information, with regard to “controlling persons” in the context of the automatic exchange of information concerning financial accounts in tax matters, the persons “having control” of an entity, who must be the subject of a declaration within the meaning of the Law of 18 December 2015, must provide information as to their “name, address, jurisdiction(s) of residence, TIN(s) and date and place of birth (…)”.

“Countries should ensure that there is adequate, accurate and timely information on the beneficial ownership and control of legal persons that can be obtained or accessed in a timely fashion by competent authorities. In particular, countries that have legal persons that are able to issue bearer shares or bearer share warrants, or which allow nominee shareholders or nominee directors, should take effective measures to ensure that they are not misused for money laundering or terrorist financing. Countries should consider measures to facilitate access to beneficial ownership and control information by financial institutions (…).”

3.  Bearer shares

In the context of business relationships involving nominees, the professional should request the latter to obtain the information needed in order to identify the beneficial owner(s) of the securities (that is to say, the natural person who is the owner of the securities held by the representative/nominee).

Subsection 3. Obtaining information on the purpose and intended nature of the business relationship, including the origin of funds

The customer due diligence measures to be taken by the professional include “assessing and understanding the purpose and intended nature of the business relationship and, as appropriate, obtaining information on the purpose and intended nature of the business relationship”.

1. Assessing the business relationship

This obligation is additional to the obligation to identify customers/beneficial owners, and is just as important, in that it enables the professional to go beyond a mere process of identification/verification based on documents; the professional can thereby assess the nature of the risks inherent in its relationship with the customer(s).

WHAT TO DO?

The relationship between a financial professional and its customer is of an intuitu personae (personal) nature. The scope of the documentation requested from the customer will necessarily depend on the way in which, and the circumstances in which, the relationship is entered into and the risk factors linked to the customer.

A so-called profile sheet, listing a number of items of information to be obtained from the customer, should be used by the professional. That sheet must be such as to make it possible to acquire a store of knowledge of the customer that is as exhaustive as possible, and, for that reason, need not necessarily be approved by the latter. It is recommended that this type of profile sheets of this kind be applied both to new and to existing customers. The sheet must also be updated as the relationship develops.

2. The origin of funds

The professional must obtain all necessary information regarding the origin of the customer’s funds:

“The professionals’ obligation to know their customer includes the obligation to gather (…), register, analyse and understand, at the time of the customer identification, information about the origin of the customer’s funds and the types of transaction for which the customer requests a business relationship, as well as any adequate information allowing the determination of the customer’s purpose of the business relationship (…). This information shall allow the professional to carry out an efficient ongoing customer due diligence (…). Depending on the risk assessment, this obligation may include the obligation to obtain evidence”.

In order to enhance the plausibility of the origin of the funds, the professional must verify the consistency between their operational origin and the economic origin indicated by the customer.

All relevant documents corroborating what the customer says, especially as regards the provenance of the funds, must be kept together with the documentation concerning the entry into the business relationship.

The professional must verify and log:

(a) the operational origin of the funds (cards, giro payments, other means of transfer);

(b) the geographical origin of the funds (third countries, EEA countries, countries demonstrating shortcomings in the fight against money laundering;

(c) the economic origin of the funds (salaries, income from investments, inheritances).

The professional is obliged to use its best endeavours to determine the economic origin of its customer’s funds. The following information may be useful, or even necessary, and must therefore be documented by the person carrying out the entry into the business relationship:

– family situation;

– wealth situation;

– associates and/or contact persons;

– description of professional activity;

– other sources of income;

– purpose of the business relationship;

– origin of funds;

– general assessment;

– entry into the relationship for his/her own account or for the account of someone else;

– any other relevant information, in specific cases, needed for knowledge of the customer (…).

All the information and documents thus obtained, when combined with common sense, must be such as to enable the account executive to arrive at an informed judgement in deciding whether or not it is advisable to establish a relationship with a customer. To the extent that there are any unusual factors, inconsistencies or specific risks attaching to the customer, the professional must obtain additional documents or relevant information in order to mitigate the attendant risks.

In order to ensure compliance with the obligations arising from other statutory or regulatory provisions (market abuse, handling of conflicts of interest), the professional must make sure to obtain a number of additional items of information concerning the customer and, in particular, the latter’s professional activity.

Subsection 4. Exercise of ongoing due diligence in respect of the business relationship and the updating of the documents, data and information held

1. General considerations

The exercise of ongoing due diligence as required by the Law is centred around three axes, comprising, for the professional, the obligation to carry out:

checks on transactions;

a permanent (event-driven) review of the business relationship;

a periodic review of the business relationship.

The monitoring of customers in terms of the risk involved must be founded either on a process of permanent ongoing checks based on the level of risk attaching to each customer and showing up all instances of unusual behaviour, or on a periodic review which will likewise depend on the level of risk attaching to the customer. Such monitoring must be based on a comparison between the profile sheet and the operations carried out by the customer (checks on transactions).

A customer’s profile may well change over the course of time. For that reason, in order to ensure that their customer data are up-to-date, professionals are recommended to carry out a re-assessment of the data collected by them at the time of the entry into the business relationship. In particular, where a customer has been accepted and it subsequently becomes apparent that that customer or the beneficial owner is or is becoming a politically exposed person, the question whether to maintain the business relationship should, where appropriate, be referred for authorisation to a more senior level.

Such a review may, in particular, take place on the occasion of a significant transaction, a substantial modification of the customer documentation standards or a significant change in the way in which accounts are managed, or whenever a professional realises that it is lacking information regarding an existing customer. 

Certain circumstances (changes of shareholders, a change of proxy, unusual operation of the account, for example in the case of professionals normally engaged in the safekeeping of funds of third parties with a financial establishment, etc.) may signify that the beneficial owner has changed or that the customer is not acting, or is no longer acting, for his/her own account. Professionals are recommended to clarify the situation in each case, and thus to undertake where necessary a fresh identification of the beneficial owner.

Professionals should also put in place control mechanisms enabling them, upon accepting new customers and in monitoring business relationships, to identify persons such as PEPs/countries lacking adequate AML/CFT systems/persons who are the subject of restrictive measures in financial matters (see below – point 2, b).

  • Special cases: dormant accounts and cheques

Dormant accounts present certain particular characteristics making it problematic to update them. Professionals are recommended to put in place specific procedures for the monitoring of dormant accounts and the updating of the data relating to the customers concerned.

The fact of a dormant account suddenly becoming active should alert the professional.

Particular attention should likewise be paid when processing of cheques, notably those bearing multiple endorsements, and of bank drafts, likewise calls for particular attention.

2.   Assessment of transactions and the detection of complex operations and unusual transactions

a)  General assessment:

This comprises “conducting ongoing due diligence of the business relationship including constant scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the professional’s knowledge of the customer (and) the business and risk profile, and ensuring that the documents, data or information held obtained in the exercise of customer due diligence remain up to date and relevant. To this end, professionals shall examine existing elements, in particular for higher risk categories of clients.”

Ongoing due diligence in respect of the business relationship necessitates examination of the transactions carried out by the customer in the course of that business relationship. Such ongoing examination of the transactions carried out by the customer will require the professional, where necessary, to gather information concerning the origin of the funds.

b)  Complex operations, unusual transactions and restrictive measures

“Ongoing due diligence (…) includes at a minimum the obligation to identify without delay:

  • (…) States, persons, entities or groups involved in a transaction or business relationship subject to restrictive measures in financial matters in the context of the fight against terrorist financing, including, notably, those implemented in Luxembourg via EU regulations directly applicable in national law or through the adoption of notably ministerial regulations; and
  • the States, persons, entities or groups involved in a transaction or business relationship subject to restrictive measures in financial matters, including, notably, those implemented in Luxembourg via EU regulations directly applicable in national law or, where appropriate, through the adoption of national regulations for their implementation.”

The professional is also obliged to detect States, persons, entities and groups subject to financial restrictive measures in relation to the assets under his management and to ensure that the funds will not be made available to such States, persons, entities or groups.

Where persons, entities or groups referred to in this article are identified, (…), the professional shall without delay apply the required restrictive measures and inform the competent authorities regarding financial sanctions. A copy of this communication must be sent at the same time to the CSSF.”

A list of links to the lists of persons, entities and groups concerned can be found in Annex III, Part B.

“(…) the trader must ensure that the internal system used for this control or made available by an external service provider to which he has recourse for the purposes of this control, is adapted without delay in order to be able to meet his obligations (…)”.

The obligation to exercise constant vigilance over the business relationship requires that “particular attention be paid to transactions that exceed certain amounts, to very large movements on an account that are incompatible with the amount of the balance or to transactions that are outside the normal pattern of account movements”.

“Professionals are required to examine as far as possible the context and purpose of these transactions, to record the results of these examinations in writing and to keep these documents in accordance with (…) the Law and to keep them at the disposal of the Luxembourg authorities responsible for combating money laundering and the financing of terrorism and of the auditors for at least five years, without prejudice to the longer retention periods prescribed by other laws”.

“With respect to the professionals’ ongoing due diligence (…), the professionals shall identify complex or unusual transactions (…) by taking into account, notably:

  • the importance of the incoming and outgoing assets and the volume of the amounts The transactions which involve small amounts but which are unusually frequent are also concerned;
  • the differences compared to the nature, volume or frequency of the transactions usually carried out by the customer in the framework of the business relationship concerned or the existence of differences compared to the nature, volume or frequency of the transactions normally carried out in the framework of similar business relationships;
  • the differences compared to the declarations made by the customer during the acceptance procedure and which concern the purpose and nature of the business relationship, in particular as regards the origin and destination of the funds involved.”

(1) “Professionals shall have procedures and implement control mechanisms that allow them, when accepting customers or monitoring the business relationships, to identify, among others:

(…)

– persons as referred to in articles 30, 31 and 33 (of CSSF Regulation 12-02) (i.e. PEPs, clients from high-risk countries and persons subject to financial restrictive measures).

the funds coming from or going to States, persons, entities or groups (…) involved in a transaction or business relationship subject to prohibitions or restrictive measures in financial matters in the context of the fight against money laundering and terrorist financing or countries or territories whose AML/CFT framework is considered as insufficient;

the complex operations or unusual transactions (taking into account in particular the importance of the incoming and outgoing assets, the existence of differences compared to the nature, volume or frequency of the transactions normally carried out by the customer and inconsistencies with the declarations made by the customer during the acceptance procedure);

a transfer of funds with missing or incomplete information within the meaning of EU Regulation 2015/847)”.

(2) “The establishment of a complete and up-to-date customer database is an integral part of this monitoring system. In the case of encoding by a natural person of the professional, this work should be checked according to the “4-eyes principle”.  This monitoring system must cover all client accounts and transactions and must cover clients, persons claiming to act on behalf of the client, originators and beneficial owners and, in the context of monitoring fund transfers, the originator of an incoming fund transfer and the recipient of a fund transfer leaving a client’s account. It should take into account the risks identified by the professional in relation to his or her business and client base. It must be automated, unless the professional can demonstrate that the volume and nature of the clients and transactions to be monitored do not require such automation.”

(3) “The identification researches carried out using this supervisory system shall be duly documented, including in cases where there are no positive results.”

(4) “The identified transactions or persons, as well as the criteria which led to the identification, shall be the subject of written reports. These reports shall be transmitted to the compliance officer for the required purposes, in particular, for compliance with Article 5 of the Law. Professionals shall specify in writing the procedure relating to the transmission of written reports to the compliance officer and the required transmission deadlines.”

(5) “The supervisory system shall allow the professional to take rapidly and, where appropriate automatically, the required measures where a suspicious activity or transaction was identified. The compliance officer shall be solely competent to decide on the application and scope of these measures and their termination, where appropriate, in consultation with the management and the compliance officer.”

(6) “The supervisory system shall be subject to initial validation at least by the compliance officer and regular control by the compliance officer in order to adapt this system, where necessary, to the development of the activities, the customers and the AML/CFT standards and measures.”

Professionals must ensure that their employees report unusual and/or suspicious transactions and that, in accordance with the internal procedures applied by each professional, such transactions are logged in writing by the persons in charge of compliance (including the responsible for monitoring compliance with professional obligations – “RC”), even where it is not considered opportune to report the matter to the authorities.

3.  Activities requiring particular attention

“In the framework of ongoing due diligence, the following activities, among others, require particular attention: (…)

  • activities of customers whose acceptance was subject to a specific examination (…) (acceptance of customers potentially presenting high levels of risk), as well as
  • transfers of funds within the meaning of Regulation (EU) 2015/847 and the respective requirements specified in the latter Regulation (…)”.

4.  Keeping documents and information up to date

“Ongoing due diligence includes the obligation to verify and, where appropriate, to update, in accordance with the maximum period provided for by, and taking into account the appropriate times specified in, Article 1 paragraph 4 of the Grand-Ducal Regulation (i.e. at least every seven years, without prejudice to a greater frequency depending on the risk assessment), within an appropriate timeframe to be set by the professional according to its risk assessment, the documents, data or information gathered while fulfilling the customer due diligence obligations (…).”

“For high-risk business relationships, the review frequency should be at least annual.”

“The professionals shall document, keep up to date and make the risk assessments referred to in paragraph 1 available to the supervisory authorities and self-regulatory bodies. The supervisory authorities and self-regulatory bodies may decide that individual documented risk assessments are not required where the specific risks inherent in the sector are clear and understood.”

As regards the obligation to keep the documents, data and information held up to date, professionals must carry out a review of their customers and documents (…), especially those which form an essential element of the business relationship and of knowing the customer, at such intervals as they may determine reflecting the risk associated with each customer and the risk involved in the business relationship. CSSF Regulation 20-05 and the Grand-Ducal Regulation of 14 August 2020 provide further details on the updating of the data collected by the professional. This update must be carried out :

– At least every 7 years

– More frequently if the situation requires it in view of the risk-based approach

– At least annually for high risk business relationships

“Following that review, the said documents must be updated if the professional finds any changes compared to the previous verification (for example, modification of the articles of association, identity card expired).

“When reviewing and updating client documents, data and information, the professional may take into account various sources of information, including

– relevant data and information in the public domain

– the client’s national BC/FT risk assessment report,

– the client country’s AML/CFT mutual evaluation reports

– other information obtained from a reliable and independent source.

Internal follow-up measures should be established for cases where the trader cannot meet the deadlines for updating the documentation.”

5.  Retention of documents and protection of personal data

1Retention of documents

“Professionals shall retain and quickly make available the following documents, data and information for the purposes of preventing, detecting and investigating, by the Luxembourg authorities responsible for the fight against money laundering and terrorist financing, possible money laundering or terrorist financing or by self-regulatory bodies:

a)  in the case of customer due diligence, a copy of or references to the documents, data and information which are necessary to comply with the customer due diligence requirements laid down in Articles 3 to 3-3, including, where appropriate, data obtained through the use of electronic means of identification, the relevant trust services provided for in Regulation (EU) No 910/2014, or any other secure electronic or remote identification process regulated, recognised, approved or accepted by the competent national authorities, books of account, commercial correspondence, and the results of any analysis carried out, for a period of five years after the end of the business relationship with their customer or after the date of an occasional transaction;

b)  the supporting evidence and records of transactions which are necessary to identify or reconstruct individual transactions, to provide, if necessary, evidence in a criminal investigation or enquiry, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction.

“The retention period referred to in this paragraph, including the extended retention period not exceeding a further five years, shall also apply in respect of data accessible through the centralised mechanisms referred to in Article 32a of Directive (EU) 2015/849.”

Professionals shall also retain the information concerning the measures taken in order to identify the beneficial owners (…).

Without prejudice to longer retention periods prescribed by other laws, professionals shall delete the personal data at the end of the retention period referred to in the first subparagraph. (…).

By way of derogation from the 4th subparagraph, professionals retain the personal data for a further period of five years where this retention is necessary to effectively implement internal measures for the prevention or detection of money laundering or terrorist financing.”

2 – Compliance with data protection rules

As regards the compatibility with the European General Data Protection Regulation (EU) 2016/679 (“the GDPR”) of the rule requiring documents connected with financial transactions to be retained for five years after the end of the business relationship with the customer, it should be borne in mind that the lawfulness of the processing of personal data lies in “compliance with a legal obligation to which the (data) controller is subject”.

(A) Information on the persons concerned and general notice

  • The customer:

Professionals shall provide new clients with the information required under Articles 13 and 14 of the GDPR before establishing a business relationship or carrying out an occasional transaction.

That information shall, in particular, include a general notice concerning the legal obligations of the professionals under this Law to process personal data for the purposes of the prevention of money laundering and terrorist financing.”

The general notice:

The general notice must contain, in particular, the pre-contractual information to be provided to customers/persons concerned, as indicated in the relevant ABBL guidelines « Steps forward in implementing the GDPR ». In addition, it must refer to the professional obligations as contained in the Law, to which the professional is subject, the lawfulness of the processing of the customer’s data being in accordance with compliance with a legal obligation to which the professional (as “data controller”) is subject.

  • The beneficial owner:

Since the professional gathers information about the beneficial owner only indirectly through its customer, it is not, by virtue of the exception appearing in the GDPR, obliged to inform the beneficial owner.

Information concerning beneficial owners:

As regards the prior information to be provided to the beneficial owner(s), since the primary consideration is that the customer due diligence measures prescribed by the Law require the professional to identify and verify the identity of the beneficial owner(s), and since that information will not have been gathered by the professional from the beneficial owner(s) themselves, the professional need not provide him/her/them with the information in question.

The prior information need not be provided where the personal data have not been gathered from the person concerned “in so far as (…) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests”.

In addition, the data protection policies of certain financial establishments indicate that it is for their customers, where necessary or appropriate, to inform their beneficial owners about any processing using the latter’s personal data.

It may also be noted that the Act considers the processing of personal data as a matter of public interest under the GDPR.

(B) Restriction on the right of access

“(…) The person who is responsible for the processing shall restrict or defer the right of access of the person concerned to his personal data where such measure is necessary and proportionate in order to:

(a) enable the professionals, the Financial Intelligence Unit, a supervisory authority or a self- regulatory body to fulfil their tasks properly (…); or

(b) avoid obstructing official or legal inquiries, analyses, investigations or procedures for the purposes of this Law (…) and to ensure that the prevention, investigation and detection of money laundering and terrorist financing is not jeopardised.”

It will be recalled that the GDPR allows Member States to limit the rights of the “persons concerned” in certain specific cases, for example “in the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.

ENHANCED CUSTOMER DUE DILIGENCE OBLIGATIONS

The Law lays down the specific cases in which professionals are required to apply enhanced customer due diligence measures.

The criteria governing cases in which professionals will find themselves faced with potentially higher-risk situations, thereby requiring them to apply enhanced due diligence, are set out in Annex IV to the Law.

Where professionals are confronted with factors indicating higher risks, they shall be required to “examine, as far as reasonably possible, the background and purpose of all transactions, that meets at least one of the following conditions:

(a) it is a complex transaction

(b) it is an unusually large transaction

(c) it is conducted in an unusual pattern

d) it has no apparent economic purpose or apparent lawful purpose.

In particular, the professional shall reinforce the degree and nature of monitoring of the business relationship, in order to assess whether such transactions or activities appear unusual or suspicious.”

Alongside the non-exhaustive list of factors and types of elements indicative of a potentially higher risk, it will be noted that there are situations in which a professional will always be confronted with a high risk and will therefore invariably be constrained to apply enhanced due diligence measures:

  • For business relationships or transactions involving high risk countries

Nevertheless, enhanced customer due diligence measures need not be automatically applied in majority-owned branches or subsidiaries that are located in high-risk countries, if such branches or subsidiaries fully comply with the group-wide policies and procedures in place pursuant to Article 4-1 or Article 45 of Directive (EU) 2015/849.

  • In the case of cross-border correspondent and other similar relationships with client institutions
  • In the context of business relationships with politically exposed persons.

The situations imposing reinforced vigilance measures will be detailed one by one below.

Section 1. Politically exposed persons

1.  The risk posed by a PEP

The special attention that professionals are required to pay to these persons arises, first, from the reputational risk linked to customers exercising political responsibilities, particularly in authoritarian regimes, and, second, the risk of the laundering of funds deriving from corruption.

Such persons may also use their families or associates to conceal funds or assets that have been misappropriated as a result of abuse of their official position or resulting from bribery and corruption. Moreover, they may seek to use their power and influence to gain representation and/or access to, or control of, legal entities for similar purposes.

2.  Definition of a PEP

Politically exposed persons are defined as “(…) natural persons who are or have been entrusted with prominent public functions and (…) family members or persons known to be close associates of such persons”.

“‘Natural persons who are or have been entrusted with prominent public functions’ (…) means all natural persons, including:

  1. heads of State, heads of government, ministers and deputy or assistant ministers;
  2. members of parliament or of similar legislative bodies;
  3. members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;
  4. members of courts of auditors or of the boards or directorates of central banks;
  5. ambassadors, chargés d’affaires and high-ranking officers in the armed forces;
  6. members of the administrative, management or supervisory bodies of State-owned enterprises;
  7. important officials and members of the governing bodies of political parties;
  8. directors, deputy directors and members of the board or equivalent function of an international organisation.”
  9. natural persons performing the functions included in the list published by the European Commission on the basis of Article 20a(3) of Directive (EU) 2015/849 (…)”

“Each Member State shall issue and keep up to date a list indicating the exact functions which, according to national laws, regulations and administrative provisions, qualify as prominent public functions (…).”

These lists will help professionals to determine the public functions characterising PEPs in all Member States.

3.  Definition of family members and associates of a PEP

The identification of a PEP must also include an examination of the members of his/her family and of his/her associates, within the framework of enhanced due diligence.

Family members means “all natural persons, including in particular:

  1. the spouse;
  2. any partner considered by national law as equivalent to the spouse;
  3. the children and their spouses or partners considered by domestic law as equivalent to a spouse;
  4. the parents;
  5. the brothers and sisters.”

The list is thus not exhaustive, according to the wording of the provision.

“Persons known to be close associates(…) means “all natural persons, including in particular:

  1. any natural person who is known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a person referred to in paragraph 10;
  2. any natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the benefit de facto of the person referred to in paragraph 10”.

4.  Obligations incumbent on professionals dealing with a PEP

4.1 Identification of PEPs

“(…) Financial institutions should be required to take reasonable measures to determine whether a customer or beneficial owner is a domestic PEP or a person who is or has been entrusted with a prominent function by an international organisation (…).”

“Adequate risk management systems (including risk-based procedures) for determining whether the customer or person purporting to act on the customer’s behalf or the beneficial owner is a politically exposed person (…) include at least seeking relevant information from the customer, referring to publicly available information or having access to electronic databases of politically exposed persons. The detection of politically exposed persons among existing clients during the course of a business relationship must be carried out at least every six months.”

Politically exposed persons must be identified, because they represent a potentially high risk. Enhanced due diligence measures must be applied to them. The risk-based approach will make it possible to determine whether the customer or beneficial owner is a PEP, on the basis that, if so, he or she will be the subject of enhanced due diligence. Professionals are therefore required to have adequate risk management systems, including risk-based procedures, to determine whether a potential client, customer or beneficial owner is a politically exposed person.

Every politically exposed person is covered, whether domestic or foreign.  The enhanced due diligence requirements for politically exposed persons also apply when the person in question holds an important public office in another Member State or in a third country or on behalf of one of these countries.

As soon as a person falls into the category of a PEP, the enhanced due diligence requirements apply to him.

WHAT TO DO?

– Subscribe to an IT service comprising databases relating to PEPs and integrate it into the existing systems;

– Carry out a legislative monitoring exercise at European level in respect of Member States that publish a national list of important public functions in accordance with the 5th Anti-Money Laundering Directive;

– Carry out regular checks to ensure that the customer database does not contain any PEPs (natural persons whose professional activity/function has changed).

4.2 The enhanced due diligence obligation

“With regard to transactions or business relationships with politically exposed persons (…), professionals are required to:

(a) have appropriate risk management systems, including risk-based procedures, to determine if the customer or beneficial owner is a politically exposed person;

(b) obtain senior management approval for establishing or, if an existing customer, to maintain a business relationship with such persons ;

(c) take reasonable measures to establish the source of wealth and source of funds that are involved in the business relationship or transaction with such persons. In addition, credit and financial institutions shall take all appropriate measures to establish the source of assets and funds of customers and beneficial owners identified as politically exposed persons;

(d) conduct enhanced ongoing monitoring of the business relationship.

The provisions of this paragraph also apply where a customer has already been accepted and the customer or the beneficial owner is subsequently found to be, or subsequently becomes, a politically exposed person.”

“When a client has been accepted and it subsequently appears that this client or the beneficial owner is or becomes a politically exposed person, professionals are required to obtain authorization from a high level of the hierarchy to continue the business relationship. The authorization procedure requiring approval from a high level of the hierarchy also involves the person responsible for monitoring compliance with professional obligations in terms of the fight against money laundering and terrorist financing.

Professionals are required to take all reasonable measures to identify the origin of the assets and funds of clients and beneficial owners identified as politically exposed persons”.

4.3 Particular case: life insurance contracts

The Law of 13 February 2018 adds new criteria to determine whether the beneficiary of a life insurance contract may be a politically exposed person:

“Professionals must take reasonable steps to determine whether the beneficiaries of a life insurance contract or other type of investment-linked insurance or, if applicable, the beneficiary’s beneficial owner are politically exposed persons. These measures shall be taken at the latest at the time of the payment of benefits or at the time of the assignment, in part or in full, of the insurance contract. When higher risks are identified, professionals, in addition to the customer due diligence measures provided for in Article 3, must:

a) inform a senior member of the hierarchy before payment of the proceeds of the contract ;

b) exercise enhanced scrutiny over the entire business relationship with the policyholder

c) make a suspicious transaction report to the FIU or, if the professional is a lawyer, to the President of the respective Bar Association, if the circumstances give rise to a suspicion of money laundering or terrorist financing.

5.  PEPs who no longer hold office

“Where a natural person who is or has been entrusted with prominent public functions is no longer entrusted with a prominent public function by a Member State or a third country, or with a prominent public function by an international organisation, the professionals shall, for at least 12 months, take into account the continuing risk posed by that politically exposed person and apply appropriate and risk-sensitive measures until such time as that person no longer poses a particular risk.”

WHAT TO DO?

Depending on its risk assessment, the professional may, on a case-by-case basis, opt for periods going beyond 12 months after the PEP has left office in which to apply appropriate due diligence measures.

Section 2. Correspondent banks

“In the case of cross-border correspondent relationships and other similar relationships with client-correspondent institutions in third countries and, credit institutions, financial institutions and other institutions involved in such relationships, must, in addition to the customer due diligence measures provided for in Article 3, paragraph (2), when entering into a business relationship :

(a) gather sufficient information about a respondent institution to understand fully the nature of the respondent’s business and to determine from publicly available information the reputation of the institution and the quality of supervision, which implies, among other things, knowing whether the client institution has been the subject of an investigation or of measures taken by a supervisory authority with regard to the fight against money laundering and against the financing of terrorism;

(b) assess the client institution’s anti-money laundering and anti-terrorist financing controls;

(c) obtain approval from senior management before establishing new correspondent banking relationships;

(d) clearly understand and document the respective responsibilities of each institution;

(e) with respect to “payable through accounts”, ensure that the client institution has verified the identity of clients with direct access to the accounts of credit institutions, financial institutions and other institutions involved in such relationships and has implemented ongoing monitoring of them, and that it can provide relevant data and information concerning these due diligence measures at the request of the correspondent institution” (see also below the novelties brought by the RGD of February 1, 2010 for payable through accounts).”

“Professionals are prohibited from establishing or maintaining a correspondent relationship with a shell banking company or with a credit or financial institution known to allow a shell banking company to use their accounts. Professionals shall ensure that correspondents do not allow shell banking companies to use their accounts.”

“It is prohibited for professionals to enter into or continue a correspondent  relationship with a shell bank or with a bank that is known to permit its accounts to be used by a shell bank.”

The Grand-Ducal Regulation of 1 February 2010 (GDPR) as amended provides additional instructions in the event of a cross-border correspondent relationship in the context of the business relationship with the client institution. The professional must also:

  • assess, on the basis of publicly available information, the reputation of the client institution and the quality of its supervision, including whether the institution concerned has been the subject of an investigation or intervention by the supervisory authority relating to money laundering or terrorist financing
  • ensure the adequacy and effectiveness of the client institution’s anti-money laundering and anti-terrorist financing controls
  • clearly understand and specify in writing the respective AML/CFT responsibilities of each institution

The GDR impose additional obligations on the professional in the presence of transit accounts. The latter must ensure that:

  1. their client (the client institution) has applied all the due diligence measures provided for in Article 3 of the Act to those of its clients who have direct access to the accounts of the corresponding institution ;
    and
  2. that the client institution is able to provide relevant identifying data and information about such clients upon request by the correspondent institution. The provision of such data and information by Luxembourg credit institutions in the context of a correspondent relationship is permitted.

Insofar as institutions other than credit institutions are involved in correspondent banking relationships, the rules on this matter also apply to these institutions.

WHAT TO DO?

A shell bank is a credit institution or an establishment carrying on activities equivalent to those of a credit institution, established in a country where it has no effective physical presence through which real control and management would be exercised and which is not attached to a regulated financial group.

In particular, the professional must gather information on:

the country of establishment of the respondent institution, as well as the legal and regulatory framework and the effectiveness of AML/CFT controls applicable in that country 

– the applicable supervisory authority and regime;

– the property and control structure of the respondent institution.

Cross-border correspondent services and other similar relationships may present different levels of high risk which justifies, on the basis of an analysis by the professional, the application of reinforced vigilance measures of varying degrees of intensity by the professional.

The due diligence measures advocated by the Joint Committee of the European Supervisory Authorities in its final guidelines on risk factors in the context of the activities of correspondent banks include the following:

– identifying/verifying the identity of the respondent institution (including information concerning the respondent’s management) and that of its beneficial owner;

– obtaining sufficient information about the activities and reputation of the respondent institution (the types of customers it attracts, qualitative analysis of the respondent’s AML/CFT control systems);

– establishing/documenting the nature and purpose of the service provided, as well as the responsibilities of each institution (the way in which the service is used and access thereto);

monitoring the business relationship and identifying any changes occurring in the risk profile of the respondent institution, in order inter alia to detect any unusual or suspicious behaviour (for example, customers of the respondent institution being allowed direct access to accounts provided by the respondent);

– ensuring that the respondent institution does not authorise the use of its accounts by shell banks and does not have any dealings with such banks.

Once that information has been gathered, the professional should analyse it and take a decision concerning the correspondent banking relationship. That decision must be documented and retained so that it can be made available to the competent authorities.

The professional must in addition undertake an examination of the information on which the decision to establish the relationship is based, and where necessary update that information. Where information is such as to undermine confidence in the legal system of the country in which the respondent is established, or in the effectiveness of its anti-money laundering/terrorist financing controls, the professional must reconsider the relationship.

Lastly, the professional must satisfy itself with regard to compliance by the respondent at all times with the commitments given by the latter, depending on the risk involved (in particular, communication without delay, upon request, of relevant data for the identification of those of its customers that have direct access to the payable-through accounts opened for it).

Section 3. High-risk countries

“A high-risk country is a country” that is on the list of high-risk third countries identified pursuant to Article 9(2) of Directive (EU) 2015/849 (i.e. i.e., Delegated Regulation EU 2020/855) or designated as higher risk by the Financial Action Task Force (FATF) as well as any other country that supervisory authorities and professionals consider in their assessment of money laundering and terrorist financing risks to be a high risk country based on the geographical risk factors set out in Annex IV (of the Act).”

There is no standardized method allowing the professional to assign a “country risk” “scoring”. If the professionals apply the procedure used by the parent company of the group, they will have to integrate the criteria of art. 1, para (30) of the Law.  

As for the updating of the list of high risk countries, this is done at least following the publication of EU delegated acts listing high risk third countries or CSSF circulars on the FATF declarations concerning high risk jurisdictions against which enhanced due diligence measures are required.

With regard to business relationships or transactions involving high risk countries, professionals shall apply the enhanced customer due diligence measures mentioned below

a) obtaining additional information on the client and on the beneficial owner(s) and updating the identification data of the client and the beneficial owner(s) more regularly

b) obtain additional information on the intended nature of the business relationship

c) obtain information on the origin of the funds and the origin of the assets of the customer and the beneficial owner(s)

d) obtain information on the reasons for the transactions envisaged or carried out

e) obtain authorization from a senior member of their hierarchy to enter into or maintain the business relationship

f) implement enhanced monitoring of the business relationship by increasing the number and frequency of checks carried out and by identifying transaction patterns that require further scrutiny.

The Law does not impose on the person responsible for compliance with professional obligations (“RR”), i.e. the person occupying the function corresponding to the “high level of the hierarchy” according to art, 31, para. (2) of CSSF Regulation 12-02 as amended, his involvement in transactions with high risk countries.

The RR must therefore not be involved ex-ante in these transactions. The Compliance Officer (“CO”) may be involved ex-post in the monitoring of such transactions if necessary.

“Professionals shall ensure that, where appropriate, the first payment is made through an account opened in the customer’s name with a credit institution that is subject to customer due diligence standards at least as high as those set out in Directive (EU) 2015/849.”

“Enhanced customer due diligence measures need not be automatically applied in the case of majority-owned branches or subsidiaries that are located in third countries (…), if such branches or subsidiaries fully comply with the group-wide policies and procedures in place pursuant to (…) Directive (EU) 2015/849. Professionals shall address these situations using a risk-based approach.”

Enhanced customer due diligence measures need not be invoked automatically with respect to branches or majority-owned subsidiaries of the professionals established in the European Union which are located in high-risk third countries (…), where those branches or majority-owned subsidiaries fully comply with the group-wide policies and procedures in accordance with (…) Directive (EU) 2015/849. The professionals shall handle those cases by using a risk-based approach.”

“Financial institutions should be required to apply enhanced due diligence measures to business relationships and transactions with natural and legal persons, and financial institutions, from countries for which this is called for by the FATF. The type of enhanced due diligence measures applied should be effective and proportionate to the risks.”

Annexe III(A) below provides various links giving information about third countries posing risks of corruption/money laundering/terrorist financing.

WHAT TO DO … to mitigate the risks posed by high-risk countries?

Increase the quantity of information obtained for customer due diligence purposes (e.g. concerning the identity of the customer or beneficial owner or the customer’s ownership and control structure, in order to be satisfied that the risk associated with the business relationship is well understood, and about the intended nature of the business relationship, to ascertain that the nature and purpose of the business relationship is legitimate and to help firms obtain a more complete customer risk profile);

Increase the quality of information obtained for customer due diligence purposes, in order to confirm the identity of the customer or beneficial owner (the first payment should be carried out through an account verifiably in the customer’s name with a bank subject to customer due diligence rules which are the same as those laid down in, for example, the 4th Anti-Money Laundering Directive);

Increase the frequency of reviews, in order to be satisfied that the firm continues to be able to manage the risk associated with the individual business relationship, or, where the relationship no longer corresponds to the firm’s risk appetite, to help it to identify any transactions that require further review.

Section 4. Examples of enhanced due diligence measures to be implemented, sector by sector/ in the case of transactions not involving the physical presence of the parties

The Joint Committee of the European Supervisor Authorities, in its final guidelines on risk factors, sets out numerous criteria to be applied by professionals in the specific situations provided for by the Law, and by sector of activity, it being understood that the measures appearing in the guidelines are not exhaustive and are thus given by way of illustration only.

  • Retail banking:– Verifying the identity of the customer and the beneficial owner(s) on the basis of more than one reliable and independent source;- Obtaining more information about the customer and the nature or purpose of the business relationship, so as to build up a more complete customer profile;- Increasing the frequency of transaction monitoring;- Reviewing and updating the information held more frequently.
  • Wealth management/private banking:

The measures prescribed in the guidelines echo, in a number of ways, those mentioned with respect to retail banking.

In addition, the professional must, in particular, establish the source of the assets and funds; where the risk is particularly high and/or the firm has doubts regarding the legitimacy of the origin of the funds, verifying the source of wealth and funds may be the only adequate risk mitigation tool. The source of funds or wealth may be verified by reference to, inter alia:

– a recent pay slip;

– a written confirmation of annual salary signed by the employer;

– a confirmation of sale signed by a lawyer/notary;

– the original or a certified copy of the will or grant of probate;

– written confirmation of inheritance signed by the testator’s notary/fiduciary/executor.

The professional should, moreover, monitor its customer’s transactions on an ongoing basis and/or where one of the elements of a transaction appears to be incompatible with the customer’s commercial risk profile.

  • Electronic money issuers and money remitters:

The enhanced customer due diligence measures which firms should apply in a high-risk situation include the following:

– obtaining additional information about the customer during the identification process, such as the source of funds;

– applying additional verification measures from a wider variety of reliable and independent sources (e.g. checking against online databases) in order to verify the identity of the customer and the beneficial owner(s);

– obtaining additional information about the intended nature of the business relationship, for example by asking clients about their business or the jurisdictions to which they intend to transfer electronic money;

– obtaining information about the merchant/payee, in particular where the electronic money issuer has grounds to suspect that its products are being used to purchase illicit or age-restricted goods;

– applying identity fraud checks to ensure that the customer is who he or she claims to be;

– applying enhanced monitoring to the customer relationship and individual transactions;

– establishing the source and/or the destination of funds.

  • Transactions not involving the physical presence of the parties, in the absence of electronic means of identification or secure identification process:

“In the case of transactions that do not involve the physical presence of the parties and where the professional has not set up electronic means of identification, relevant trust services within the meaning of Regulation (EU) No. 910/2014 or any other secure electronic or remote identification process regulated, recognized, approved or accepted by the relevant national authorities, professionals must have specific risk management systems related to business relationships or transactions.

These policies and procedures must be applied at the time of the establishment of the business relationship with the client and during the implementation of ongoing vigilance measures”.

Specific measures to be adopted by the professional to compensate for the potentially higher risk presented by this type of relationship may include:

“- measures ensuring that the identity of the client is established by means of additional documents, data or identifying information ;

– additional measures ensuring verification or certification by a public authority of the documents provided ;

– a confirmation certificate from a credit or financial institution subject to the Law or subject to equivalent professional obligations in the area of anti-money laundering and combating the financing of terrorism

– measures to ensure that the first payment of transactions is made through an account opened in the customer’s name with a credit or financial institution subject to the Act or subject to equivalent professional obligations in the area of anti-money laundering and combating the financing of terrorism.”

Section 5. Examples of enhanced due diligence measures to be implemented pursuant to CSSF Regulation No 12-02:

“Without prejudice to the cases where enhanced due diligence measures are specifically prescribed by the Law, the Grand-Ducal Regulation or this Regulation, examples of enhanced due diligence measures that could be applied depending on the risk assessment performed by the professional for higher-risk business relationships include:

  • obtaining additional information on the customer and updating more regularly the identification data of the customer and the beneficial owner;
  • obtaining additional information/documentation on the intended nature of the business relationship or on the origin of the funds involved and the assets;
  • obtaining information and, where appropriate, evidence as to the reasons and economic background for the transactions contemplated or carried out and the plausibility of such transactions;
  • obtaining the approval of the authorised management to commence or continue the business relationship;
  • requiring the first payment to be carried out through an account in the customer’s name with a professional subject to similar customer due diligence standards;
  • verifying the additional information obtained with independent and reliable sources;
  • receiving a visit from the customer/company or contacting the customer/company via registered letter with acknowledgement of receipt;
  • conducting enhanced monitoring of the business relationship, by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.”

PRACTICAL APPLICATION OF DUE DILIGENCE MEASURES

Section 1. Third-party introducers

“For the purposes of this Article, ‘third parties’ shall mean professionals (…), the member organisations or federations of those professionals, or other institutions or persons situated in a Member State or third country that:

a)  apply customer due diligence requirements and record-keeping requirements that are consistent with those laid down in this Law and in Directive (EU) 2015/849; and

b)  have their compliance with the requirements of this Law, Directive (EU) 2015/849 or equivalent rules applicable to them, supervised in a manner consistent with (…) Directive (EU) 2015/849.

It is prohibited for professionals to rely on third parties established in high-risk countries. Third parties that are branches and majority-owned subsidiaries of professionals established in the European Union are exempt from that prohibition, where those branches and majority-owned subsidiaries fully comply with the group-wide policies and procedures in accordance with (…) Directive (EU) 2015/849.

(2) Professionals may rely on third parties to meet the requirements (…), provided that the information (…) and documents (…) are obtained immediately from the third party to whom they have recourse. However, the final responsibility in the execution of these obligations remains with the professionals who use third parties”.

“Professionals using a third party must take appropriate measures to ensure that this third party provides without delay, upon request, in accordance with paragraph (3), the necessary documents concerning the customer due diligence requirements provided for in Article 3 (…), including, where appropriate, data obtained through the use of electronic means of identification, the relevant trust services provided for in Regulation (EU) No. 910/2014, or any other secure, electronic or remote identification process regulated, recognized, approved or accepted by the relevant national authorities.

Professionals using a third party must also ensure that the third party is regulated, supervised, and has taken measures to comply with customer due diligence and record keeping obligations that are consistent with those set out in Articles 3 to 3-2 of the (…) Law”.

(3) “When a third party intervenes for the purposes of paragraph 2 above, the latter shall be obliged to immediately make available to the professional to whom the client is addressing himself, notwithstanding any rules of confidentiality or professional secrecy applicable to him, the information requested in accordance with the obligations laid down in Article 3, paragraph 2, subparagraph 1, points a) to c) and subparagraph 2. 
In this case, an adequate copy of the identification and verification data, including, where appropriate, data obtained through the use of electronic means of identification, relevant trust services provided for in Regulation (EU) No. 910/2014, or any other secure electronic or remote identification process regulated, recognized, approved or accepted by the relevant national authorities, and any other relevant documents concerning the identity of the client or beneficial owner must be transmitted without delay, upon request, by the third party to the professional to whom the client is addressing.”

Moreover, the professional must ensure that the introducing third parties meet the requirements of the Law.

Any professional using a third party introducer must ensure, prior to the intervention of the latter, that he meets the requirements of the Act. The documentation used to verify the quality of the third party introducer must be kept in accordance with the Act.

The introducing third party shall give a prior written undertaking to fulfill the obligations specified in section 3-3, subsection (2) of the Act, notwithstanding the fact that the introducing third party is not a party to the Act. (2) of the Act, notwithstanding any rules of confidentiality or privilege applicable to the introducing party, if any.

The responsibility for compliance with the professional obligations provided for by the applicable legal provisions, including the present regulation, remains with the professional using the introducing third party.

[/left-bookmark]

If the professional uses a third party that is part of the group, the above requirements with respect to third parties will be considered met if:

“a) the professionals rely on information provided by a third party which is part of the same group ;

b) this group applies customer due diligence measures, rules relating to the conservation of documents and records and anti-money laundering and anti-terrorist financing programs in accordance with the Law, Directive (EU) 2015/849 or equivalent rules;

(c) the effective implementation of the obligations referred to in (b) is monitored at the group level by a supervisory authority, a self-regulatory organization or their foreign counterparts;

(d) any high-risk country risk is satisfactorily mitigated (…)”.

With regard to funds, the joint ALFI and ABBL guidelines on reducing money laundering and terrorist financing risks in the fund industry[1] refer to the respective obligations of the parties in the context of the use of the “third party introducer

– the UCI/IFM – investment fund manager (“the responsible entity” according to the guidelines) may rely on a third party meeting the requirements of the Law (art. 3-3) and of CSSF Regulation 12-02 (art. 36), which will have previously verified the identity of a prospect/client (his proxy if applicable)/BE of the UCI. The client thus introduced becomes a direct investor in the UCI. The UCI nevertheless remains responsible for the obligations of vigilance in relation to its clients.

[1] See “Practices and recommendations aimed at reducing the risk of money laundering and terrorist financing in the Luxembourg Fund Industry” (p. 21-22). This guide has been updated in May 2021 and contains new recommendations for fund players, in particular on the “Know your assets” (KYA) aspects.

Section 2. Outsourcing and agency relationship

“The contract between the professional and the delegated third party in the context of outsourcing or agency relationships (…) shall at least include:

  • a detailed description of the due diligence measures and procedures to be implemented in accordance with the Law and this Regulation and, in particular, of the information and documents to be requested and verified by the third-party representative (service provider in case of outsourcing or agent in case of an agency relationship);
  • the conditions regarding the transmission of information to the professional, including, notably, to make available immediately, regardless of confidentiality or professional secrecy rules or any other obstacle, the information gathered while fulfilling the customer due diligence obligations and the transmission, upon request and without delay, of a copy of the original supporting evidence received in this respect.”

“(2) The outsourcing and agency relationship policies and internal procedures of the trader wishing to use outsourced third parties shall, in particular, contain detailed provisions on the process of selection and evaluation of outsourced third parties, including subcontractors at different levels, in case of cascading outsourcing. In particular, the practitioner must ensure that the service provider has the necessary resources to perform all outsourced functions (process, service or activity outsourced).

Professionals must regularly monitor the delegated third party’s compliance with its commitments under the contract. According to the risk-based approach, regular control refers to the fact that the professional has the means to test (e.g. by sampling) and to control on a regular and punctual basis (e.g. by carrying out on-site visits) the respect of the obligations incumbent on the delegated third party. With regard to the data of its clients, the professional and the CSSF must have access rights to the systems/databases of the delegated third party.

“(2bis) A risk assessment of the outsourced functions and, if applicable, of the outsourcing chain must be carried out before the outsourcing contract is concluded (…)”

“(3) Responsibility for compliance with the provisions of the Act, the Grand-Ducal Regulation and this Regulation shall remain entirely with the professional using the delegated third party and the sub-delegated third party, where applicable.”

“(4) In the context of the outsourcing of AML/CFT functions, the rights and obligations of the professional and the service provider as well as their roles, responsibilities and tasks must be clearly listed, allocated and defined in the outsourcing contract. (…)”

SIMPLIFIED CUSTOMER DUE DILIGENCE OBLIGATIONS

Section 1: Money laundering risks lower than those covered by the Law

“Where professionals identify a lower risk of money laundering and terrorist financing, they may apply simplified customer due diligence measures.”

1.1  Situations involving less risk

When assessing the risks of money laundering or terrorist financing attaching to certain types of customer, geographical areas and products, services, transactions or particular distribution channels, professionals must take into account, as a minimum, the factors involved in potentially lower-risk situations as set out in Annex III (to the Law).

The application of simplified due diligence measures must be based on a risk assessment showing a low risk.

The risk factors set out in the Annex have already been mentioned above (customer/product/country), where the professional finds that the risk is low in the following respects:

– (i) geographical: if the situation/criteria involve more than one Member State, a customer originating from a Member State, and a third country posing a low risk of corruption/having effective AML/CFT systems;

(ii) products/services/transactions/ distribution channels.

A non-exhaustive list comprising, for example: low-premium life insurance policies, retirement insurance contracts without an early redemption clause, pension schemes in favour of employees, financial products or services used for inclusion purposes, or products posing a low risk of money laundering or terrorist financing which are controlled in accordance with other factors such as limits or ownership transparency;

– (iii) customers: companies listed on a regulated market and subject to information obligations (including transparency as regards beneficial owners), public administrative bodies/undertakings, residence criteria.

Electronic money:

“By way of derogation (…) and based on an appropriate risk assessment which demonstrates a low risk, professionals are allowed not to apply certain customer due diligence measures with respect to electronic money, where all of the following risk-mitigating conditions are met:

(a) it is not possible to reload the payment instrument or the instrument has a maximum monthly limit of EUR 150 which can be used only in Luxembourg;

(b) the maximum amount stored electronically does not exceed EUR 150.

(c) the payment instrument is used exclusively to purchase goods or services;

(d) the payment instrument cannot be funded with anonymous electronic money;

(e) the issuer carries out sufficient monitoring of the transactions or business relationship to enable unusual or suspicious transactions to be detected.

The derogation provided for in the first subparagraph is not applicable in the case of redemption in cash or cash withdrawal of the monetary value of the electronic money where the amount redeemed exceeds EUR 50 euros or in the case of remote payment transactions within the meaning of Article 4(6) of Directive (EU) 2015/2366 (…) where the amount paid exceeds 50 euros per transaction.”

“Credit and financial institutions acting as acquirers shall only accept payments made with anonymous prepaid cards issued in third countries where such cards meet requirements equivalent to those set out in paragraphs 1 and 2.”

“In the presence of information suggesting that the degree of risk is not lower, or where there is a suspicion of money laundering or terrorist financing, or where there is doubt as to the veracity or relevance of previously obtained data, or in specific cases of higher risk, the application of this simplified due diligence regime shall not be possible to those particular customers, geographical areas, products, services, transactions or distribution channels.”

Thus, professionals must ensure that they do not apply simplified due diligence where they suspect money laundering/terrorist financing, even where they are confronted with factors which they assume to involve lower risks.

1.2  Due diligence measures

According to the FAFT, financial institutions may be authorised to apply simplified due diligence measures, taking into account any lower level of risk.

The measures advocated by the FATF may thus consist in verifying the identity of the customer/beneficial owner following the establishment of the business relationship, reducing the frequency of customer identification updates and the intensity of ongoing due diligence, and inferring the purpose and intended nature of the business relationship from the type of transactions carried out.

“Where the professionals identify a lower risk of money laundering and terrorist financing, they may apply simplified customer due diligence measures.

(2) Before applying simplified customer due diligence measures, the professionals shall ascertain that the business relationship or the transaction presents a lower degree of risk.”

Section 2: Suggestions for simplified due diligence measures

According to CSSF Regulation n°12-02 :

CSSF Regulation n°20-05 sets out the measures that the professional may apply in the context of a business relationship presenting a justified low risk:

  • For clients subject to an authorization/licensing or mandatory registration regime for AML/CFT purposes, verify that the client is subject to this regime, for example by conducting a search on the regulator’s official website and documenting the result of the search
  • The presumption that a payment debited from an account held in the customer’s name, individually or jointly, with a credit institution or a regulated financial institution in a country of the European Economic Area or a third country imposing equivalent AML/CFT obligations, meets the requirements of Article 3 paragraph 2, subparagraph 1, point a) of the Law
  • The exceptional acceptance of other forms of identification that meet the criteria of reliable and independent sources, for example a letter addressed to the client by a government agency or other reliable public body, when the client is unable to provide the usual proof of identity, and provided that there is no reason for suspicion
  • Updating customer due diligence information only in the case of certain triggering events, for example if the customer requests a new or riskier product or service, or if there are changes in the customer’s behavior or transaction profile that suggest that the risk associated with the relationship is no longer low;
  • For persons purporting to act on behalf of the client and for originators, promoters who are behind the launch of an investment fund, obtaining information on the country of residence of these persons instead of requesting the full mailing address;
  • For persons claiming to act on behalf of a client where the client is a regulated credit or financial institution, instead of requesting the full identification of these persons, obtaining a letter confirming that the institution has applied due diligence measures to these persons and that it has carried out a regular check of these persons against the applicable lists of restrictive measures in financial matters.

Simplified due diligence measures according to the European supervisory authorities:

The final guidelines on risk factors published by the Joint Committee of the European Supervisory Authorities contain simplified due diligence measures which professionals may apply, generic or specific depending on the business sectors concerned.

2.1 Generic simplified due diligence measures

The measures advocated by the Joint Committee of the European Supervisory Authorities concerning simplified due diligence are based on adaptation – adaptation both of the moment chosen to apply the due diligence measures and of the quantity of information obtained for identification purposes or of its quality/source, or of the frequency of monitoring of transactions.

Professionals may use their discretion in deciding on the measures to be applied, depending on the circumstances of each particular case.

  • Adaptation of the moment chosen to apply the due diligence measures:

(i) by verifying the identity of the customer or beneficial owner at the time of establishment of the business relationship; or

(ii) by verifying the identity of the customer or beneficial owner once the transactions exceed a fixed threshold or once a reasonable time has elapsed.

Professionals must make sure:

  • that this does not entail a de facto exemption from customer due diligence measures;
  • that the threshold or period of time is fixed at a reasonably low level/is reasonably short (that said, as regards the financing of terrorism, firms should note that a low threshold cannot on its own be sufficient to reduce the risk);
  • that they have systems making it possible to detect when the threshold or deadline is reached; and
  • that they do not defer the customer due diligence measures and do not delay the obtaining of relevant information concerning the customer where the applicable legislation, for example Regulation (EU) 2015/847, or provisions of national law require that information to be obtained from the outset.
  • Adaptation of the quantity of information:

(i) by verifying the identity on the basis of information obtained from a single document or a single source of data which is reliable, credible and independent; or

(ii) by making assumptions regarding the nature and purpose of the business relationship on account of the fact that the product is designed exclusively for a very specific use, such as a company pension scheme or a gift card issued by a shopping centre.

  • Adapting the frequency of updates of customer due diligence and reviews of the business relationship, for example by carrying them out only when trigger events occur, in particular where the customer wishes to subscribe for a new product or service or a given threshold for transactions is reached.
  • Adapting the frequency and intensity of transaction monitoring, for example by monitoring transactions only beyond a certain threshold.
  • Adapting the quality or source of information obtained for identification and verification of identity and ongoing due diligence:
    • Accepting information obtained from the customer rather than from an independent source when verifying the identity of the beneficial owner
    • Relying on the origin of funds to meet certain due diligence requirements, such as where funds are derived from employee benefit payments or where funds have been transferred from an account in the customer’s name at an institution located in the EEA

2.2 Simplified due diligence measures by sector of activity

As with risk assessment by sectors of activity, the guidelines published by the Joint Committee provide guidance regarding the simplified due diligence measures to be applied. Various examples are given below, but professionals are invited to consult the guidelines for further details.

  • Retail banking:

  • For customers that are subject to a mandatory licensing or authorisation regime: verifying identity based on evidence showing that the customer is subject to that regime (through a search of the regulator’s public register);
  • Verifying the identity of the customer and, where applicable, the beneficial owner during the course of the establishment of the business relationship;
  • Accepting alternative forms of identity meeting the criterion of a “reliable and independent” source, e.g. a letter sent to the customer by a government agency or other reliable public body, where the customer is unable, on reasonable grounds, to provide standard evidence of his or her identity and provided there are no grounds for suspicion.

  • Wealth management/private banking:

The Joint Committee of the European Supervisory Authorities considers that simplified due diligence measures are not appropriate in a wealth management context.

Nevertheless, all professionals will inevitably find themselves confronted with a series of risk factors linked to their customers which they must assess on a case-by-case basis in their activities as private bankers.

  • Electronic money issuers and money remitters:

  • Deferring verification of the identity of the customer or beneficial owner to a later date after the establishment of the relationship or after a certain (low) monetary threshold is exceeded;
  • Verifying the customer’s identity on the basis of a payment drawn on an account in the sole or joint name of the customer, or in the joint names of the customer and another, or an account over which the customer can be shown to have control held with an EEA-regulated credit or financial institution;
  • Verifying identity on the basis of fewer sources or less reliable sources;
  • Assuming the nature and intended purpose of the business relationship where this is obvious, for example in the case of certain gift cards that do not fall under the closed loop/closed network exemption;
  • Reducing the intensity of monitoring as long as a certain monetary threshold is not reached.

OBLIGATION TO HAVE AN ADEQUATE INTERNAL ORGANISATION

Section 1. Obligation to put in place written internal control and communication procedures

“Professionals shall put in place policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified at international, European, national and sectoral level and at the level of the professionals themselves. Those policies, controls and procedures, which take into account the risks of money laundering and terrorist financing, shall be proportionate to the nature, specificities and size of the professionals.

The policies, controls and procedures referred to in the first subparagraph shall include:

a)  the development of internal policies, controls and procedures, including models, relating to risk management practices, customer due diligence, cooperation, record-keeping, internal control, compliance management including the appointment of a compliance officer at appropriate hierarchical level, and employee screening;

b)  where appropriate with regard to the size and nature of the business and the risks of money laundering and terrorist financing, an independent audit function to test the internal policies, controls and procedures referred to in point (a). (…)

The professionals shall appoint, where appropriate, among the members of their management body or effective direction, the person responsible for compliance with the professional obligations as regards the fight against money laundering and terrorist financing.”

“The internal control system … is adequately resourced to monitor compliance, including on a test basis, with procedures, policies and controls and has the independence necessary to perform its duties.

The Compliance Officer and other relevant personnel shall have timely access to client identification and other due diligence information, transaction records and other relevant information. The compliance officer must be able to act independently and report to management, without reporting to his or her immediate supervisor, or to the board of directors (…).”

The AML/CFT compliance officer reports in writing, on a regular basis and if necessary on an ad hoc basis to the authorized management and, if necessary, to the board of directors (or specialized committees).

.

These reports cover the follow-up of recommendations, problems, deficiencies and irregularities identified in the past as well as new problems, deficiencies and irregularities identified. Each report specifies the related risks and their degree of seriousness (impact measurement) and proposes corrective measures (…). These reports shall assess the extent of the suspicions or reasonable grounds for suspicion of money laundering, associated predicate offenses or terrorist financing that have been detected, and make a judgment on the adequacy of the AML/CFT policies, procedures and systems and the AML/CFT cooperation of the professional’s departments.

Monitoring AML/CFT policies and procedures should be an integral part of the professional’s internal audit function. To this end, the internal audit activity must independently test and evaluate risk management and control, AML/CFT policies, and procedures.

The internal auditor must report annually to authorized management and the board of directors (or specialized committees) and submit a summary report on compliance with AML/CFT policies and procedures. The internal auditor must be diligent in ensuring that these recommendations or corrective actions are implemented.

CSSF Regulation No 12-02 sets out various examples of procedures relating to the professional’s AML/CFT policy.

“The professional’s AML/CFT policies and procedures shall cover all the professional obligations and, where appropriate, include, inter alia, the following:

the customer acceptance policy (…);

– the detailed procedures as regards the identification, assessment, supervision, management and mitigation of money laundering or terrorist financing risks (…). Those procedures shall allow monitoring of the development of the identified risks, reassessing them on a regular basis and identifying any significant change affecting them or any new risk;

– the specific risk management mechanisms relating to business relationships or transactions not requiring the physical presence of the parties without other guarantees having been put in place (as referred to in Article 27 of CSSF Regulation 12-02);

– the measures designed to prevent the misuse of products or the execution of transactions that might favour anonymity (…), in particular, as regards new technologies;

– the procedures to be followed in the event of a request to enter into a business relationship or to execute an occasional transaction for a person whose normal activity involves the holding of third-party funds with a professional or the opening of a group account;

– the procedure for accepting and monitoring business relationships (…);

– the procedures to be followed when using a third-party introducer (…)

– the procedures to be followed when using delegated third parties intervening within the framework of an outsourcing or agency contract (…)

– the procedures to observe in order to monitor the development of business relationships as well as transactions executed for customers, notably to detect suspicious transactions;

– the procedures to be followed in the event of suspicion or reasonable grounds for suspicion of money laundering, associated predicate offences or terrorist financing

(…)

– the procedures to be followed in order to fulfil the obligations of Regulation (EU) 2015/847 (transfers of funds);

– the personnel selection policy guaranteeing the recruitment of employees according to demanding criteria, the personnel training and awareness-raising programme (…)

– the accurate definition of the respective responsibilities of the various functions within the staff with regard to AML/CFT, as well as the procedure for appointing the control officer and the compliance officer.”

– the procedure for internal reporting of violations of professional AML/CFT obligations through a specific, independent and anonymous channel

– procedures for financial restraint measures

– procedures for identifying the beneficiary of trusts or similar legal arrangements at the time of payment of benefits or at the time the beneficiary exercises his or her vested rights (…)

 

Information on the measures relating to mechanisms for the supervision of business relationships and transactions as included in CSSF Regulation No 12-02 will be found above.

Section 2. Obligation to provide training and awareness-raising for the personnel

“Professionals are required to take measures proportionate to their risks, their nature and their size, so that their employees, including members of the management bodies and the effective management, are aware of the professional obligations in the fight against money laundering and terrorist financing, as well as the applicable data protection requirements. These measures include the participation of their employees in special continuing education programs designed to keep them informed of new developments, including information on money laundering and terrorist financing techniques, methods and trends, to help them recognize transactions that may be related to money laundering or terrorist financing, and to instruct them on how to proceed in such cases. Special ongoing training programs provide employees with clear explanations of all aspects of AML/CFT laws and obligations, including customer due diligence and suspicious transaction reporting obligations. (…) “.

“Every professional shall have a training and awareness-raising programme for the whole personnel which observes highly qualitative criteria and whose content and calendar take into account the specific needs of the professional. That programme, as well as its realisation, shall be documented in writing. The programme shall take into account the development of money laundering and terrorist financing techniques and shall be adapted when relevant legal or regulatory requirements change.

The training and awareness-raising programme of the personnel shall include, inter alia:

  • for all newly hired employees, participation in internal or external basic training as soon as they are hired, making them aware of the professional’s AML/CFT policy as well as of the relevant legal and regulatory requirements;
  • for the employees, regular participation in internal or external continuing education which is addressed, in particular, to the members of the personnel in direct contact with customers in order to help them identify unusual transactions and recognise money laundering or terrorist financing attempts. That continuing education shall also concern the professional’s internal procedures to be followed by the employees in the event that they identify suspicion or have reasonable grounds for suspicion of money laundering, related predicate offences or terrorist financing;
  • regular information meetings for employees in order to keep them up to date with developments as regards the techniques, methods and trends with respect to money laundering and terrorist financing as well as the preventive rules and procedures to be followed in the matter;
  • the appointment of one or more contact person(s) for employees who is/are competent and available to answer any questions which relate to money laundering or terrorist financing and which may concern, notably, all aspects of the laws and obligations regarding AML/CFT, the internal procedures, the customer due diligence duties and the reporting of suspicious transactions;
  • the periodic distribution of AML/CFT documentation which includes, in particular, examples of money laundering or terrorist financing transactions.”

Where a training programme is organised abroad and presented at, for example, the registered office or parent company of the professional, the latter is obliged to adapt the programme to the rules and standards applicable in Luxembourg. 

The FIU 2017 Activity Report contains more than a dozen studies of specific cases which are not exhaustive but which “gave rise to suspicious transaction reports by the professionals concerned, illustrating different characteristics (techniques, mechanisms and instruments) frequently encountered by the FIU in carrying out its analyses(…)”.

Section 3. Internal reporting of breaches of professional obligations

“Professionals shall have in place appropriate procedures, proportionate to their nature and size, for their employees, or persons in a comparable position, to report internally, through a specific, independent and anonymous channel, breaches of professional obligations as regards the fight against money laundering and terrorist financing.”

The 5th Anti-Money Laundering Directive requires Member States to “ensure that individuals, including employees and representatives of the obliged entity who report suspicions of money laundering or terrorist financing internally or to the Financial Intelligence Unit, are legally protected from being exposed to threats, retaliatory or hostile action, and in particular from adverse or discriminatory employment actions”.

In addition, they must “ensure that individuals who are exposed to threats, retaliatory or hostile actions, or adverse or discriminatory employment actions for reporting suspicions of money laundering or terrorist financing internally or to the Financial Intelligence Unit are entitled to present a complaint in a safe manner to the respective competent authorities. (…)”

Section 4. Obligation to have systems making it possible to respond to the authorities

“Professionals shall have systems in place that enable them to respond fully and rapidly to enquiries from the Luxembourg authorities responsible for combatting money laundering and terrorist financing and self-regulatory bodies, as to whether they maintain or have maintained during the previous five years a business relationship with specified natural or legal persons and on the nature of that relationship, through secure channels and in a manner that ensures full confidentiality of the enquiries.

“(…) professionals shall be able to answer quickly and comprehensively all information requests for information from the Luxembourg AML/CFT authorities, and, in particular, those which tend to determine whether they are or were in business relationships or whether they do or did carry out transactions in relation to specific persons (…).

This cooperation requirement does not end with the business relationship or transaction.”

Similarly, the FIU’s “Suspicious Operations Report” Guideline obliges professionals to respond, “without delay, to a request for information by the FIU by using the ‘feedback’ forms, available on goAML Web. (The professional) can fill them in online or download an XML file (…). If (the professional) has not yet done so, (it should) register in advance  to be able to respond to the request for information.

Depending on the complexity and scope of research required, (the professional) should respond to any request for information by the FIU by using the ‘feedback’ forms, available on goAML Web. (The professional) can fill them in on FIU within a fortnight. However, if a request for information is described as ‘very urgent’, especially when dealing with terrorist financing, (the professional) should respond within 24 hours. A request for information described as ‘urgent’ should be processed within a week.”

OBLIGATION TO COOPERATE WITH THE AUTHORITIES

“(1) Professionals, their dirigeants and employees are obliged to cooperate fully with the Luxembourg authorities responsible for combatting money laundering and terrorist financing, in particular in the exercise of their supervisory powers (…)”.

Without prejudice to the obligations vis-à-vis the supervisory authorities or self-regulatory bodies, professionals, their directors, dirigeants and employees are required to:

The professional’s duty to collaborate with the authorities relates exclusively to the Luxembourg authorities; any foreign request for cooperation must be made through an official channel such as the system for international mutual legal assistance in criminal matters or international administrative assistance.     

(a) inform promptly, on their own initiative, the Cellule de renseignement financier/Financial Intelligence Unit (…) when they know, suspect or have reasonable grounds to suspect that money laundering, an associated predicate offence or terrorist financing is being committed or has been committed or attempted, in particular in consideration of the person concerned, its development, the origin of the funds, and the purpose, nature and procedure of the operation. This report must be accompanied by all supporting information and documents having prompted the report.

All suspicious transactions, including attempted suspicious transactions, shall be reported, regardless of the amount of the transaction.

The obligation to report suspicious transactions shall apply regardless of whether those filing the report can determine the predicate offence.

(b) provide without delay to the Cellule de renseignement financier/Financial Intelligence Unit), at its request, any information required. This obligation includes the submission of the documents on which the information is based.

(…)

(1a) With regard to combatting terrorist financing, the obligation to report suspicious transactions (…) also applies to funds where there are reasonable grounds to suspect or they are suspected to be linked or related to, or to be used for terrorism, terrorist acts, a terrorist or terrorist groups or by those who finance terrorism”.

“(1) The requirement to inform the FIU without delay(…) also covers cases in which the professional came into contact with a natural or legal person or legal arrangement without entering into a business relationship or carrying out a transaction, insofar as there are suspicions or reasonable indications for suspicion of money laundering, an associated predicate offence or terrorist financing.

(2) The professional shall equip itself with the means required with respect to procedures and organisation of the AML/CFT compliance officer function which allows analysis of the reports transmitted to him and the determination of the necessity to communicate a fact or transaction to the FIU (…). To this end, the professional must register in the tool set up by the FIU. The procedures shall include the conditions, deadlines and steps for the customer relationship manager to communicate reports to the compliance officer. The analysis and the resulting decision shall be recorded in writing and made available to the competent authorities.

(3) (…) a business relationship which is the subject of a suspicion report to the FIU shall be monitored by the professional with enhanced due diligence and, where appropriate, in line with the FIU instructions. Where there are any new indications, the professionals shall lodge a supplementary suspicious transaction report.”

WHAT TO DO …. Is the professional required to determine the predicate offence?

The professional is under no obligation to actively look into the facts relating to possible money laundering, or to consider whether they are sufficiently conclusive to serve as the basis for an official investigation, or to characterise the facts in terms of criminal law, or to prove that they are true; that is a task for the competent judicial authorities.

The Law of 10 August 2018 has amended the terms of the (2004) Law and introduced the obligation for the professional to inform the FIU, in particular where it has reasonable grounds for suspecting that money laundering or a predicate offence is going on/is or has been attempted/has taken place.

Information regarding the notion of suspicion, its origins and examples thereof (…)” is provided in point 4 (From the original suspicion to the reporting of a suspicious operation) of Section 1, Chapter 1.  

Where (…) the professional has a doubt as to the real identity of the beneficial owner and where he is unable to remove this doubt, he shall refuse to enter into the business relationship or to carry out the transaction desired by the client and, where he knows, suspects or has reasonable grounds to suspect that money laundering, an associated predicate offence or terrorist financing is taking place, has taken place or has been attempted, he shall make a declaration (to the Public Prosecutor’s Office) in accordance with Article 5 para. (1) and (1 bis) of the Act (…)”.

No professional secrecy applies vis-à-vis the Financial Intelligence Unit in respect of paragraph (1), paragraph (1a) and paragraph (3).”

“Countries should ensure that financial institution secrecy laws do not inhibit implementation of the FATF Recommendations.”

  • Rules on non-execution of suspicious transactions and no tipping-off

Professionals must refrain from carrying out transactions which they know, suspect or have reasonable grounds to suspect to be related to money laundering, to an associated predicate offence or to terrorist financing until they have informed the Financial Intelligence Unit thereof (…) and have complied with any specific instructions from the Financial Intelligence Unit. The Financial Intelligence Unit may give instructions not to carry out the operations relating to the transaction or the customer.

Where refraining from carrying out transactions (…) is impossible or is likely to frustrate efforts to pursue the beneficiaries of a suspected operation, the professionals concerned shall inform the Financial Intelligence Unit immediately afterwards.

Where the instruction is communicated orally, it must be followed by a written confirmation within three business days, otherwise the effects of the instruction cease on the third business day at midnight.

The professional is not authorised to disclose this instruction to the customer without the express prior consent of the Financial Intelligence Unit.

The Financial Intelligence Unit may order systematically and at any time the total or partial withdrawal of the order not to carry out the operations pursuant to sub-paragraph 1.”

Potential requests by the FIU for information on the reporting of suspicious transactions, and the rules on refraining from execution and “no tipping-off” with regard to such transactions, “apply even in the absence of a suspicious transaction report made by the professionals”.

“The FIU may issue a freezing order at any given moment.

To avoid the freezing order from becoming ineffective, (the professional) should not execute a transaction which (it knows) or suspect(s) to be linked to an act of money laundering or terrorist financing, as long as it has not informed the FIU of (its) suspicion by means of a suspicious operations report or by a response to a request for information received. An acknowledgment of receipt of the declarations (the professional’s) and responses (the professional’s) report by the FIU is automatically generated by goAML Web and will be sent to (the professional) via the message board, usually around midnight.

From this moment on, as long as (the professional has) not received any freezing order from the FIU, (it) may execute, under (its) own responsibility, the transaction related to (its) communications, as well as any subsequent non-suspicious transactions.”

Given that the FIU has for ten years now been receiving a growing number of suspicious transaction reports (38,744 in 2017), it cannot systematically provide feedback to a professional that has submitted a suspicious transaction report to it.

“Professionals and their dirigeants and employees shall not disclose to the customer concerned or to other third persons the fact that information is being, will be or has been reported or provided to the authorities (…) or that a money laundering or terrorist financing investigation by the Financial Intelligence Unit is being or may be carried out.

This prohibition does not apply to a disclosure to the supervisory authorities or, if appropriate, the self-regulatory bodies of the different professionals.” Nor, subject to fulfilment of the criteria set out in Section 2.3 above, does it apply in an intra-group context.

(…)

“For credit and financial institutions and the professionals referred to in Article 2 (1) (8), Article 2 (1) (9), Article 2 (1) (11), Article 2 (1) (12) and Article 2 (1) (13) (lawyers, notaries, tax advisers), in cases involving the same person and the same transaction involving two or more professionals, the prohibition laid down in the first sub-paragraph of this paragraph shall not prevent disclosure between the relevant professionals provided that they are situated in a Member State, or in a third country which imposes requirements equivalent to those laid down in this Law or in Directive (EU) 2015/849 and that they are from the same professional category and are subject to equivalent obligations as regards professional secrecy and personal data protection. The information exchanged must be used exclusively for the purposes of the prevention of money laundering and terrorist financing.”

OBLIGATIONS IN THE CASE OF GIRO PAYMENTS AND TRANSFERS OF FUNDS

The provisions to which professionals are subject are set out in Regulation (EU) 2015/847 on information accompanying transfers of funds and repealing Regulation (EC) No1781/2006. Those provisions entered into force on 26 June 2017.

“Regulation (EU) 2015/847 ensures the uniform implementation of FATF Recommendation 16 on wire transfers throughout the European Union. (…) (It) lays down rules regarding the information on payers and, henceforth (which is new as compared to the old Regulation (EC) No 1781/2006), on payees, that shall accompany transfers of funds, in any currency, where at least one of the payment service providers involved in the transfer of funds is established in the European Union.”

Taking into account the direct effect of Regulation (EU) 2015/847, the CSSF invites professionals to “adjust, where applicable, (their) internal AML/CFT procedures and processes in order to comply with its requirements”.

In addition, CSSF Circular 18/680 of 23 January 2018 refers to the joint guidelines of the three European Supervisory Authorities on the measures payment service providers should take to detect missing or incomplete information on the payer or the payee.

Regulation (EU) 2015/847 applies to transfers of funds, in whatever currency, sent or received by a payment service provider or an intermediary payment service provider established in the Union.

The European Banking Authority’s latest guidance on AML/CFT risk factors specifies that payment initiation service providers (“PISPs”) as well as payment service providers providing account information (“AISPs”) are subject to AML/CFT rules, even though they are not in possession of customer funds.

Derogations from the application of Regulation (EU) 2015/847

“This Regulation shall not apply to transfers of funds carried out using a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or post paid device with similar characteristics, where the following conditions are met:

(a)  that card, instrument or device is used exclusively to pay for goods or services; and

(b)  the number of that card, instrument or device accompanies all transfers flowing from the transaction.

However, this Regulation shall apply when a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or post paid device with similar characteristics, is used in order to effect a person-to-person transfer of funds

This Regulation shall not apply to persons that have no activity other than to convert paper documents into electronic data and that do so pursuant to a contract with a payment service provider, or to persons that have no activity other than to provide payment service providers with messaging or other support systems for transmitting funds or with clearing and settlement systems.

This Regulation shall not apply to transfers of funds:

(a)  that involve the payer withdrawing cash from the payer’s own payment account;

(b)  transfer funds to a public authority as payment for taxes, fines or other levies within a Member State

(c)  where both the payer and the payee are payment service providers acting on their own behalf;

(d)  that are carried out through cheque images exchanges, including truncated cheques.”

The professional’s obligations will vary according to whether it is acting, as the case may be, as a payment service provider for the payer (Section 1), for the payee (Section 2) or where there is an intermediary payment service provider (Section 3).

 

Section 1. Compliance with Regulation (EU) 2015/847 on information accompanying transfers of funds

Subsection 1. Obligations of the payment service provider (“PSP”) of the payer

1.  Information accompanying transfers of funds

“1.  The payment service provider of the payer shall ensure that transfers of funds are accompanied by the following information:

(a)  the name of the payer;

(b)  the payer’s payment account number; and

(c)  the payer’s address, official personal document number, customer identification number

or date and place of birth.

2.  The payment service provider of the payer shall ensure that transfers of funds are accompanied by the following information:

(a)  the name of the payee; and

(b)  the payee’s payment account number.

3.  By way of derogation from point (b) of paragraph 1 and point (b) of paragraph 2, in the case of a transfer not made from or to a payment account, the payment service provider of the payer shall ensure that the transfer of funds is accompanied by a unique transaction identifier rather than the payment account number(s).

The UTI is a combination of letters, numbers or symbols determined by the payment service provider, in accordance with the protocols of the payment and settlement systems or messaging systems used for the transfer of funds, which permits the traceability of the transaction back to the payer and the payee.

4.  Before transferring funds, the payment service provider of the payer shall verify the accuracy of the information referred to in paragraph 1 on the basis of documents, data or information obtained from a reliable and independent source.

(…)

5.  Without prejudice to the derogations provided for in Articles 5 and 6, the payment service provider of the payer shall not execute any transfer of funds before ensuring full compliance with this Article.”

It is important to note that the rules laid down concerning the data to be provided by the PSP of the payer are subject to a significant exception, where all the PSPs involved in the payment chain are established in the EU: only the payment account numbers of the payer and the payee have to accompany the transfer (Article 5 of the Regulation, below).

In practice, the name of the payer is normally given.

2.  Transfers of funds within the Union

“1.  By way of derogation from Article 4 (1) and (2), where all payment service providers involved in the payment chain are established in the Union, transfers of funds shall be accompanied by at least the payment account number of both the payer and the payee or, where Article 4 (3) applies, the unique transaction identifier, without prejudice to the information requirements laid down in Regulation (EU) No 260/2012, where applicable.

2.  (…) the payment service provider of the payer shall, within three working days of receiving a request for information from the payment service provider of the payee or from the intermediary payment service provider, make available the information:

(a) for transfers of funds exceeding EUR 1 000, whether those transfers are carried out in a single transaction or in several transactions which appear to be linked, the information on the payer or the payee in accordance with Article 4 (see above);

(b) for transfers of funds not exceeding EUR 1 000 that do not appear to be linked to other transfers of funds which, together with the transfer in question, exceed EUR 1 000, at least:

(i) the names of the payer and of the payee; and

(ii) the payment account numbers of the payer and of the payee or, where Article 4(3) applies, the unique transaction identifier.”

(…) ».

The Regulation thus lays down thresholds for transfers (1 000 €) according to which the information to be given by the professional will vary.

The PSP of the payer will not be required to verify the accuracy of the information concerning the payer in the case of transfers of funds within the EU which do not exceed 1000 €, the PSP has received the funds to be transferred in cash or in anonymous electronic money, or where it has reasonable grounds to suspect money laundering or terrorist financing.

3.  Transfers of funds outside the Union

“1.  In the case of a batch file transfer from a single payer where the payment service providers of the payees are established outside the Union, Article 4(1) (information concerning the payer and the payee) shall not apply to the individual transfers bundled together therein, provided that the batch file contains the information referred to in Article 4(1), (2) and (3), that that information has been verified in accordance with Article 4(4) and (5), and that the individual transfers carry the payment account number of the payer or, where Article 4(3) applies, the unique transaction identifier.

2.  By way of derogation from Article 4(1), and, where applicable, without prejudice to the information required in accordance with Regulation (EU) No 260/2012, where the payment service provider of the payee is established outside the Union, transfers of funds not exceeding EUR 1 000 that do not appear to be linked to other transfers of funds which, together with the transfer in question, exceed EUR 1 000, shall be accompanied by at least:

(a) the names of the payer and of the payee; and

(b) the payment account numbers of the payer and of the payee or, where Article 4(3) applies, the unique transaction identifier.

By way of derogation from Article 4(4) (verification of the accuracy of the information), the payment service provider of the payer need not verify the information on the payer referred to in this paragraph unless the payment service provider of the payer:

(a) has received the funds to be transferred in cash or in anonymous electronic money; or

(b) has reasonable grounds for suspecting money laundering or terrorist financing.”

Here again, a threshold below 1000 for a transfer outside the EU will allow the PSP of the payer to identify only the names of the payer and the payee accompanied by the payment account numbers.

The PSP of the payer will not be required to verify the information on the payer unless the funds to be transferred have, in particular, been received in cash or in anonymous electronic money or there are reasonable grounds to suspect money laundering or terrorist financing.

Subsection 2. Obligations of the payment service provider of the payee

1.  Detection of missing information concerning the payer or the payee

“1.  The payment service provider of the payee shall implement effective procedures to detect whether the fields relating to the information on the payer and the payee in the messaging or payment and settlement system used to effect the transfer of funds have been filled in using characters or inputs admissible in accordance with the conventions of that system.

2.  The payment service provider of the payee shall implement effective procedures, including, where appropriate, ex-post monitoring or real-time monitoring, in order to detect whether the following information on the payer or the payee is missing:

(a) for transfers of funds where the payment service provider of the payer is established in the Union, the information referred to in Article 5;

(b) for transfers of funds where the payment service provider of the payer is established outside the Union, the information referred to in Article 4(1) and (2);

(c) for batch file transfers where the payment service provider of the payer is established outside the Union, the information referred to in Article 4(1) and (2), in respect of that batch file transfer.

3.  In the case of transfers of funds exceeding EUR 1 000, whether those transfers are carried out in a single transaction or in several transactions which appear to be linked, before crediting the payee’s payment account or making the funds available to the payee, the payment service provider of the payee shall verify the accuracy of the information on the payee referred to in paragraph 2 of this Article on the basis of documents, data or information obtained from a reliable and independent source (…).

4.  In the case of transfers of funds not exceeding EUR 1 000 that do not appear to be linked to other transfers of funds which, together with the transfer in question, exceed EUR 1 000, the payment service provider of the payee need not verify the accuracy of the information on the payee, unless the payment service provider of the payee:

(a) effects the pay-out of the funds in cash or in anonymous electronic money; or

(b) has reasonable grounds for suspecting money laundering or terrorist financing.”

The principles governing the non-verification of the data concerning the payee where a transfer is made in a sum not exceeding 1000 € are the same as those explained above (under the heading “Transfers of funds outside the Union”) with regard to the obligations of the PSP of the payer. 

Regulation (EU) 2015/847 does not describe how PSPs of payees may detect missing information; CSSF Circular 18/680 of 23 January 2018 reiterates the joint guidelines of the European Supervisory Authorities concerning the measures PSPs should take to detect missing or incomplete information regarding transfers of funds (the “Guidelines”).

CSSF Regulation 12/02 as amended recalls the rules of Regulation (EU) 2015/847 by referring to the common guidelines of the European supervisory authorities on the measures that payment service providers must take to detect missing or incomplete information on the payer or payee, as well as the procedures that must be put in place to handle a transfer of funds that is not accompanied by the required information.

1.1  Procedures with regard to missing and incomplete information

  • Principles

PSPs (…) must implement effective procedures to detect if the required information on the payer or the payee is missing.

To be effective, these procedures should:

a)  enable the PSP or IPSP to spot meaningless information;

b)  employ a combination of real-time monitoring and ex-post monitoring; and

c)  alert the PSP (…) to high-risk indicators.”

  • Obligations and recommendations

“In order to detect and manage these transfers of funds with missing or incomplete information, PSPs and IPSPs shall notably establish, and maintain through regular review, effective policies and procedures that are proportionate to the nature, size and complexity of their business. These policies and procedures shall also be proportionate to the ML/TF risks to which the PSPs and IPSPs are exposed. Thus, they shall, for instance, set out clearly which transfers of funds have to be monitored in real time and which transfers of funds can be monitored on an ex-post basis.”

“The PSPs [of payees] (…) are thus requested to refer to the Guidelines for information on:

– the factors [they] should consider when establishing and implementing procedures to detect and manage transfers of funds that lack required information on the payer and/or the payee”.

1.2  “Meaningless” information

“PSPs (…) should treat meaningless information as though it was missing information

Examples of meaningless information include strings of random characters (e.g. ‘xxxxx’, or ‘ABCDEFG’) or designations that clearly make no sense (e.g. ‘An Other’, or ‘My Customer’), even if this information has been provided using characters or inputs in accordance with the conventions of the messaging or payment and settlement system.

Where PSPs (…) use a list of commonly found meaningless terms, they should periodically review this list to ensure it remains relevant. In those cases, there is no expectation that PSPs (…) manually review transactions to detect meaningless information.”

Professionals are recommended to configure their IT systems so that they are able to detect meaningless information.

1.3  Risk indicators

In the context of setting up procedures to detect missing information, PSPs should take due account of the risk factors referred to in Chapter 1 “Risk-based approach”.

2.  Management of transfers of funds in respect of which information on the payer or payee is missing or incomplete

“The payment service provider of the payee shall implement effective risk-based procedures, including procedures based on the risk-sensitive basis referred to in Article 13 of Directive (EU) 2015/849, for determining whether to execute, reject or suspend a transfer of funds lacking the required complete payer and payee information and for taking the appropriate follow-up action.

Where the payment service provider of the payee becomes aware, when receiving transfers of funds, that the information referred to in Article 4(1) or (2), Article 5(1) or Article 6 is missing or incomplete or has not been filled in using characters or inputs admissible in accordance with the conventions of the messaging or payment and settlement system (…), the payment service provider of the payee shall reject the transfer or ask for the required information on the payer and the payee before or after crediting the payee’s payment account or making the funds available to the payee, on a risk-sensitive basis.”

The PSP will be required to determine whether to execute/refuse/suspend a transfer of funds in accordance with the procedures in force, on the basis that it will take due account of the risks involved in that transfer of funds before deciding what course is to be followed.

The professional must assess whether the missing information raises concerns regarding money laundering.

“Where a PSP (…) decides to reject a transfer of funds, it does not have to ask for the missing information but should share the reason for the rejection with the prior PSP in the payment chain.”

“Where a PSP (…) decides to suspend the transfer of funds, it should notify the prior PSP in the payment chain that the transfer of funds has been suspended and ask the prior PSP in the payment chain to supply the information on the payer or the payee that is missing, or to provide that information using admissible characters or inputs.” (…)

Where the requested information is not provided by the set deadline, the PSP (…) should, in line with its risk-based policies and procedures:

(a) decide whether to reject or execute the transfer;

(b) consider whether or not the prior PSP in the payment chain’s failure to supply the required information gives rise to suspicion; and

(c) consider the future treatment of the prior PSP in the payment chain for AML/CFT compliance purposes.”

It is thus for the professional to determine the outcome of a transfer in light of any missing/incomplete information.

3.  Assessment and reporting

“The payment service provider of the payee shall take into account missing or incomplete information on the payer or the payee as a factor when assessing whether a transfer of funds, or any related transaction, is suspicious and whether it is to be reported to the Financial Intelligence Unit (FIU) in accordance with Directive (EU) 2015/849.”

“PSPs (…) should assess whether or not a transfer of funds is suspicious, taking into account any criteria set out in Union law, national legislation and their own, internal AML/CFT policies and procedures.

PSPs (…) should note that missing or inadmissible information may not, by itself, give rise to suspicion of ML/TF. When considering whether or not a transfer of funds raises suspicion, the PSP or IPSP should take a holistic view of all ML/TF risk factors associated with the transfer of funds (…), to the extent that these are known, and pay particular attention to transfers of funds that are likely to present a higher risk of ML/TF.

PSPs (…) should be able to demonstrate that they comply with directly applicable Union law and national legislation in the area of AML/CFT.”

Subsection 3. Obligations of intermediary payment service providers (“IPSPs”)

The obligations incumbent on IPSPs are similar in many ways to those of the PSP of the payee.

1.  Retention of information on the payer and the payee accompanying the transfer

“Intermediary payment service providers shall ensure that all the information received on the payer and the payee that accompanies a transfer of funds is retained with the transfer.”

IPSPs must ensure that data are not altered.

2.     Detection of missing information on the payer or payee

“The intermediary payment service provider shall implement effective procedures to detect whether the fields relating to the information on the payer and the payee in the messaging or payment and settlement system used to effect the transfer of funds have been filled in using characters or inputs admissible in accordance with the conventions of that system”.

In the case of “meaningless information”, an IPSP wilI be subject to the same obligations as the PSP of the payee in the same situation (see above).

“IPSPs should monitor transfers of funds to detect whether or not the characters or inputs used to provide information on the payer and the payee comply with the conventions of the messaging or payment and settlement system that was used to process the transfer of funds. These checks should be carried out in real time.

IPSPs may assume that they comply with (…) point (1) of Article 11 of Regulation (EU) 2015/847 (…) if they are satisfied, and can demonstrate to their competent authority, that they understand the messaging or payment and settlement system’s validation rules (…).”

“The intermediary payment service provider shall implement effective procedures, including, where appropriate, ex-post monitoring or real-time monitoring, in order to detect whether the following information on the payer or the payee is missing:

(a)  for transfers of funds where the payment service providers of the payer and the payee are established in the Union, the information referred to in Article 5;

(b)  for transfers of funds where the payment service provider of the payer or of the payee is established outside the Union, the information referred to in Article 4(1) and (2);

(c)  for batch file transfers where the payment service provider of the payer or of the payee is established outside the Union, the information referred to in Article 4(1) and (2), in respect of that batch file transfer.”

3.  Transfers of funds in respect of which information on the payer or payee is missing

“(…) IPSPs must implement effective procedures to detect if the required information on the payer or the payee is missing.

To be effective, these procedures should:

(a) enable the (…) IPSP to spot meaningless information;

(b) employ a combination of real-time monitoring and ex-post monitoring; and

(c) alert the (…) IPSP to high-risk indicators.”

“The intermediary payment service provider shall establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds lacking the required payer and payee information and for taking the appropriate follow up action.

(…)”

The obligations incumbent on IPSPs in the management of transfers of funds in respect of which information on the payer or payee is missing or incomplete are the same as those indicated above for the PSP of the payee (points 33 to 38 of the Guidelines).

Professionals are recommended to configure their IT systems so that they are able to detect suspicious or doubtful transactions.

4.  Assessment and reporting

“The intermediary payment service provider shall take into account missing information on the payer or the payee as a factor when assessing whether a transfer of funds, or any related transaction, is suspicious, and whether it is to be reported to the FIU in accordance with Directive (EU) 2015/849.”

Subsection 4. Information, data protection and retention of information

1.  Communication of information to the authorities

Payment service providers shall respond fully and without delay, including by means of a central contact point in accordance with Article 45(9) of Directive (EU) 2015/849, where such a contact point has been appointed, and in accordance with the procedural requirements laid down in the national law of the Member State in which they are established, to enquiries exclusively from the authorities responsible for preventing and combating money laundering or terrorist financing of that Member State concerning the information required under this Regulation”.

In certain circumstances, “host Member States may require electronic money issuers and payment services providers that have establishments in their territory in forms other than a branch, and whose head office is situated in another Member State, to appoint a central contact point (…)”.

The central contact point plays a role of “central coordinator” between the PSP that appoints it and its establishments, and between the PSP and the competent authorities of the Member State in which those establishments are established.

2.  Data protection

“The processing of personal data under this Regulation is subject to Directive 95/46/EC (…).

Personal data shall be processed by payment service providers on the basis of this Regulation only for the purposes of the prevention of money laundering and terrorist financing and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Regulation for commercial purposes shall be prohibited. (…)”

“Payment service providers shall provide new clients with the information required pursuant to Article 10 of Directive 95/46/EC before establishing a business relationship or carrying out an occasional transaction. That information shall, in particular, include a general notice concerning the legal obligations of payment service providers under this Regulation when processing personal data for the purposes of the prevention of money laundering and terrorist financing.”

“Payment service providers shall ensure that the confidentiality of the data processed is respected.”

Reference should be made to the relevant provisions of the GDPR relating to the information to be provided where personal data are collected/have not been obtained from the data subject (Articles 13 and 14).

The general notice must contain, in particular, the pre-contractual information to be provided to new customers (“data subjects”) as indicated in the ABBL guidelines entitled “Steps forward in implementing the GDPR”. Reference should be made to the professional obligations contained in, inter alia, the Law and to which the professional is subject, and the lawfulness of the processing of customer data in compliance with a legal obligation to which the professional (the “controller”) is subject.

3.  Retention of information

“1.  Information on the payer and the payee shall not be retained for longer than strictly necessary. Payment service providers of the payer and of the payee shall retain records of the information referred to in Articles 4 to 7 for a period of five years.

2.  Upon expiry of the retention period referred to in paragraph 1, payment service providers shall ensure that the personal data is deleted, unless otherwise provided for by national law, which shall determine under which circumstances payment service providers may or shall further retain the data. Member States may allow or require further retention only after they have carried out a thorough assessment of the necessity and proportionality of such further retention, and where they consider it to be justified as necessary for the prevention, detection or investigation of money laundering or terrorist financing. That further retention period shall not exceed five years.”

As stated above, Article 3(6) of the Law provides that “professionals shall retain the supporting evidence and records of transactions which are necessary to identify or reconstruct transactions, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction”.

The Law thereby lays down a provision “otherwise provided for by national law” within the meaning of Regulation (EU) 2015/847, requiring professionals to retain supporting evidence of transactions of their customers for a period of five years after the end of the business relationship with the latter.

Subsection 5. Sanctions

“Without prejudice to the right to provide for and impose criminal sanctions, Member States shall lay down the rules on administrative sanctions and measures applicable to breaches of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented. The sanctions and measures provided for shall be effective, proportionate and dissuasive and shall be consistent with those laid down in accordance with Chapter VI, Section 4, of Directive (EU) 2015/849.

Member States may decide not to lay down rules on administrative sanctions or measures for breach of the provisions of this Regulation which are subject to criminal sanctions in their national law. In that case, Member States shall communicate to the Commission the relevant criminal law provisions. (…)”

In the event of a breach of (certain) provisions (…) of Regulation (EU) 2015/847, the CSSF may impose administrative fines (…) on the entities in question (…) and on the members of their management body and/or de facto managers, or on any other person who is responsible for the breach.

Section 2. Fraud relating to transfers of funds: false transfer orders

Professionals must ask themselves whether the matter may potentially be one of the specific cases pinpointed by the FIU.

1. Types of fraud found to have occurred

  • Fraud on the chief executive (“CEO fraud”), whereby a fraudster, passing himself off as the CEO, succeeds in persuading the accounts department of an undertaking to carry out a transfer to an account located abroad;
  • False invoices of various different kinds may be utilised, addressed to the accounts department of a company. For example, a fraudster may hack into the IT system of an undertaking in order to gain knowledge of parties contracting with it and payments falling due to the latter by a given deadline or deadlines;
  • Attack via a “middleman” (that is to say, a hacker intercepting electronic communications);
  • “Pirated” e-mails (for example, those purportedly sent by financial intermediaries) designed to prompt the professional to execute non-authorised transfer orders.

2. The craftiness of fraudsters

Fraudsters invariably have recourse to social engineering to deceive their victims, having won their trust and preventing them from asking themselves questions regarding the legitimacy of the transfers executed.

In most of the cases analysed by the FIU, the customer did not inform his bank or lodge a complaint with the police or the public prosecutor until several days after the event. The chances of recovering the funds several days after the transfer was made tend to be zero. The first 24 hours are crucial for the possibility of recovering the funds. Intervention within 72 hours can sometimes still lead to a satisfactory result.

Only increased vigilance of the customer’s transactions by the financial institution concerned is likely to prevent the customer from failing to react.

3. Preventive measures

Various indicators exist for spotting fraudulent transfers. Those indicators may be generally applicable and may involve, in particular:

  • the fact that substantial/high amounts are demanded as the price payable for the execution of high-value contracts. According to the FIU, it is not uncommon for the transfer to involve sums in excess of EUR 100,000 or even EUR 100,000;
  • the use of payee accounts, already known about, in the context of false transfer orders;
  • the use of “money mules” (a person who transfers funds obtained unlawfully between different bank accounts or other accounts, very often located in different countries, for the account of another).

There also exist criteria relating to the victim’s account or the account of the perpetrator (holder of the payee account):

Holder of the payee account:

  • inconsistency of the amount of the transaction
  • inconsistency with the customer’s business

Account of the victim/unusual behaviour/other factors:

  • existing business relationship but inconsistent payee account
  • new payee account
  • urgency/confidentiality of the transaction
  • failure to respect the “four eyes” principle
  • unusual/inconsistent supporting evidence in the documentation provided
  • phishing/pharming: instructions come from an email account that closely resembles the customer’s email account (e.g. contact@abc.com instead of contact@abc.lu)
  • instruction given by the boss of a new employee or instructions given only by e-mail.

WHAT TO DO?

In order to pre-empt false transfer orders, the professional may initiate procedures whereby the customer is automatically contacted as soon as the amount involved in a transfer order reaches a pre-defined threshold. 

4. Reporting by the professional to the FIU

The professional with whom the victim’s account is held must react quickly in order to maximise the chance of recovering the funds.

After informing the payee financial institution, the professional must immediately submit a suspicious operations report (SOR) to the FIU.

Where the transfer has been executed within the last 72 hours, the professional:

  • may lodge a summary SOR, accurately providing all the information concerning the suspicious transaction(s), together with a statement of reasons in a few words. The professional is required to provide all further details within 24 hours.
  • Contact the FIU by telephone after sending the SOR.

The professional the suspicious account is held must immediately submit a SOR to the FIU. The FIU will decide on a freezing order.

***

Correlation table – FATF Recommendations

FATF RECOMMENDATIONSAML Handbook
Risk-based approach:

  • Recommendation 1

Part II: Content of the professional obligations, Chapter 1: “Risk-based approach”, Section 1: “Identification and assessment of risks” and Section 2: “Management and mitigation of risks”
Money laundering and terrorist financing offences:

  • Recommendations 3 and 5

Part I: Scope of application of the professional obligations, Chapter 1: “Material scope of application”:

Annex II: “Table of predicate offences”
Targeted financial sanctions/other sanctions:

  • Recommendations 6 and 7 (terrorism - proliferation)

  • Recommendation 35 (effective – proportionate – dissuasive sanctions)

See Annex III
Financial institution secrecy laws:

  • Recommendation 9

Part I: Scope of application of the professional obligations, Chapter 1: “Material scope of application”, Section 1: “Money laundering and terrorist financing offences”
Customer due diligence obligation:

  • Recommendation 10

Part II: Content of the professional obligations:
Retention of documents:

  • Recommendation 11

Part II: Content of the professional obligations:
Politically exposed persons (PEPs):

  • Recommendation 12

  • Recommendations 12 and 22 of the guidelines entitled “Politically exposed persons” (June 2013)

Part II: Content of the professional obligations, Chapter 3: “Enhanced customer due diligence obligations”, Section 1: “Politically exposed persons”
Correspondent banking

  • Recommendation 13

Part II: Content of the professional obligations, Chapter 3: “Enhanced customer due diligence obligations”, Section 2: “Correspondent banks”
New technologies

  • Recommendation 15

Part II: Content of the professional obligations,

Chapter 1: “Risk-based approach”, subsection 2.3: “Mitigation of specific risk factors according to the business activities concerned”
Electronic transfers

  • Recommendation 16

Part II: Content of the professional obligations, Chapter 8: “Obligations in the case of giro payments and transfers of funds”
Recourse to third parties

  • Recommendation 17

Part II: Content of the professional obligations, Chapter 4: “Practical application of due diligence measures”:
Internal controls/foreign branches and subsidiaries

(AML/CFT at group level)

  • Recommendation 18


 
Part I: Scope of application of the professional obligations, Chapter 2, Section 2: “Application of the professional obligations to foreign subsidiaries and branches of professionals carrying on their activities in Luxembourg”
Higher-risk countries

  • Recommendation 19

Part Il: Content of the professional obligations, Chapter 1:
Suspicious operations report

  • Recommendations 20 and 21

Part I: Scope of application of the professional obligations:
Transparency and beneficial owners of legal persons

  • Recommendation 24

Part II: Content of the professional obligations, Chapter 2, subsection 2: “Identification and verification of the identity of the beneficial owners”
Transparency and beneficial owners of legal arrangements

  • Recommendation 25

Part II: Content of the professional obligations, Chapter 2, subsection 2: “Identification and verification of the identity of the beneficial owners”

Survey of predicate offences to money laundering under Luxembourg law

The table below has been drawn up for information purposes only and does not claim to be exhaustive. Similarly, the description of the component elements of the offence is intended to be purely indicative.

Article 506-1 of the Penal Code contains an extended list of predicate offences, that is to say, offences the subject-matter or proceeds of which may give rise to a money laundering offence. The list consists of two parts: first, offences expressly designated as predicate offences, and second, an “open-ended” list defined according to a penalty threshold and including all offences punishable by a minimum term of imprisonment of more than six months.

The Law of 12 November 2004, as amended by the Law of 10 August 2018 modifying the Code of Criminal Procedure, requires professionals to submit a suspicious operations report to the Parquet (State Prosecutor’s Department) where they know, suspect, or have reasonable grounds for suspecting that money laundering, an associated predicate offence or terrorist financing is going on, has taken place or has been attempted, notably on account of the person concerned, its development, the origin of the funds, or the purpose, nature and procedure of the operation. Professionals are not obliged to actively look into the facts potentially constituting the money laundering, or to consider whether they are sufficiently conclusive to serve as the basis for an official investigation, or to characterise the facts in terms of criminal law, or to prove that they are true; that is a task for the competent judicial authorities.

Professionals will incur administrative sanctions if they fail to comply with the professional obligations linked to the Law of 12 November 2004. Legal persons may be fined up to a maximum of 5 000 000 euros or 10% of their total annual turnover. Natural persons may be fined up to a maximum of 5 000 000 euros.

Moreover, the latter will also be liable to criminal sanctions in the form of potential fines of between 12 500 euros and 5 000 000 euros, as introduced by the Law of 13 February 2018 partially transposing the Fourth Anti-Money Laundering Directive (EU) 2015/849.

The Luxembourg courts have imposed sanctions as provided for by law, notably in two cases.

In a judgment dated 25 April 2012, an accountant was fined 12 000 euros for acting for companies without knowing who their beneficial owners were.

– In a judgment dated 13 June 2013, an accounting professional was sentenced to a term of imprisonment (suspended) for forgery of documents and violation of Article 5(1) of the Law of 12 November 2004 as amended. The professional had drawn up a false statement concerning the origin of assets found by the Grand-Ducal Police in a car driven by the customer’s brother-in-law. The professional certified that the assets derived from the sale of a vehicle and issued a statement to that effect upon the presentation of a counterfeit invoice.

Given, moreover, that predicate offences of money laundering are not all of equal importance in the day-to-day activities of professionals from the standpoint of combatting money laundering and terrorist financing, the list of such offences is set out below in two parts:

  • first, the offences set out in Directive EU 2018/1673 of the European Parliament and of the Council of 23 October 2018 on combatting money laundering by criminal law (see Part 1 below);
  • second, offences not listed in that Directive, of a less relevant nature (see Part 2 below).

 

Part 1 – Relevant offences from the standpoint of combatting money laundering and terrorist financing

Classes of offencesDescription of the offenceReferences
Terrorism, including the financing thereof
Acts of terrorism: any crime or misdemeanour punishable by a term of imprisonment of a maximum of at least three years or a heavier penalty which, by its nature or context, may seriously prejudice a country or an international organisation and which is committed intentionally with a view to:

- seriously intimidating a section of the population;

- improperly compelling public authorities or an international organisation or body, to carry out, or refrain from carrying out, any act of whatever kind; or

- seriously destabilising or destroying any fundamental political, constitutional, economic or social structures of any country or international organisation or body;

- participation in a terrorist group: a terrorist group is any structured association composed of at least two persons, established over a period of time, with a view to committing in a concerted fashion one or more terrorist acts;

- terrorist financing: terrorist financing is any act whereby funds, assets or property are provided or brought together, directly or indirectly, by whatever means, unlawfully and with intent, with a view to their being used, or knowing that they will be used, wholly or in part, to commit one or more offences defined as acts of terrorism or as hostage-taking, even where they have not in fact been used to commit any of those offences;

  • terrorist bomb attacks:


(unlawfully and intentionally) supplying, planting, blowing up or detonating an explosive device or another lethal device in or against a public place, government installation or other public installation, transport system or infrastructure, with intent to cause death or grievous bodily harm or mass destruction in such place, where such destruction entails or threatens to entail substantial economic loss;

  • terrorism messages and terrorist recruitment and training:


making available to the public any message, including via electronic communications networks, with the aim of inciting, directly or indirectly, the commission of an offence linked to terrorist activities, calling for/participating in/committing an act of terrorist recruitment or training;

attacks on persons enjoying international protection (head of State, head of government or minister of foreign affairs, where such a person is present in a foreign State, and on members of his/her family accompanying him/her, or on any representative, public servant or official of a State, or any other agent of an intergovernmental organisation who is entitled to special protection against any attack on his person, freedom or dignity, as well as members of his/her family).
Article 506-1, first indent of the Penal Code (PC)

Articles 135-1 to 135-6 PC

 

 
See also FATF Special Recommendations on Terrorist Financing
 

 
See FATF Terrorist Financing Risk Assessment Guidance
 

 
 

Article 135-9 PC

 

 

Articles 135-11 to 135-13 PC

 

 

Article 112-1 CP
Acts of nuclear terrorism

  • possessing, making or using radioactive or nuclear materials, any explosive nuclear apparatus, any radioactive material dispersal or radiation-emitting device;

  • using any radioactive or nuclear device or material, and using or damaging any nuclear facility in a way which releases or risks the release of radioactive material, or threatening to commit one of those offences, where those acts are committed unlawfully and with intent to cause death or grievous bodily harm or substantial damage to property or to the environment.

Law of 29 July 2008 approving the International Convention for the Suppression of Acts of Nuclear Terrorism, opened for signature in New York on 14 September 2005.
Abduction, false imprisonment and hostage-taking

  • desertion of children;

  • abduction of a minor.


The predicate offence of abduction of a minor includes demanding a ransom or requiring an order to be carried out, or a condition to be met, which may procure a pecuniary advantage. It is in fact the proceeds of such a crime, the source of which the direct or indirect abductor will try to conceal, that explains why the offence of abduction of a minor is included amongst the predicate offences of money laundering;

  • abducting, or causing the abduction of, a child aged less than 7 years, even where the child has voluntarily gone with the abductor; concealing, or causing the concealment of, the existence of a child aged less than 7 years;

  • false imprisonment: unlawful and unjustified detention for a period of more than one month; unlawful and unjustified detention for a period of more than ten days of a person related to the offender;

  • violation by public servants of rights guaranteed by the Constitution; unlawful and unjustified detention for a period of more than one month of one or more persons by public servants;

  • forgery and the use of forgeries committed by means of the falsification of the signature of a public servant, permitting the unlawful and unjustified detention;

  • torture inflicted on an abducted person;

  • hostage-taking.

Article 360 PC

Articles 368 to 370 PC

 

 

Articles 364 and 365 PC

 

Articles 435 to 438-1 PC

 

 

Article 147, third paragraph, PC

 

Article 154 PC

 

Articles 438 and 438-1 PC

Article 442-1 PC
Non-accountability of resources, participation in an organised criminal group and participation in racketeering

  • not being able to justify resources corresponding to one's lifestyle or not being able to justify the origin of property held, while being in habitual relations with one or more persons who either commit crimes or offences punishable by a maximum of at least four years' imprisonment and providing them with a direct or indirect financial advantage, or who are the victims of one of these offences;

  • participation in a criminal association formed with intent to cause harm to persons or to violate property rights;

  • providing any such association with arms, ammunition, equipment for use in the commission of crimes, accommodation, refuge or a place in which to meet.


A criminal association is constituted by the existence of a group of persons formed with intent to cause harm to persons or to violate property rights. It does not necessarily entail the existence of any hierarchy or organic structure. It may even be said that the absence of a hierarchy is a characteristic of modern criminal associations. In order to play their role in such an association, the members do not need to know all the other members;

  • participation in a criminal organisation: a criminal organisation is a structured association composed of more than two persons, established over time with intent to commit, in a concerted manner, crimes and misdemeanours punishable by a term of imprisonment of a maximum of at least four years with a view to obtaining, directly or indirectly, pecuniary advantages.

Article 506-1, second indent, PC

Articles 322 to 324 quater PC
Trafficking in human beings and unlawful trafficking in migrants

  • recruiting, transporting, transferring, accommodating and/or receiving any person, or exercising or transferring control over them, with a view to:

  • the commission against that person of offences of procuring or sexual assault;

  • exploitation of the labour or services of that person in the form of forced or compulsory labour or services, servitude, slavery or similar practices and, generally, keeping him or her in conditions contrary to human dignity;

  • forcing him or her into a life of begging, exploiting his or her begging or placing him or her in the hands of a beggar to arouse sympathy amongst the public:

  • removal of organs or tissue in contravention of the applicable legislation;

  • causing that person to commit a crime or misdemeanour against his or her will.

Article 506-1, third indent, PC

 

Articles 382-1 and 382-2 PC

Articles 382-4 and 382-5 PC

 

Article 143 of the Law of 29 August 2008 on the free movement of people and immigration.
Sexual exploitation, including that of children

  • facilitating or promoting prostitution, sexual immorality or the corruption of minors;

  • exploitation of minors for the purposes of prostitution or the production of shows or material of a pornographic nature;

  • facilitating the entry, transit, stay or departure from the territory of a minor for the purposes of prostitution or the production of shows or material of a pornographic nature;

  • getting a person to work as a prostitute, or leading or luring a person into prostitution or sexual immorality, by means of fraud, violence, threats or abuse of official authority, or by any other means of constraint, or by exploiting the particularly vulnerable situation of a person;

  • facilitating the entry, transit, stay or departure from the territory of a minor for the purposes of prostitution or sexual immorality;

  • possessing, directly or through an intermediary, managing, running or operating a house of ill repute or brothel;

  • in the case of an owner, hotelier, landlord, inn-keeper or any other person, ceding, letting, making available or permitting the use of any premises in the knowledge that they are used or to be used for the exploitation of prostitution;

  • procuring:


This offence consists in getting a person to work as a prostitute, or leading or luring a person into prostitution or sexual immorality, either within the territory of the Grand Duchy or in a foreign country. The offence is also committed by anyone who facilitates the entry, transit, stay or departure of persons from the territory for the purposes of prostitution or sexual immorality.

The same applies as regards the act of possessing, running or making premises available to another for use as a house of ill repute or brothel, or indeed, permitting any premises to be operated for that purpose.

  • pornography involving or showing minors aged under 18 or a particularly vulnerable person, notably on account of that person's illegal or precarious situation, pregnancy, illness, infirmity or physical or mental handicap;

  • facilitating the entry, transit or illegal stay of a third country national.

Article 506-1, third indent, PC

Article 506-1, fourth indent, PC

 

Article 379 CP

 

 

Article 379 bis PC

 

 

Articles 383 to 383 ter PC
Illicit trafficking in drugs and psychotropic substances

  • the unlawful cultivation, production, manufacture, extraction, preparation, exporting, importing, selling, offering for sale or putting into circulation of psychotropic substances;

  • the unlawful transportation, despatch, possession or acquisition, for consideration or free of charge, of psychotropic substances for use by others;

  • acting, even on an occasional basis, as a dealer or intermediary with a view to the acquisition of psychotropic substances;

  • using such substances, as a group or in the presence of third parties;

  • facilitating the use of such substances, for consideration or free of charge, for example by procuring premises for that purpose;

  • producing or distributing propaganda or advertising in favour of such substances;

  • fraudulently causing such substances to be issued to oneself (fake prescription, prescription of convenience), or causing them to be issued on presentation of such fake prescriptions;

  • the administration of such substances by a doctor in such a way as to create, maintain or aggravate drug addiction;

  • making, transporting, distributing or possessing equipment, materials or psychotropic substances, knowing that they are to be, or are being, used in or for the illicit cultivation, production or manufacture of such substances;

  • refusing to undergo a medical examination where there are serious signs giving rise to a presumption that a person is carrying, on or in his body, drugs or toxic, soporific or psychotropic substances;

  • the illicit use by the staff of an educational establishment of toxic, soporific or psychotropic substances in such an establishment;

  • the illicit use by a doctor, dentist or pharmacist (or any other legally authorised depositary) of toxic, soporific or psychotropic substances in a prison facility, educational establishment or social services centre or in the immediate vicinity thereof or in any other place where schoolchildren or students pursue educational, sporting or social activities

Law of 19 February 1973 on the sale of medicinal substances and combatting drug addiction.

 

Article 506-1, 15th indent, PC

Law of 11 January 1989 regulating the marketing of chemical substances with therapeutic effects
Illicit arms trafficking

  • importing, manufacturing, transforming, repairing, acquiring, purchasing, possessing, storing, carrying, transferring, selling, exporting or trading in arms and ammunition designed to harm persons by means of lachrymatory, toxic, asphyxiating or inhibiting substances or similar substances, as well as their ammunition; arms and other devices designed to harm persons or property by fire or explosion, as well as their ammunition; knives with more than one edge, bayonets, swords, blades, sabres, spears, stilettos and throwing knives, pen-knives (…), and the spare parts needed for such arms and ammunition.


There are numerous exceptions to the definition of arms and ammunition, including hunting knives and arms that are antiques, artistic or decorative objects or objects intended to form part of a collection or array, etc.

  • the development, manufacture or assembly by any natural or legal person of prefabricated parts into a complete arm, the transformation, repair, acquisition, sale, use, possession, transportation, transfer, storage or retention by such persons of cluster munitions or explosive submunitions;

  • the financing by any natural or legal person, knowingly, of cluster weapons or explosive submunitions.

Article 506-1, seventh indent, PC

Law of 15 March 1983 on arms and ammunition.

 

 

 
Law of 4 June 2009 approving the Convention on Cluster Munitions, opened for signature in Oslo on 3 December 2008.
Illicit handling of stolen goods or other property

  • unauthorised searches or excavations aimed at discovering or bringing to light objects or sites of historic, prehistoric, palaeontological or other scientific interest;

  • unauthorised exporting of objects of cultural interest;

  • the intentional destruction, mutilation, degradation or disappearance of objects of historical or cultural interest;

  • the unauthorised importing, marketing or exporting of chemical substances having anti-infective, anti-parasite, anti-inflammatory, analgesic, neuroleptic, anaesthetic, hormonal, anti-hormonal, antibiotic or anabolic effects;

  • the removal of substances or organs from human beings in contravention of the law.

Article 506-1, indent 14, PC

Law of 21 March 1966 on:

(a) excavations of historic, prehistoric, palaeontological or other scientific interest,

(b) safeguarding movable cultural heritage.

 

Law of 11 January 1989 regulating the marketing of chemical substances with therapeutic effects.

Law of 25 November 1982 regulating the removal of substances of human origin.
CorruptionThe offence of corruption covers both active corruption (caused by an act of the bribe-giver) and passive corruption (caused by an act of the bribe-taker), and both corruption in the public sector and corruption in the private sector:

(1) Corruption in the public sector:

(a) This concerns:

  • persons, depositaries or agents of public authorities or law-enforcement agencies, or entrusted with a public service mission, or on whom a public electoral mandate has been conferred, including those of other States;

  • judges and law officers, and any other person sitting as a court, including those of another State, any arbitrator or expert appointed either by a court or by the parties, non-professional members of a collegiate body called upon to adjudicate on the outcome of a dispute, or acting in an arbitral capacity subject to the rules on arbitration of another State or of an international public organisation;

  • officials and members of the Commission of the European Communities, the European Parliament, the Court of Justice and the Court of Auditors of the European Communities;

  • officials and agents of any other international public organisation, persons who are members of a parliamentary assembly of an international public organisation and persons exercising judicial or registry functions within another international court or tribunal.


(b) Elements constituting the offence:

  • soliciting or approving, proposing or granting, without the right so to do, directly or indirectly, for oneself or for another, any offer, promise, gift, present or advantage of whatever kind, with the intention of either carrying out, or refraining from carrying out, an act in the performance of one's function, mission or mandate or an act facilitated by that function, mission or mandate; or exploiting one's actual or presumed influence with a view to obtaining from a public authority or administrative body any distinction, employment or contract, or any other favourable decision;

  • using threats, violence or other act of intimidation with the same aim.


The predicate offence which may give rise to the crime of money laundering is particularly evident in the case of passive corruption, given that it is the concealment by the bribe-taker of the origin of the pecuniary advantage which he derives from the corruption that constitutes the offence of money laundering. It should be noted that corruption is particularly difficult to pinpoint. Leaving to one side cases of passive corruption, the possibility cannot be ruled out that a professional may be called upon to take cognisance of situations involving active corruption. It will not be easy for that professional to pinpoint a single triggering event. The discovery of acts of corruption will emerge most frequently from analysis of a range of indicia (e.g. account movements, copies of contractual agreements, etc.). Corruption may be found to exist, for example, where an agent or public official contrives to be granted a sum of money in return for the award of a contract.

(2) Corruption in the private sector:

  • this occurs where any person acting as a director or manager of a legal person, or as a proxy or servant of a legal or natural person, solicits or accepts, directly or through any other person or persons, any offer, promise or advantage of any kind, either for himself or for a third party, in return for doing or refraining from doing any act falling within the ambit of his functions or which is facilitated by those functions, without the knowledge and without the authorisation, as the case may be, of the board of directors or the general meeting, or of the principal or the employer;

  • it also occurs where someone proposes, directly or through another, to any person acting as a director or manager of a legal person, or as a proxy or servant of a legal or natural person, any offer, promise or advantage of any kind, whether for the benefit of the offeree or another, in return for the offeree doing or refraining from doing any act falling within the ambit of his functions or which is facilitated by those functions, without the knowledge and without the authorisation, as the case may be, of the board of directors or the general meeting, or of the principal or the employer.


This covers not only professional activities but also work done free of charge, as well as relationships arising from other types of contracts, such as contracts for the supply of services entered into between an independent service provider and his/her customer.
Article 506-1, sixth indent, PC

Articles 246 to 253 PC and the Law of 23 May 2005 approving:

(a) the Convention on the fight against corruption involving officials of the European Communities or officials of the Member States of the European Union;

(b) the Second Protocol to the Convention on the protection of the European Communities' financial interests;

(c) the Criminal Law Convention on Corruption;

(d) the Additional Protocol to the Criminal Law Convention on Corruption, and amending and supplementing certain provisions of the Penal Code.

 

 

Article 240 PC

 

 
Articles 310 and 310-1 PC
Fraud (1) Bankruptcy:

  • negligent (simple) bankruptcy and fraudulent bankruptcy:


This offence is committed by the managers of legal persons which are the subject of an insolvency procedure where they are guilty of serious incompetence (negligent bankruptcy) or have committed acts of criminal mismanagement (accounting embezzlement, misappropriation of assets, etc.) (fraudulent bankruptcy);

  • the abstraction, concealment or conversion, by or for the bankrupt, of all or any part of the goods or moveable or immoveable property involved;

  • making a fraudulent claim in the bankruptcy, either in one's own name or through others, in respect of alleged or exaggerated debts due;

  • where the creditor, either together with the bankrupt or with any other person or persons, seeks to claim any special advantages by reason of the vote cast by him in the deliberations relating to the bankruptcy, or enters into a special deal resulting in any advantage in his favour at the expense of the bankrupt's assets;

  • misconduct on the part of the administrator of the bankruptcy in his management thereof.


(2) Misappropriation (“abus de confiance”):

  • converting or dissipating, to the detriment of another, any bills of exchange, moneys, goods, notes, receipts or written documents of any kind containing or giving effect to any obligation or discharge which had been handed over on condition that they were to be returned or used for a particular purpose;

  • obtaining credit by fraud in a hotel or restaurant, etc.: with fraudulent intent, and without paying the price, ordering any food or drink and consuming it on the premises, procuring accommodation in an hotel or transportation in a taxi, filling up with fuel or lubricants, in a service station, the tank(s) of any vehicle or any other tank(s);


 

  • fraudulently exploiting the ignorance or weak situation either of a minor, or of a person whose particular vulnerability, due to his or her age, an illness or infirmity, or a physical or mental handicap, is apparent or known to the perpetrator, or of a person in a state of psychological or physical subjection resulting from the exercise of serious or repeated pressure or techniques likely to affect his or her judgement, with intent to lead that minor or that person into an act, or an abstention from acting, which is seriously prejudicial to him or her;


 

  • supplying credit at a rate exceeding the statutory interest rate (usury) and exploiting the needs or passions of the borrower;

  • malevolently or fraudulently misusing a certificate, document or pleading after having produced it in a legal dispute.


(3) Obtaining by false pretences:

  • with a view to appropriating unto oneself a thing belonging to another, securing the handing-over or delivery unto oneself of any funds, moveable property, bonds, receipts or discharges, either by using a false name or claiming a false position, or by employing fraudulent practices to persuade others of the existence of false undertakings or of a fictitious power or credit, so as to create the hope or fear of some success, accident or other illusory event, or to abuse another person's trust or credulity.


 

(4) Fraud on the financial interests of the State and of international institutions:

  • making false or incomplete statements with a view to obtaining or retaining any subsidy, compensation or other allowance borne or to be borne wholly or in part by the State, by a legal person governed by public law or by an international institution;

  • wrongfully receiving a subsidy, compensation or allowance as a result of a false or incomplete statement;

  • using a subsidy, compensation or allowance for purposes other than those for which it was initially granted;

  • wrongfully accepting or retaining any subsidy, compensation or other allowance;

  • making false or incomplete statements or omitting to communicate any information in breach of a specific obligation, with a view to avoiding or reducing one's legal contribution to the budgetary resources of an international institution;

  • misusing any advantage that has been legally obtained and causing an unlawful diminution in the budgetary resources of an international institution.

Article 506-1, 10th indent, PC

Articles 489 and 490 PC

 

 

 

 

 

Articles 491 to 496 PC

 

 

 

 

Article 506-1, fifth indent, PC

Articles 496-1 to 496-4 PC

(obtaining subsidies and funding by false pretences)
Misuse of a company's property or credit for personal advantageThis offence is committed where a de jure or de facto company manager, acting in bad faith,

  • uses the company's property or credit in a way which he or she knows to be contrary to its interests, for personal advantage or for the benefit of another company or undertaking in which he or she holds a direct or indirect interest;

  • uses powers which he or she possesses, or voting rights held by him or her, in that capacity, in a way which he or she knows to be contrary to the company’s interests, for personal advantage or for the benefit of another company or undertaking in which he or she holds a direct or indirect interest.


The term “use”/“uses” is to be understood here as meaning not only the appropriation or dissipation of an item of property but also the mere utilisation or administration of that item of property. Such use is improper when it is contrary to the interests of the company, that is to say, when it prejudices its corporate assets or needlessly exposes the company to abnormal and serious risks. The allocation of funds deriving from a contract entered into by the company to a private account constitutes an appropriation of property adversely affecting the company's assets (judgment of the Luxembourg District Court of 22 April 1999, p. 31, at p. 81.)
Article 506-1, 25th indent, PC

Article 1500-11 of the Law of 10 August 1915 on commercial companies
False accounting

  • Committing forgery with fraudulent intent or with intent to cause damage, in the balance sheets or the profit and loss accounts of companies (false signatures, alteration of entries).

Article 506-1, final indent, PC

Article 1500-8 of the Law of 10 August 1915 on commercial companies
Insider trading and market manipulation

  • This offence is committed where a person, acting in his or her capacity as a member of the administrative, management or supervisory body of the issuer, or by reason of his or her participation in the capital of the issuer or his or her access to information on account of his or her work, profession or functions, or as a result of his or her criminal activities, possesses privileged information and uses that information by purchasing or selling, or attempting to purchase or sell, for his/her own account or for the account of another, whether directly or indirectly, the financial instruments to which that information relates;

  • It is also committed where such a person communicates any privileged information to another person, otherwise than in the normal context of the performance of his or her work, profession or functions; or recommends to another person that the latter should buy or sell, or cause to be bought or sold by another person, on the basis of privileged information, the financial instruments to which that information relates;

  • It also covers market manipulation.

Article 506-1, 24th indent, PC

Article 16 et seq. of the Law of 23 December 2016 on market abuse
Criminal tax offences (linked to direct and indirect taxes)

  • Aggravated tax fraud and tax evasion in relation to direct taxes, VAT and registration fees and succession duties:


 

Constituent elements of the offence of aggravated tax fraud:

 

Where the fraud concerns an amount of tax greater than one quarter of the annual tax actually due, without being less than 10 000 euros, or reimbursement of undue payments greater than one quarter of the annual refund actually due, without being less than 10 000 euros, or where the amount of annual tax actually due or the annual reimbursement to be made is greater than 200 000 euros, it will be punishable as aggravated tax fraud.

It follows that tax fraud is aggravated where it exceeds two thresholds:

  • either the fraud concerns taxes which would have been due (at least 10 000 euros); or

  • the individual concerned saves over 200 000 euros.


 

Constituent elements of the offence of tax evasion:

This offence is committed where:

  • a person systematically employs fraudulent practices with intent to conceal relevant facts from the administrative authorities or to persuade them of incorrect facts, and


 

  • the fraud thus committed or attempted relates, per reporting period or operative event, to a significant amount, either in terms of the absolute amount thereof or in relation to the sums due,


 

on the basis that the offences include:

  • a material element: obtaining a tax advantage or a diminution in the tax collected;

  • a moral element: intentional concealment


 

See also CSSF Circular 17/650 of 17 February 2017 and the list contained therein of indicators of the above-mentioned offences

(See also judgments Nos 353/2002 of 14 February 2002 and 1344/2008 of 24 April 2008)
Article 506-1, 25th to 27th indents, PC

(introduced by the Law of 23 December 2016) 

 

  • Fifth and sixth subparagraphs of paragraphs 396 and 397 of the General Tax Law (Abgabenordnung)

  • First and second paragraphs of Article 29 of the Law of 28 January 1948, as amended, designed to ensure the just and correct collection of registration fees

  • First paragraph of Article 80 of the Law of 12 February 1979 on value added tax, as amended

Cybercrime

  • Fraudulently accessing or maintaining all or part of an automated system for the processing or transmission of data;

  • hindering or distorting the functioning of an automated system for the processing or transmission of data;

  • intentionally, and disregarding the rights of others, introducing data into an automated system for the processing or transmission of data which suppress or modify the data contained therein or the methods of processing or transmitting them;

  • intentionally, and disregarding the rights of others, intercepting data in the course of their non-public transmission to, from or within an automated system for the processing or transmission of data;

  • misuse of a device: producing, selling, obtaining, possessing, importing, disseminating or making available, with fraudulent intent, a computer device with a view to the commission of one of the offences referred to in Articles 509-1 to 509-4 or any electronic key allowing access, to the detriment of rights of others, to all or any part of an automated system for the processing or transmission of data;

  • commercial spam (unsolicited commercial communications):


This applies to any service provider who fails to respect the desire of persons registered on one or more lists to opt out of continuing to receive such commercial communications;

  • unsolicited communications (systems for the making of unsolicited calls and the despatch of unsolicited communications for the direct marketing purposes):


This involves a prohibition against engaging in such communications by disguising/misrepresenting the identity of the person making them and without the prior consent of the person contacted, or the prior (voluntary) supply by that person of his/her e-mail address.
Article 506-1, 11th indent, PC

Articles 509-1 to 509-7 PC

 

 

Article 506-1, 12th indent, PC

Article 48 of the Law of 14 August 2000 on electronic trading

 

Article 506-1, 13th indent, PC

Article 11(6) of the Law of 30 May 2005 on protection of privacy in the electronic communications sector
Theft and other crimes against property

  • Theft committed without violence or menaces;

  • theft committed by breaking and entering, climbing into premises or using duplicate keys; theft committed by a public servant abusing his or her  functions; theft involving the use of an allegedly authentic but actually inauthentic order of a public authority;

  • theft committed with violence or menaces;

  • extortion;

  • murder committed to facilitate theft or extortion;

  • handling stolen goods, where the penalty applicable to perpetrators of the crime is life imprisonment;


 

  • in the case of judicial seizure of property, fraudulent misuse or destruction of moveable objects by the person from whom they are, or are to be seized; damage to, or the destruction of, any immoveable property seized; degradation of, or the destruction or misuse of, any objects given by way of security by the debtor or borrower or by a third party pledgor;


 

  • deliberately setting fire to inhabited premises;


 

  • destroying or knocking down any edifice, bridge, dam, dyke or embankment, roadway, railway or other construction belonging to another person;


 

  • destroying any “steam-driven engine” (and by extension sabotaging any machines, electric motors, electrical installations operated by means of electric motors, etc.) where the offence is committed by a group of persons, or using violence, assault or menaces;

  • destroying, degrading or damaging any moveable property of another person, where this is done by a gang or band, or using violence or menaces; murder committed in order to facilitate such destruction or damage, or to ensure that it is done with impunity;

  • flooding all or any part of any mine workings, with wrongful or fraudulent intent.

Article 506-1, ninth indent, PC

Article 506-1, 25th indent, PC

 

Articles 463 and 464 PC

 

Article 467 PC

 

Articles 468 to 474 PC

Article 470 PC

 

Article 475 PC

 

Article 506 PC

 

 

Article 507 PC

 

Articles 510 to 513 PC

 

Article 521 PC

 

Article 525 PC

 

Articles 529 to 532 PC

 

Article 547 PC
Forging (counterfeiting) currency

  • Counterfeiting or tampering with coins that are legal tender in the Grand Duchy or abroad;

  • participation in the issue of coins which are counterfeit or have been tampered with, or in the introduction thereof on Luxembourg territory;

  • counterfeiting or falsifying banknotes that are legal tender in the Grand Duchy or abroad;

  • counterfeiting or falsifying certificates representing property rights, debts receivable or transferable securities legally issued by a legal person governed by Luxembourg public law or the public law of a foreign State, or by an international financial institution;

  • counterfeiting or falsifying certificates representing property rights, debts receivable or transferable securities legally issued by a legal person governed by Luxembourg private law or the private law of a foreign State, or by a natural person;

  • counterfeiting or falsifying any tangible payment instrument protected against fraudulent imitation which can be used to effect transfers of money or money's worth, such as credit cards, Eurocheque cards or other cards issued by financial institutions;

  • knowingly receiving, possessing, transporting, importing, exporting or procuring any such banknotes or certificates representing property rights, debts receivable or transferable securities which have been counterfeited or falsified, and putting them into circulation.

Article 506-1, 25th indent, PC

Articles 162 to 178 PC
Product counterfeiting and piracy(1) Product piracy

  • placing, or causing to be placed by way of addition or removal, or by any alteration whatsoever, on manufactured objects, the name of a manufacturer other than the true manufacturer thereof, or the trading name of a factory other than that which manufactured the objects in question.


(2) Use and disclosure of commercial or industrial secrets

  • this offence is committed where an employee, worker or apprentice of a commercial or industrial undertaking, whether with a view to competition, or with intent to harm his or her boss, or to procure an unlawful advantage, uses or discloses, during his or her engagement or within two years after the end thereof, any business secrets or manufacturing secrets coming to his or her knowledge by reason of his or her situation;

  • it is also committed where someone, having gained knowledge of business secrets or manufacturing secrets belonging to another person, uses or discloses those secrets, either through the intermediary of an employee, worker or apprentice or by means of an act contrary to the law or morality, whether with a view to competition, or with intent to harm the person to whom the secrets belong, or to procure an unlawful advantage;

  • in addition, it is committed where a person, without having the right so to do, uses or communicates to another person any models, designs or patterns which have been entrusted to him or her for the carrying-out of special or industrial orders, whether with a view to competition, or with intent to harm the person to whom they belong or to procure an unlawful advantage.


(3) Copyright infringement

  • any wrongful or fraudulent infringement of copyright, related rights or the rights of database producers;

  • selling, offering for sale, importing, exporting, fixing, reproducing, communicating, transmitting, making available to the public or generally putting or re-introducing into circulation, whether for consideration or free of charge, any work, supply or database without the authorisation of its author, the holder(s) of any related rights or the database producer;

  • knowingly making available to the public any phonograms, videograms, CD‑ROMs, multimedia or other media, programs or databases produced, without the authorisation of the copyright holder, the holder(s) of any related rights or the database producers;

  • reproducing any protected work, supply or database in order to digitalise, memorise, store, distribute or inject it or, generally, to make it possible for the public to access it, or communicating it to the public;

  • wrongfully or fraudulently applying to a protected work or database the name of an author or of the holder of any related rights or any sui generis right of a database producer, or any other distinctive sign adopted by that author or holder in order to designate his work, supply or database;

  • wrongfully or fraudulently applying, on the occasion of a supply by a holder of related rights or by a database producer, or on the medium containing that supply, the name of a holder of related rights or of any sui generis right of a database producer, of any distinctive sign adopted by the latter;

  • selling, offering for sale, importing, exporting, fixing, reproducing, communicating, transmitting, making available to the public or generally putting or re-introducing into circulation, whether for consideration or free of charge, any work, supply or database to which the name of an author or of the holder of any related rights or of any sui generis right of a database producer, or any other distinctive sign adopted by that author or holder in order to designate his work, supply or production, has been applied.

Article 506-1, eighth indent, PC

Article 169 et seq. PC

 

 

 

 

Article 309 PC

 

 

 

Articles 82 to 85 of the Law of 18 April 2001 on copyright, related rights and databases
Environmental crimes

  • erecting any construction in contravention of the law;

  • depositing refuse or waste outside the places specially designated for that purpose;

  • destroying or changing biotopes such as ponds, wetlands, marshes, springs, dry grasslands, moors and heaths, bogs, ground cover made up of reeds or rushes, hedges, scrub or thickets;

  • possessing, purchasing, transporting, importing, exporting, peddling, exchanging, offering for sale or exchange, or selling any protected plants or specimens of protected plants, or destroying any such plants or specimens;

  • purchasing, transporting, importing, exporting, exchanging, or offering for sale or exchange any protected animal, or killing, hunting, capturing, keeping or stuffing any such animal, intentionally destroying or collecting their eggs in the wild or damaging or destroying their breeding grounds or rest and hibernation areas;


 

  • polluting the atmosphere in conditions contrary to the law;

  • contravening any laws relating to classified establishments, in particular those laying down the conditions in which certain industrial, commercial or artisanal establishments, whether public or private, or of any installations, activities or related activities or processes, or the existence, exploitation or operation thereof, may endanger or pose any  drawback in relation to the environment;


 

  • throwing, depositing or introducing, directly or indirectly and intentionally or inadvertently, into any surface waters or subterranean waters any solid, liquid or gaseous substances which are polluted, polluting or likely to pollute;

  • directly or indirectly abstracting any water or solid or gaseous substances from surface waters;

  • cleaning motor vehicles, machines or other similar devices, or working on them, in the immediate vicinity of any waters;


 

  • carrying out any movements of waste which are not in conformity with the national waste management plan;

  • failing to comply with:


(a) the applicable obligations in respect of waste, in particular, the obligation requiring holders of waste either (i) to hand that waste over to a public or private waste collector or to an undertaking engaged in recycling or disposal operations, provided such collector or undertaking holds the requisite authorisation for that purpose, or (ii) to undertake themselves the collection, recycling and disposal of the waste in conformity with the applicable legal requirements;

(b) the obligation to separate, or not to mix, the different types of waste when getting rid of them, in particular into the hands of the collector or transporter, to the extent that the separate processing of different categories of waste is required for the purposes of recycling and disposal; and

(c) the obligation to get rid of waste intended for separate collection in a place or facility designed to be used for that purpose;

 

  • contravening the statutory provisions on classified establishments (building consents, authorisations, operating permits);


 

  • placing any biocidal product (a chemical product designed to destroy, repel or neutralise harmful organisms, to prevent them from acting or to combat them) on the market without authorisation; placing on the market, without authorisation, any active substance designed for use in relation to biocidal products; providing the Ministry with incorrect information likely to result, for the product or substance concerned, in the imposition of less stringent conditions for its marketing or use, or to conceal known information;


 

  • the discharge by ships of polluting substances where this is done intentionally and (a) causes significant damage to water quality and the ecological functions of the natural environment or (b) causes the death of one or more persons or serious injury to one or more persons.

Article 506-1, 18th indent, PC

Article 65 of the Law of 19 January 2004

  • on the protection of nature and of natural resources;

  • amending the Law of 12  June 1937, as amended, on the planning of towns and of other large conurbations;

  • supplementing the Law of 31  May 1999, as amended, setting up a fund for the protection of the environment.


 

Article 506-1, 19th indent, CP

Article 9 of the Law of 21 June 1976 on combatting atmospheric pollution

Law of 10 June 1999 on classified establishments

 

Article 506-1, 19th indent, PC

Article 26 of the Law of 29 July 1993 on the protection and management of water

 

Article 506-1, 22nd indent, PC

Article 35 of the Law of 17 June 1994 on the prevention and management of waste

 

Article 506-1, 22nd indent, PC

Article 25 of the Law of 10 June 1999 on classified establishments, as amended

 

Article 18 of the Law of 24 December 2002 on biocidal products

 

Article 4 of the Law of 2 April 2008 on pollution caused by shipping
Smuggling

  • fraudulent contravention of the customs and excise laws: the importation, exportation or transit, without a declaration or with a declaration but under cover of authorisations that are false or have been obtained fraudulently, of any goods, whether or not liable to duties, which are subject, even on a temporary basis and for any reason whatever, to any prohibition, restriction or controls, upon entry or exit or when in transit, across all frontiers or part thereof, with a view to the fraudulent withholding of duties payable to the Treasury.

Article 506-1, 23rd indent, PC

Articles 220 and 231 of the General Law on customs and excise
ExtortionThis offence is committed by anyone who, using violence or menaces, extorts either the handing over of funds, securities, chattels or electronic keys or the signature or handing over of a written document, deed or instrument, or any other document of whatever kind, containing or giving effect to any obligation, disposal or discharge, and is punishable by one of the penalties listed in Articles 468, 471, 472, 473, 474 and 475, according to the distinctions set out therein.

Any person who, using a written or oral threat to make any slanderous or defamatory revelation or allegation, extorts either the handing over of funds, securities, chattels or electronic keys or the signature or handing over of any document referred to above shall be liable to a term of imprisonment of between one and five years and a fine of between 500 and 30 000 euros.

Any attempt to commit such offence shall be punishable by a term of imprisonment of between six months and three years and a fine of between 251 and 10 000 euros.
Articles 470 and 475 PC
ForgeryForgery committed with fraudulent intent or with intent to harm:

  • forgery committed by any public servant or officer in the performance of his or her duties, whether by means of a fake signature, or by tampering with any deed, instrument, written document or signature, or by impersonation, or by any writing done or inserted in any register or other public document, from the time when it is drawn up or closed. Such forgery is also committed where the substance or circumstances of a document are falsified either by writing into it agreements other than those outlined or dictated by the parties or by declaring facts to be true which are not;

  • forgery committed by any person: forgery in officially or notarially recorded documents or other public documents; forgery in commercial or bank documents or in private documents, including electronic privately executed documents, or by means of a fake signature, or by counterfeiting or tampering with any writing or signature, or by fabrication of any agreements, disposals, obligations or discharges, or by retrospectively inserting them in instruments or other documents, or by adding or tampering with clauses, statements or matters which those instruments or documents were intended to contain or record.


The entry in a bank's books of account of deposits in the name of a fictitious customer, with a view to securing unlawful profits, constitutes fabrication of a fake deposit agreement by distortion of matters which those books were intended to contain and record (judgment of the Luxembourg District Court of 16 November 1948, p. 14, at p. 464).

The offence of forging a written document presupposes thefulfilment meeting of four conditions: (i) the existence of a written document protected under criminal law; (ii) distortion of the truth; (iii) fraudulent intent or intent to cause harm; and (iv) damage or the possibility of damage. Fraudulent intent is defined as an intention to design or intent to procure, for oneself or another, an unlawful advantage of any kind. These conditions are met where a co-holder of a joint account, with a view to drawing on the money deposited in it, fabricates a statement annulling the agreement whereby the signatures of all the holders of the current account must appear on transfer orders, and the bank's employees to whom the false statement is presented are both misled and prompted to align their attitude to the content of the false statement in question, by accepting transfer orders bearing only the signature of the accused (judgment of the Luxembourg District Court of 22 April 1999, p. 31, at p. 82).

  • uttering a forged document;

  • the issuing by a public servant, prompted by gifts or promises, of a passport, hunting or fishing permit, passbook/paybook or waybill to a person whom he or she does not know, without satisfying him/herself as to the latter's name and status/position/capacity;

  • the false certification by a doctor, surgeon or other medical officer, prompted by gifts or promises, of any illness or infirmity with the aim of exempting a person from some service legally owed or from any other obligation imposed by law;

  • the issuing by a public servant or officer, in the exercise of his/her functions, of a false certificate or the falsification of a certificate by such a servant or officer, or the use by him/her of a false or falsified certificate;

  • forgery committed in any telegram by a public servant (employee) or agent of a telegraph service;

  • uttering any forgery committed in a telegram;


 

  • perjury/false testimony in a criminal case, either against the accused or in one's own favour;


 

  • the making of any false statement in a criminal case by an interpreter or expert, either against the accused or in one’s own favour.

Articles 193 to 212 PC

 

 

Articles 215 to 217 CP

 

Article 221 CP
Piracy

  • deliberately compromising the navigability or aeronautical safety of an aircraft;

  • seizing an aircraft, exercising control over it or diverting it from its route without the right so to do, using trickery, violence or threats;

  • an act of piracy committed against a vessel or any persons on board, or against persons or property, on the high seas or in a place not falling within the jurisdiction of any State.

Article 31 of the Law of 31 January 1948 on the rules governing air traffic

 

Merchant Navy Disciplinary and Penal Code
Murder and grievous bodily harm

  • intentional homicide (murder);

  • premeditated murder;

  • parricide (murder of one's father, mother or other legitimate or illegitimate ascendants);

  • infanticide;

  • poisoning;

  • deliberately striking or wounding which results in an illness which appears to be incurable or permanent unfitness for personal work, or the total loss of use of an organ, or serious mutilation;

  • deliberately striking or wounding which results in death;

  • striking or wounding a child aged less than 14 years, or depriving such a child of healthcare or food/drink;

  • administering substances which cause an incurable illness or permanent unfitness for personal work, or the total loss of use of an organ;

  • administering any substance which causes death, without intending so to do;

  • preparing any food, drink, medication, articles of consumption or clothing, or cosmetic products (…), in such a way as to render them dangerous or harmful to human health; selling or distributing, offering for sale, or possessing or transporting such products or articles with a view to their sale or distribution, knowing that they are dangerous or harmful to human health; procuring or selling materials for use in the fabrication of such products or articles, where doing so results in the death of a person, or in an illness which appears to be incurable, or permanent unfitness for personal work, or serious mutilation, or the total loss of use of an organ;

  • hindering the circulation of traffic on a railway (placing objects on the rails, or interfering with railway tracks or their supports), whether or not this results in injury or death;

  • striking or wounding with aforethought any person who is related to the offender, or any vulnerable person, or any person in a subordinate position vis-à-vis the offender;

  • murder by duelling; inciting a person to take part in a duel which results in death;

  • violating or profaning any tomb, grave or monument erected in memory of the dead, accompanied by an assault on the integrity of the corpse;

  • serious infringements of the 1949 Geneva International Conventions (concerning the treatment of prisoners of war and the protection of civilians in time of war), adversely affecting persons or property protected by those Conventions: intentional homicide, torture or inhuman treatment, serious assaults causing bodily harm or harm to health, deportation, detention, hostage-taking, (…) or the destruction or appropriation of property where this is not justified by military necessity and carried out on a large scale.

Article 393 PC

Article 394 PC

Article 395 PC

 

Article 396 PC

Article 397 PC

 

Article 400 PC

 

Article 401 PC

 

Article 401 bis PC

 

Article 403 PC

 

Article 404 PC

 

Law of 25 September 153 on the reorganisation of controls in respect of foodstuffs, drinks and everyday products

 

Articles 406 to 408 PC

 

Articles 409 and 410 PC

 

Article 430 PC

Article 453 PC

 

Law of 9 January 1985 to suppress serious infringements of the Geneva International Conventions of 12 August 1949

 

 Part 2- Offences of a less relevant nature in the context of combatting money laundering and terrorist financing

Genocide, crimes against humanity, war crimes, and the crime of aggression- genocidal act: the intent to destroy, wholly or in part, a national, ethnic, racial or religious group, by committing one of the following acts:

(a) murder of members of the group;

(b) serious assault on the physical or mental integrity of members of the group;

(c) intentional submission of the group or members thereof to living conditions which are such as to result in their total or partial physical destruction;

(d) measures designed to hinder births within the group;

(e) forcible transfer of children from the group to another group;

- crimes against humanity: any of the following acts where it is committed in the context of a generalised or systematic attack on any civil population and in the knowledge of that attack:

  1. murder;

  2. extermination;

  3. enslavement;

  4. deportation or forcible transfer of a population;

  5. imprisonment or any other form of serious deprivation of physical liberty in breach of fundamental provisions of international law;

  6. torture;

  7. rape, sexual slavery, forced prostitution, forced pregnancy, forced sterilisation or any other form of sexual violence of comparable seriousness;

  8. persecution of any group or community on political, racial, national, ethnic, cultural, religious or sexist grounds, or on the basis of other criteria universally recognised as inadmissible in international law, in correlation with any act referred to in Articles 136 bis, 136 ter or 136 quater;

  9. forced disappearance of persons;

  10. the crime of apartheid;

  11. other inhuman acts of an analogous nature intentionally causing great suffering or grievous bodily harm or harm to physical or mental health;


- war crimes, that is to say:

  1. any act provided for by the Geneva International Conventions of 12 August 1949, as approved by the Law of 23 May 1953;

  2. any act constituting a serious violation of the laws and customs applicable to armed conflict, whether or not international, in the established context of international law;

  3. in the case of an armed non-international conflict, serious breaches of Common Article 3 to the four Geneva Conventions of 12 August 1949, namely one of the following acts, committed against persons taking no direct part in the hostilities, including members of armed forces who have laid down their arms and those placed hors de combat by sickness, wounds, detention or any other cause:


- the crime of aggression, that is to say, the planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.
Articles 136 bis to 136 quinquies PC
Crimes against State security

  • attempts on the life of, and plots against, the Grand Duke, the royal family and/or the form of the Government;

  • crimes against the external and internal security of the State;

  • treason and sabotage of national defence, insubordination and revolt in time of war, by a member of the armed forces.

Articles 101 to 112 PC

Articles 113 to 118 ter and 121, first paragraph, 121 bis, 122, 123 and 123 quater PC; Articles 124 to 135 PC

Law of 31 December 1982 on the recasting of the Military Penal Code
Crimes against public order(1) Plotting:

  • collusion between the civil authorities and the armed forces or their chiefs with a view to taking measures against the enforcement of a law or Grand-Ducal order or decree;

  • plotting to the detriment of State security between the civil authorities and the armed forces or their chiefs.


(2) Misuse or destruction of deeds, instruments and certificates:

  • the misuse by any depositary or agent of a public authority or law enforcement agency, or by any person charged with a public service mission, of any public or private monies, bills of exchange used in lieu thereof, documents, certificates, instruments, deeds or chattels in his or her hands;

  • the destruction or fraudulent suppression by any depositary or agent of a public authority or law enforcement agency, or by any person charged with a public service mission, of any deeds, instruments or certificates deposited with him or her or communicated to him or her by reason of his or her office or position.


(3) Extortion or dishonest receipt of money by a public officer:

Extortion/dishonest receipt of money using violence or threats by any depositary or agent of a public authority or law enforcement agency, or by any person charged with a public service mission or on whom a public electoral mandate has been conferred:

  • ordering the collection of, demanding or receiving, any sums in respect of duties, fees, taxes, contributions, moneys, revenues or interest, salaries or emoluments, in the knowledge that the sums in question are not due or exceed what is due;

  • granting any exemption from liability to pay any public duties, contributions, taxes or fees, in contravention of the applicable legislation or regulations.


(4) Abuse of official authority:

  • this offence is committed where a public official or Government agent or servant, regardless of his or her capacity or grade, requests or orders, or causes to be requested or ordered, any action by, or the use of, a law enforcement agency to prevent the enforcement of a law or Grand-Ducal order or decree, or the collection of any tax legally introduced, or the enforcement of any judicial order or warrant or any other order emanating from a public authority.


(5) Acts of torture:

  • this offence is committed where a depositary or agent of a public authority or law enforcement agency, or any person charged with a public-service mission, or anyone acting at the instigation or with the express or tacit consent of any such person, inflicts on any person acts of torture, causing the latter severe pain or suffering, whether physical or mental, inter alia with a view to obtaining from him or her information or a confession, punishing him or her for an act committed or suspected to have been committed by him or her or by a third party, or intimidating or placing pressure on him or her or on a third party.


(6) Rebellion:

  • rebellion (armed resistance with violence or menaces) committed by two or more persons, whether or not planned between them in advance, against employees or agents of the State acting in the enforcement of any laws, orders or ordinances of public authorities, judicial warrants or court judgments.

Article 234, third paragraph, PC

 

 

Article 235 PC

 

 

 

Article 240 PC

 

 

Article 241 PC

 

 

Article 243, second and third paragraphs, PC

 

 

Articles 254 to 260 PC

 

 

Articles 260-1 to 260-4 PC

 

 

Article 272 PC
Crimes against family order and public morality

  • causing or attempting to cause a pregnant woman to have an abortion against her will;

  • concealment of birth, substitution of one child for another, or attributing a child to a woman who has not given birth; commissioning the performance of such acts, where they are actually carried out;

  • bigamy.

Articles 348 to 352 PC

 

Article 363 PC

 

Article 391 PC
Undermining the administration of justice by the International Criminal Court

  • perjury by a person who has sworn or otherwise undertaken to tell the truth;

  • knowingly producing evidence which is false or falsified;

  • procuring a person to give false evidence; manoeuvres designed to prevent a witness from appearing or testifying freely;

  • reprisals against a witness on account of his or her testimony; destruction or falsification of evidence, or impeding the gathering of such evidence;

  • intimidation of a member or agent of the court, impeding action by such member or agent, or influence peddling designed to prompt him or her, by constraint or persuasion, not to perform his or her duties or not to perform them as they should be performed;

  • reprisals against a member or agent of the court on account of the functions exercised by him or her or by another member or agent;

  • the soliciting or acceptance by a member or agent of the court of any unlawful remuneration in the context of his or her official functions.

Article 28 of the Law of 27 February 2012 regulating the arrangements for cooperation with the International Criminal Court

 

List of high-risk third countries and persons subject to restrictive financial measures

The links given below were selected when the Vade Mecum was being drawn up. Accordingly, professionals should ensure that, when consulting them, they have an up-to-date version of the links proposed.

A – LISTS OF THIRD COUNTRIES POSING A RISK OF CORRUPTION/LACUNAE IN THE SYSTEMS FOR COMBATTING MONEY LAUNDERING AND TERRORIST FINANCING:

  • See for example the list of countries (corruption) published by Transparency International:

https://www.transparency.org/en/cpi/2020/index/nzl 

 

  • See the website of the Council of Europe with regard to the Group of States against Corruption:

https://www.coe.int/en/web/greco/evaluations

(List regularly updated)

 

  • See the FATF list/tool concerning the FATF member states and the 9 regional FATF-type organisations, also including high-risk and other monitored jurisdictions:

http://www.fatf-gafi.org/fr/pays/#hiyysgh-risk

 

  • see Commission Delegated Regulation (EU) 2020/855 of 7 May 2020 amending Commission Delegated Regulation (EU) 2016/1675 of 14 July 2016 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council by identifying high-risk third countries with strategic deficiencies

https://eur-lex.europa.eu/legal-content/FR/TXT/HTML/?uri=CELEX:32020R0855&from=EN

 

  • The CSSF also recommends referring to the official “country” reports published by the OECD, the World Bank and the International Monetary Fund:

 

 

 

  • See also:

www.cfatf.org (caribbean financial action task force)

www.apgml.org (Asia Pacific group on money laundering)

http://www.gafilat.org/index.php/es/ (GAFI South America)

www.menafatf.org (Middle east and North Africa financial action task force)

www.eurasiangroup.org

www.esaamlg.org

www.giaba.org (intergovernmental action group against money laundering in Africa)

 

B – LIST OF PERSONS/ENTITIES/GROUPS SUBJECT TO PROHIBITIONS AND RESTRICTIVE MEASURES IN FINANCIAL MATTERS IN THE CONTEXT OF COMBATTING MONEY LAUNDERING AND TERRORIST FINANCING:

  • EU sanctions tool :

https://www.cssf.lu/en/Document/eu-sanctions-tool/

  • Lists issued by the European institutions: the EU rules regarding financial embargoes are systematically sent to financial sector professionals by the CSSF. They are generally intended to transform into a binding EU instrument resolutions of the Security Council of the United Nations. These lists are directly applicable as soon as they are published in the Official Journal of the European Union and are, as such, binding on professionals.

https://webgate.ec.europa.eu/europeaid/fsd/fsf/public/…/pdfFullSanctionsList/content?…

 

  • Lists issued by the Cellule de Renseignement Financier (CRF_ Financial Intelligence Unit) of the Parquet (State Prosecutor’s Department)/Ministry of Finance: the circulars issued by the Parquet are generally aimed, on the basis of the obligation to cooperate in anti-money laundering matters, first, at obtaining information about persons suspected of being connected with money laundering/terrorist financing activities and, second, freezing the assets of such persons.

The CRF link leads to the website of the Ministry of Finance: https://mfin.gouvernement.lu/en/dossiers/2018/sanctions-financiaires-internationales.html

 

  • Other lists issued by foreign national authorities: this primarily concerns the list of the OFAC (Office of Foreign Assets Control of the United States Department of the Treasury).

That list may contain a number of persons and entities suspected of being connected with terrorist financing or money laundering activities. Thus, where a professional finds that it has a direct or indirect link with a person appearing on that list, this may give rise to a suspicion of money laundering or terrorist financing on the part of the professional. The presence of the person in question on the list may be regarded as constituting evidence within the meaning of Article 5 of the Law of 12 November 2004 which could prompt the professional to submit a suspicious operations report to the CRF. Indeed, the professional cannot rule out the possibility that the reason for the inclusion of the suspect on the OFAC list is his (the suspect) connection with activities linked to terrorist financing or money laundering.

 

https://www.treasury.gov/about/organizational-structure/offices/Pages/Office-of-Foreign-Assets-Control.aspx

 

C – FISCAL TRANSPARENCY AND THE COMMON REPORTING STANDARD

  • Grand-Ducal Regulation of 22 January 2021 amending the amended Grand-Ducal Regulation of 15 March 2016 implementing Article 2 (4) of the Law of 18 December 2015 on the Common Reporting Standard:

http://legilux.public.lu/eli/etat/leg/rgd/2021/01/22/a56/jo

  • Grand-Ducal Regulation of 1 March 2018 amending the Grand-Ducal Regulation of 15 March 2016, as amended, implementing Article 2(4) of the Law of 18 December 2015 on the Common Reporting Standard:

http://legilux.public.lu/eli/etat/leg/rgd/2018/03/01/a155/jo

 

  • On 17 October 2018 the OECD published recommendations concerning potentially high-risk “Citizenship by Investment” and “Residence by Investment” schemes:

http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/residence-citizenship-by-investment/

Useful links – additional references

  • The UK Joint Money Laundering Steering Group provides guidelines concerning the risk-based approach in Part 1 of its Guidance (pp. 41 to 70), accompanied by concrete illustrations:

http://www.jmlsg.org.uk/

  • The Bank for International Settlements provides guidance on “Sound management of risks related to money laundering and financing of terrorism”:

https://www.bis.org/bcbs/publ/d405.pdf

  • The FATF has issued guidelines on “National Money Laundering and Terrorist Financing Risk Assessment” containing illustrations of “country” risks (p. 39):

http://www.fatf-gafi.org/media/fatf/content/images/National_ML_TF_Risk_Assessment.pdf

  • The interpretative note to Recommendation 10, point H (p. 67) deals with the risk-based approach, listing the lower and higher-risk factors:

http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF%20Recommendations%202012.pdf

  • Virtual assets:

FATF guidance for a risk-based approach to VAs and VASPs (October 2021)

12-month review of the FATF standards on VAs and VASPs (June 2020) and

Second 12-month review of the FATF standards on VAs and VASPs (July 2021)

FATF report: virtual assets red flag indicators of ML/TF (September 2020)

CSSF communiqué on VAs, VASPs and the related registration process (9 April 2020)

Ministry of Justice ML/TF vertical risk assessment: virtual asset service providers (December 2020)

European Banking Authority risk factors Guidelines (1st March 2021)

CSSF dedicated page for VASPs

Documents – identification/verification of customers

DOCUMENTARY FORM – documentation/retention of documents relating to customer due diligence (verification)

 

CUSTOMER – legal personCopyOriginalIntervention/validation-certification by a third party

(public authorities, public officers and others)
Powers of representation of

AUTHORISED AGENTS:
X

 

Delegation of power, articles of incorporation of the company or association, fund prospectus, order/instrument of appointment

 

Art. 20(2) Reg. No 12-02
Depending on the risk assessment by the professional

 

(intervention: lawyer, notary, local authority, administrative authority/emanation of the State, as the case may be)
VERIFICATION of the identity of the legal personX

 

  1. Latest consolidated or up-to-date articles of incorporation (or an equivalent incorporation document)


 

  • Extract/entry in the register of companies (or equivalent supporting evidence)


 

  • In the case of associations or foundations recognised as being of public interest, see for example the relevant Grand-Ducal orders, decrees, association websites (…)


 

Art. 19(1) Reg. No 12-02
X

 

  • Consultation by certified electronic means, true copies, extracts from the identity documents of the legal person/entity registered


[instruments, articles of incorporation, annual accounts, collective proceedings, judgments, etc.]

 

  • Certificate of company incorporation/certificate of legal validity of the company

SUPPLEMENTARY VERIFICATION of the identity of the legal personX

 

  • Verification of the information gathered from independent sources (internet, software, public and private databases)


 

Art. 19(2) Reg. No 12-02
X

 

  • Acknowledgements of receipt of registered letters (contact with companies)


 

Art. 19(2) Reg. No 12-02
X

  • Management report and latest accounts, certified by an approved statutory auditor (as the case may be)


 

  • Document certifying that the company has not been dissolved/struck off the register/declared bankrupt/gone into liquidation


 

Art. 19(2) Reg. No 12-02

 

 

CUSTOMER – legal personCopyOriginalIntervention/validation-certification by a third party

(public authorities, public officers and others)
Powers of

AUTHORISED REPRESENTATIVES:

  • Legal representatives of customers lacking legal capacity/minors

X

 

Judgments/ family record books/birth certificates (…)
X

  • Judgment of the competent guardianship/administration court


 

  • Any supporting document issued by an administrative or public authority/emanation of the State

VERIFICATION of the identity of a customer who is a natural personX

 

Any document contained in e.g. the public (worldwide) register of authentic travel and identity documents online

 

(Website of the European Council)

https://www.consilium.europa.eu/prado/en/prado-start-page.html
X

 

  • Official unexpired identity document


(emanating from a public authority)

 

  • certificate of authenticity drawn up by the professional after inspecting the original or by a third party


 

Art. 18(1) Reg. No 12-02
SUPPLEMENTARY VERIFICATION of the identity of a customer who is a natural person and of his/her residence (where there is any doubt)X

 

  • Any relevant supporting document as required by the professional

X

 

  • Acknowledgements of receipt of registered letters (contact with customers)


 

  • Documents proving permanent domicile/residence:


 

standard insurance document;

 

municipal/housing tax bills/State subsidies – miscellaneous allowances;

 

tax demands/salary slips/ pension statements/tax credits;

 

Proof of dispensational tax status (RND, “au forfait”), tax identification number, self-certification;

 

internet/mobile phone subscription;

 

administrative summons/formal notice to pay/perform/comply (…)

 

DOCUMENTARY DATABASES FOR CARRYING OUT CUSTOMER DUE DILIGENCE:

The Luxembourg Ministry of Foreign and European Affairs provides comprehensive information regarding the list of travel documents approved by the European Commission and recognised by the Member States parties to the Schengen agreement. This contains:

(i)  Travel documents issued by third countries and territorial entities (Part I)

The above link indicates, above all, the official identity documents (for natural persons) authorised in third States.

– The European Council’s (worldwide) “PRADO” public register of authentic identity and travel documents online lists, and make it possible to search for, documents by country of issue or by document title.

This tool is very comprehensive and may prove particularly useful in helping to assess the authenticity of identity documents issued by third countries. It includes the references and photos necessary for a practical assessment by a professional:

https://www.consilium.europa.eu/prado/en/prado-documents/are/b/o/docs-per-type.html

(see also the French version)

The French decree of 16 April 2014 fixing the list of supporting documents for exercising the right to hold an account with the Banque de France (Official Journal of the French Republic No 0106 of 7 May 2014, page 7762) provides a long list of documents proving identity/domicile for the purposes of the exercise that right, both by natural persons and by legal persons.

Professionals may find it useful to refer thereto for the purposes of supplementing their list of supporting documents:

https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000028905503&categorieLien=id

– Luxembourg legal literature proposes, notably, a series of elements for identifying and verifying the identity of customers who are natural persons and customers who are legal persons

See “Check List des documents d’identification et de vérification” (“Checklist of identification and verification documents” in La lutte contre le blanchiment d’argent by Thierry POULIQUEN, Éditions Promoculture Larcier (p. 399).

The UK’s Joint Money Laundering Steering Group has issued AML/CFT guidance, part of which refers to documents allowing the identity of customers who are natural persons to be verified.

Seehttp://www.jmlsg.org.uk/, point 5.3.73 et seq. of the initial guide.

It states very clearly that these may emanate from either:

(i) an official document issued by the State administration (government-issued document”) which incorporates the individual’s full name and photograph AND:

  • either his/her residential address; or
  • his/her date of birth.

For example: a valid passport, valid driving licence, national identity card, firearms certificate or shotgun licence, voter’s card; or

(ii) a government, court or local authority-issued document not including an identity photograph but incorporating the customer’s full name,

  • supported by a second document, either government-issued or issued by a judicial authority, a public-sector body or authority, a regulated utility company, or an entity regulated by the banking/financial sector supervisory authority (FCA), which incorporates:
  • the customer’s residential address; or
  • his/her date of birth

For example: a valid driving licence, an administrative document/certificate evidencing entitlement to a benefit (housing/tax credit/retirement pension/educational or other grant, etc.), summons/record of service of process/ formal notice to pay/perform/comply, council tax demand letter or statement, etc.