CSSF Regulation 20-05: changes and clarifications

in Regulatory/Compliance, 24.09.2020

On 14 August 2020, Luxembourg’s financial regulator CSSF published Regulation 20-05 (“the Regulation”), amending CSSF Regulation 12-02 of 14 December 2012 regarding the fight against money laundering (ML) and terrorist financing (TF). The Regulation, which entered into force on 24 August 2020, aims to provide further clarifications to professionals regarding the changes brought by the Law of 21 March 2020 (“the Law”) transposing the Fifth Anti-Money Laundering Directive. And, it also clarifies certain provisions of the Law that apply to the collective investment sector.

This article summarizes the main changes and clarifications of the Regulation. You can find further key changes and amendments to Grand-Ducal Regulation of 14 August 2020 in this related blog .

1. Risk-based approach

Overall risk related to professionals’ activities

  • When assessing their activities’ anti-money laundering (AML) and/or combating the financing of terrorism (CFT) risk, professionals must integrate different sources including but not limited to:
    1. The European Commission’s supranational report on ML and TF risks (Supra National Risk Assessment)
    2. The “National Risk Assessment” on ML and TF risks
    3. The “sub-sector Risk Assessment” of AML/CFT risks
    4. The “Risk Factor Joint Guidelines” from the European supervisory authorities, namely the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA), as well as any related CSSF publications.
  • Furthermore, professionals must determine their risk-based approach using a defined ML/TF risk appetite approved by the board of directors and transposed by the authorized management. And, they must also make sure the strategy is consistent with this approach and communicated to all staff involved.
  • The Regulation also foresees that, regarding investment business, professionals should carry out an analysis of the investment’s ML/TF risk. Appropriate due diligence measures adapted to the risk assessed should be taken . This analysis must be formalized and reviewed on at least an annual basis, as well as on a trigger event basis.

Customers’ risk classification

  • When professionals assess a business relationship’s individual risk and whether a situation may represent a lower risk, professional judgment is required to justify and explain the application of simplified due diligence (SDD) regimes besides the use of the minimum requirements included in Appendix III of the Law . Other lower risk factors that professionals deem relevant may be considered as well.Similarly, professionals should also include additional relevant high-risk factors beyond the minimum requirements defined under Appendix IV of the Law when assessing the risk of their business relationships.
    • Assessing the risk level of a business relationship should involve an understanding of the nature and activity of that relationship.
    • Where the units or shares of an undertaking for collective investment or an investment company in risk capital are subscribed through an intermediary acting on behalf of others, professionals must apply a two-tiered due diligence approach. First, the intermediary, the persons acting on its behalf and its beneficial owners must be identified, and their identity verified, where appropriate, on a risk-based approach . Second, professionals must implement enhanced due diligence (EDD) measures on the business relationship similar to that of a correspondent with the intermediary that invests on behalf of others. This should enable professionals to accurately assess the robustness of the intermediary’s AML/CFT framework.

2. Customer due diligence measures

Customer acceptance

  • Professionals may accept clients with a lower AML/CFT risk using an automated acceptance process that doesn’t require the intervention of a natural person. This process must be tested beforehand, regularly reviewed to assess its reliability over time, and be in line with the CSSF’s instructions.
  • Also, for all high-risk clients — such as clients or transactions involving a politically exposed person (PEP) or high-risk countries — the systematic involvement and approval of the compliance officer is expected. The acceptance procedure for these customers must also be described and included in the AML/CFT policy.
  • Opening a safe deposit box requires the same level of due diligence as any other type of business relationship. It is prohibited to open an account, passbook or safe deposit box with an anonymous or fictitious name.

Identification and verification of customers

  •  As part of the standard due diligence measures for identifying customers and collecting information, professionals must also gather and register this information regarding initiators and promoters of an investment fund supervised by the CSSF and who will be the professional’s customer.
  • Verifying the identity of a natural person must involve a valid and authentic official identification document issued by a public authority. Driving licenses are once again considered an acceptable document. And, to fulfill their due diligence requirements, professionals may use electronic identification means described by Regulation (EU) 910/2014 as well as any electronic or remote secure, approved and regulated identification process.
  • To verify the beneficial owner’s identification data, professionals can rely on information obtained from customers, central registers, or any other independent and reliable sources. However, please note that the information from central registers cannot be considered as a sole reliable source.
  • When it comes to trusts, fiduciaries or any other similar legal structure, and in case the professional is not able to identify the beneficiary of a trust/fiducie/similar legal arrangement given that such beneficiary is designated by a characteristic, identification and verification might be performed at the time benefit payments are made or when the beneficial owner exercises its vested rights.

Purpose and intended nature of the relationship

While performing customer due diligence measures, professionals are obliged to assess and understand the business relationship’s purpose and intended nature — for example, the origin of the customer’s funds, wealth and type of transactions foreseen — and obtain corroborative documentation on a risk-based approach.

Transfer of funds

The Regulation includes detailed explanations regarding the information professionals must obtain on the payer/payee before carrying out an occasional transaction in the form of a transfer of funds exceeding EUR1,000 within the European Union. These requirements mirror EU Regulation 2015/847.

3. Specific situations

SDD situations

The Regulation has further defined the SDD measures that professionals may use in low-risk situations, including but not limited to:

  • When the customer is subject to a compulsory authorization or registration regime for AML/CFT purposes, professionals can verify that the customer is subject to this regime by searching the regulator’s official website and documenting the search results.
  • When the customer is a regulated credit or financial institution, instead of asking for the complete identification of the persons acting on the customer’s behalf, professionals can obtain a letter confirming the institution applied due diligence measures to these persons and carries out regular controls regarding the applicable lists of restrictive measures in financial matters.
  • When the first payment is transferred from an account in the customer’s name from a credit or financial institution regulated by a member of the European Economic Area or a third country imposing equivalent AML/CFT obligations.
  • Also, professionals may only update customer information if certain trigger events seem to indicate that the relationship’s associated risk is no longer low, such as changes in the behavior or transaction profile, a request from the customer for a new or riskier product or service, etc.

EDD situations

Regarding non-face-to-face relationship or transactions — where the professional has not taken the necessary guarantees such as “electronic identification means, relevant trust services as defined in Regulation (EU) No 910/2014 or any other secure, remote or electronic, identification process regulated, recognized, approved or accepted by the relevant national authorities” — the Regulation defines specific measures that professionals should apply to compensate the potentially higher risk of the relationship.

Such measures include obtaining additional identification documents, data or information to check the customer’s identity; obtaining certified documents by a public authority; and ensuring that the first transaction is carried out via an account in the customer’s name with a credit institution subject to the Law or equivalent professional obligations.

PEP relationships

The ongoing identification of PEPs amongst existing customers must be carried out at least every six months. As this relationship should be approved by senior management, the Regulation further specifies that “senior management” should at least be the person responsible for compliance.

4. Due diligence requirements

  •  The Regulation further strengthens the ongoing due diligence obligation for identifying and monitoring abnormal, complex or unusual transactions. Professionals are expected to analyze the economic background of these transactions with the customer’s profile and take appropriate measures for the level of risk, such as obtaining corroborative documentation to support these transactions and document their comfort.
  • In addition, professionals must remain focused on the proper identification of states, persons, entities or groups subject to restrictive measures when entering into a relationship with a customer or transaction. The Regulation stipulates that professionals must ensure the screening system is automatically updated following any changes to the official sanction list, to guarantee real-time screening and ensure the identification process isn’t delayed. This obligation also applies to the assets that a professional manages. To ensure the screening system’s effectiveness, organizations must implement a complete and up-to-date customer database as a prerequisite to an efficient supervisory system, including all customer’s accounts and their transactions, as well as all related parties such as proxies, beneficial owners, the payer of the incoming transfer, recipients, etc.
  • As part of the periodic customer file update, professionals must verify at least once a year if the SDD regime conditions still apply, independently of the relationship review frequency, but provided some transactions occurred during this period. If no transactions have taken place, the review can be launched when the relationship is reactivated.

5. Outsourcing requirements

  • When outsourcing AML/CFT functions, professionals must ensure the third-party delegate has the necessary resources to perform these outsourced tasks. Also, the processes for selecting and evaluating a third-party delegate must include detailed provisions and a risk assessment before concluding such an outsourcing agreement. This agreement must contain each party’s enumerated rights, obligations, and respective roles and responsibilities. The Regulation also focuses on the collective investment sector, providing further clarification about the due diligence measures that any investment fund manager (IFM) must implement for registrar and transfer agents, portfolio managers, and investment advisors that complements circular 18/698.
  • Please note that, even if a registrar and transfer agent is considered under the outsourcing contract to be part of the investment fund and/or IFM, it is not exempted from its own AML/CFT obligations.
  • Regarding their customers’ data, both professionals and the CSSF should have access rights to the third-party delegate’s systems and databases.

6. Governance and internal organization requirements

  • The Regulation distinguishes between the role of the person responsible for compliance with AML/CFT obligations or the Responsible du Respect (RR), who must be at authorized management or board of directors level, with the person responsible for the control of compliance with the AML/CFT obligations or the Responsible du Contrôle (RC), who must be a person in charge of implementing AML/CFT policies and controls
  • Along with their other various tasks and duties, the RC is obliged to provide a summary report on an annual basis, which should be communicated to the RR, the board of directors and authorized management.

7. How can KPMG assist you with Regulation 20-05?

KPMG’s forensic and AML services can help you review and update your AML/CFT framework to ensure you comply with the latest regulatory changes. Our specialist team provides a range of tailor-made solutions, including:

  • Impact analysis
  • Practical and effective AML/CFT gap analysis or enterprise-wide risk assessments
  • Risk-based approaches tailored to your risk level and appetite
  • Readiness training and customized workshops covering an array of subjects.

If you have any questions or would like additional advice, please get in touch.