Background
This new Regulation (the “New Regulation”), of 14 August 2020, amends Commission de Surveillance du Secteur Financier (“CSSF”) Regulation 12‑02 of 14 December 2012 (“12-02”) on the fight against money laundering and terrorism financing. This is the first amendment of 12-02. It provides further details on certain provisions of the amended Law of 12 November 2004 (the “AML Law”) which implemented European Directive 2018/843 (the “Fifth EU Directive”) on 25 March 2020. The changes set out in the New Regulation are effective immediately.
Primary Change
While a number of amendments only reflect the update of references to the AML Law (see our article on the AML Laws of 25 March 2020), other changes are more substantial and include, inter alia:
· the introduction of Simplified Customer Due Diligence (“SDD”);
· reinforced internal management requirements, based on the frequently asked questions (“FAQ”) of 25 November 2019 on Persons involved in Anti Money Laundering and Counter Financing of Terrorism (“AML/CFT”) for a Luxembourg Investment Fund or Investment Fund Manager supervised by the CSSF for AML/CFT purposes;
· guidance on the risk-based approach to be taken in relation to investment business operations;
· further details on the use of AML systems (internal or via a third party provider);
· clarifications on the acceptance process;
· the definition of ‘customer’, encompassing the notion of investor registered in the investment fund register;
· further guidance on the outsourcing process.
Key points for Investment Fund Managers (“IFMs”) and Undertakings for Collective Investment (“UCIs”)
1. Customer due diligence measures
· Customer acceptance process:
In case of new clients with a low ML/TF risk profile, the acceptance process can be simplified. The CSSF allows professionals to use an automated process which does not require human intervention if it can be demonstrated that this process is a reliable and efficient alternative to manual approval by the professional. The process should be tested and regularly reviewed to ensure its robustness.
· SDD:
The New Regulation introduces SDD measures that professionals may apply to the business relationship in case of a justified low risk assessment (the professional should monitor the risk at all times to ensure that the conditions for the application of low risk still apply), for example:
- the exceptional acceptance of other types of ID documents which meet the criteria of reliable and independent sources (e.g. a letter addressed to the customer by a governmental body or other reliable public body). This is only possible where the customer cannot provide the usual identification documents and insofar as there are no grounds for suspicion
- due diligence can be updated only upon certain trigger events (e.g. riskier product, relocation to a different country, changes in the transaction behaviour or profile or any other trigger event which seems to indicate that the risk is no longer low), instead of being updated on a regular basis
- for persons purporting to act on behalf of a customer, initiator, promoter who launched an investment fund, obtaining information on the country of residence of these persons instead of asking for the full postal address
- for persons purporting to act on behalf of a customer where a customer is a regulated credit or financial institution, instead of requesting the complete identification of these persons, obtaining a letter confirming that the institution applied due diligence measures to these persons and that it carried out regular controls of these persons with respect to the applicable lists of restrictive measures in financial matters
- for customers subject to a compulsory authorisation or registration regime for AML/CFT purposes, the verification that the customer is subject to this regime by performing, for example, a search on the official website of the regulator and documenting the results of the search.
2. Risk-based approach
The New Regulation added a paragraph on Know Your Assets (“KYA”) in the context of investment businesses. The paragraph obliges professionals to analyze, based on a risk-based approach, the Money Laundering/Terrorism Financing Risk (“ML/TF”) posed by the investment. Further due diligence measures should be taken commensurate with the outcome of the risk-based approach. The regulation stipulates that such risk-based approaches should be formalised and reviewed at least annually or based on a trigger event which would require a re-evaluation of the risk.
The professional also has the obligation to identify the States, persons, entities and groups subject to restrictive measures in financial matters with respect to the assets it manages and to ensure that funds will not be made available to these groups.
3. AML Systems
The professional must ensure that the internal system or system made available by an external service provider, used for the detection of persons, entities or groups involved in a transaction or business relationship subject to restrictive measures in financial matters is adapted without delay to the latest lists.
The identification of politically exposed persons during the business relationship should be carried out at least every six months.
4. Outsourcing arrangements and agency relationships
It is reiterated that the responsibility with regard to compliance with the provisions of the AML Law, the Grand-Ducal Regulation of 1 February 2010 as amended by Grand-Ducal Regulation of 14 August 2020 and the New Regulation remains with the board of directors of the UCI and/or the IFM. Hence, further clarification is provided regarding the minimum content to be included in the contract for outsourcing arrangements to be used by the board of directors of the UCI and/or the IFM. The board of directors of the UCI and the IFM should ensure that the relevant contracts include (i) detailed clauses specifying the roles and responsibilities of each party as well as (ii) the conditions relating to the transmission of information to the professional, notably to make available immediately, regardless of confidentiality or professional secrecy rules or any other obstacle, the information gathered while fulfilling the customer due diligence obligations. In addition, a process should be put in place to transmit, upon request and without delay, a copy of the original supporting evidence received.
The New Regulation mentions that the policies and internal procedures relating to outsourcing and agency relationships should include detailed provisions (Due Diligence requirements) on the process for the selection and evaluation of third-party delegates and sub-delegates.
The Regulation also specifies the monitoring obligations for third party delegates (most notably transfer agents, portfolio managers to which it outsources the management and investment advisors) which should occur on a regular and ad hoc basis (for example through on-site visits), in accordance with the risk-based approach, where the professional should verify (for example, through sampling) the compliance obligations incumbent upon the third-party delegate.
5. Non-face-to-face business relationships
Even though the AML Law does not foresee that non-face-to-face relationships automatically result in high risk, some additional measures have to be taken when certain safeguards are not in place, such as electronic identification means, relevant trust services as defined in Regulation (EU) No 910/2014 or any other secure, remote or electronic, identification process which is regulated, recognised, approved or accepted by the relevant national authorities. If such safeguards are not available, additional measures have to be taken, most notably:
· measures ensuring that the customer's identity is established by additional identification documents, data or information;
· additional measures ensuring the verification or certification by a public authority of the provided documents;
· confirmatory certification by a credit institution or a financial institution subject to the AML Law or subject to equivalent professional obligations as regards the fight against money laundering and terrorist financing;
· measures ensuring that the first payment of the transactions is carried out via an account opened in the customer’s name with a credit institution or a financial institution subject to the AML Law or subject to equivalent professional obligations as regards the fight against money laundering and terrorism financing.
6. Internal Management
In its FAQ from 25 November 2019, the CSSF provided an introduction to the functions of ‘person responsible for compliance’ (the “RR”[1]) and those of the ‘compliance officer’ (the “RC”[2]).
The RR should be a member of the board of directors or the board of directors as a collective body (or, where applicable, the authorised management responsible for the fight against ML/TF).
The RC is the person who must implement AML/CFT procedures, for example, the compliance officer, where applicable. The RC may delegate the exercise of his function to one or more employees connected to the professional provided that they have sufficient experience and knowledge of the Luxembourg legal and regulatory framework relating to AML/CFT and are of a sufficient level and authority within the entity.
The table below provides information on the RR’s and RC’s respective responsibilities:
Link to the CSSF Regulation 20-05
Link to the CSSF Regulation 12-02, as amended
[1] Responsable du respect des obligations
[2] Responsable du contrôle du respect des obligations