The EU AML4 Directive (Directive)1 – an EU directive aimed at combatting money laundering and terrorist financing – has finally been transposed into Luxembourg law through the adoption of bill 71282. This occurred several months after the 26 June 2017 deadline for the implementation of the Directive, through the entry into force of a law amending the Luxembourg AML Law3 (AML Amending Law4) on 18 February 2018.
The AML Law sets out new requirements relating to, inter alia, the due diligence obligations for all professionals subject to the AML Law (Professionals), as well as the supervision by control authorities and self-regulatory bodies with respect to Professionals’ compliance with such obligations. The legal framework is generally more rigorous, as Professionals must comply with new requirements and update their internal procedures accordingly. Further, Professionals are subject to increased sanctions in the case of non-compliance.
Although most provisions of the Directive have now been implemented through the entry into force of the AML Amending Law, neither the implementation of a register of beneficial owners5 nor a register of trusts6 has yet been completed.
The Luxembourg financial supervisory authority (Commission de Surveillance du Secteur Financier, CSSF) published CSSF Circular 18/684 on 13 March 2018, to draw attention of the Professionals under its supervision to the entry into force of the AML Amending Law and the key changes made to the AML Law.
Below is a non-exhaustive summary of such key changes effected by the AML Amending Law.
Risk-Based Customer Due Diligence
Through the implementation of the Directive, all Professionals have the obligation to take appropriate measures (proportionate to their nature and size) to identify and evaluate the risks of money laundering and terrorist financing to which they are exposed. Professionals are required to adapt their customer due diligence in accordance with the risks identified through this assessment. The risk assessments must be documented, kept up-to-date and made available to the relevant control authorities and self-regulatory bodies.
The AML Law now contains non-exhaustive lists7 of: (i) risk variables to be considered by Professionals when determining appropriate customer due diligence measures (e.g., purpose of the relationship, size of the transactions undertaken, regulatory or duration of the business relationship); and (ii) risk factors (relating to clients, countries or geographical areas, products, services, transactions or distribution channels) that may be indicative of the level of risk of money laundering and terrorist financing. For example, a potentially lower risk might be posed by a company listed on a stock exchange and subject to transparency obligations, whereas a higher risk might be posed through the use of nominee shareholders or bearer shares.
The identification by Professionals of their clients’ beneficial owners constitutes one of the main customer due diligence duties under the AML Law. The AML Amending Law, by providing clarification as to the concept of beneficial ownership for companies and fiduciary arrangements (fiducie) and trusts, has increased Professionals’ duties regarding the identification of beneficial owners.
Prior to the adoption of the AML Amending Law, ownership of at least 25% of a company was sufficient to create the presumption of being a beneficial owner of the company. A different approach is now taken by the AML Law, which construes an ownership of at least 25% as merely an indication of direct or indirect ownership in a company. By reducing the importance of the ownership threshold in the determination of beneficial ownership, the AML Law opens the door for other persons (including those holding less than 25% ownership in a company) to be considered as beneficial owners.
The AML Law also now provides that, if no beneficial owner can be identified, or where it is not clear that an identified person is the beneficial owner, the principal senior managing official(s) of a company shall be considered as the beneficial owner(s) of the company.
Further, the AML Law clarifies the concept of beneficial ownership in relation to fiduciary arrangements and trusts, by providing that the following participants in a fiduciary or trust arrangement must all be considered as beneficial owners: settlor; trustee; protector, beneficiaries and any natural persons exercising control over the arrangement or entity, in each case notwithstanding any ownership percentage.
Politically Exposed Persons
Professionals are also obliged under the AML Law to put in place appropriate risk management systems (including risk-based procedures) to determine whether their customers or the customers’ beneficial owners are persons entrusted with an important public function (“politically exposed persons” or PEPs)8 or are related to such persons. If so, Professionals must apply enhanced due diligence measures with respect to such PEPs, including, inter alia, the obligation to: (i) obtain senior management approval for establishing business relationships with the PEPs; (ii) take adequate measures to establish the source of wealth and source of funds involved in the business relationship or transaction; and (iii) conduct enhanced ongoing monitoring of the business relationship with the PEPs.
Prior to the adoption of the AML Amending Law, the enhanced due diligence measures applied only to foreign PEPs. The AML Law no longer provides for a distinction between domestic and foreign PEPs. Furthermore, the definition of PEPs has been expanded to include, inter alia: directors and members of the board of an international organisation; and brothers and sisters as family members of PEPs. Therefore, there is now a broader category of PEPs for purposes of application of the AML Law’s enhanced due diligence measures.
Enhanced Adequate Internal Organisation
Professionals are required to establish appropriate policies, controls and procedures9 (proportionate to their nature and size) to mitigate and effectively manage the risks of money laundering and terrorist financing that they identify, at the international, European, national and sectoral levels, as well as with respect to the Professionals themselves. In connection with this obligation, Professionals must take measures to make their employees aware of applicable professional obligations and data protection requirements10, including through participation in ongoing training programs to recognise operations that may be related to money laundering and terrorist financing, and how to respond in such cases. In this regard, Professionals must have in place appropriate procedures for their employees to report breaches of professional obligations internally through a specific, independent and anonymous channel.
Professionals that are part of a group are required to implement group-wide data protection and information sharing policies and procedures, and those policies and procedures must be implemented effectively at the level of the Professional’s branches and majority-owned subsidiaries.
Further, prior to developing, launching or utilising new products, business practices (including distribution channels) or technologies, Professionals must consider and evaluate the potential risks of money laundering and terrorist financing that may be involved and take appropriate measures to manage and mitigate those risks.
Supervision and Sanctions
The AML Law now specifically lists the Control Authorities11 and Self-Regulatory Bodies12 that are the entities charged with monitoring Professionals’ compliance with their obligations under the AML Law (and, if required, with the cooperation of the competent authorities in the Member State where a Professional operating in Luxembourg has its head office). The Control Authorities and Self-Regulatory Bodies perform this monitoring based on the risks of money laundering and terrorist financing to which the Professionals are exposed13, and periodically (or upon the occurrence of a major change in a Professional’s management or activities) evaluate Professionals’ risk profiles in relation to such risks14. The Control Authorities are entrusted with all powers of supervision and investigation necessary to the exercise of their functions, within the limits of the AML Law15 – this includes the right to (among other matters): request documents or information; temporarily prohibit persons under their prudential supervision (as well as employees of the Professional or members of the Professional’s managing body) from exercising professional activities; request that the Luxembourg public prosecutor freeze or sequester assets; and impose administrative sanctions and measures (e.g., warnings, reprimands, public statements, suspension or withdrawal of the Professional’s authorisation), as well as administrative fines.
The maximum amount of administrative fines that the Control Authorities may impose is double the amount of any determinable benefit gained by the Professional, or EUR 1,000,000 if such amount cannot be determined. In the case of a credit institution or financial institution, the maximum amount of administrative fines is EUR 5,000,000 or 10% of the company’s total annual turnover.
The maximum amount of criminal fines provided by the AML Law has been increased to EUR 5,000,000.
1) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing.
2) Bill of law n° 7128 dated 24 April 2017.
3) Luxembourg law dated 12 November 2004 on the fight against money laundering and terrorist financing, as amended.
4) Law of 13 February 2018 amending the Luxembourg law dated 12 November 2004 on the fight against money laundering and terrorist financing.
5) Bill of law n° 7217 dated 5 December 2017.
6) Bill of law n° 7216 dated 1 December 2017.
7) Two new appendices have been added in the AML Law with lists of factors indicating lower or enhanced risks of money laundering and terrorist financing.
8) The AML Law lists a number of categories of persons who are considered PEPs, including: (a) heads of State, heads of government, ministers and deputy or assistant ministers; (b) members of parliament or of similar legislative bodies; (c) members of supreme courts, constitutional courts or other high-level judicial bodies whose decisions are not subject to further appeal except in exceptional circumstances; (d) members of courts of auditors or of the boards of central banks; (e) ambassadors, chargés d’affaires and high-ranking officers in the armed forces; (f) members of the administrative, management or supervisory bodies of State-owned enterprises; (g) important officials and members of the management bodies of political parties; and (h) directors, deputy directors and members of the board of an international organisation, or persons holding an equivalent position in such entity.
9) Such policies, controls and procedures include (among others) those pertaining to: risk management models; customer due diligence; cooperation with the relevant control authorities and self-regulatory bodies; recordkeeping and document maintenance; internal controls; compliance, including appointment of a person responsible for supervising compliance (depending on the size and nature of the Professional’s activity); and an independent audit function (depending on the size and nature of the Professional’s activity).
10) The AML Amending Law enhances relevant data protection requirements by prohibiting the processing of personal data for any purpose other than the prevention of money laundering and terrorist financing. The subject of the data collection must be informed prior to the data processing and the subject’s right to access his or her data can be restricted or delayed under certain conditions of the AML Law.
11) The relevant control authorities (autorités de contrôle) are Luxembourg’s: (i) Commission de Surveillance du Secteur Financier (CSSF), the financial supervisory authority; (ii) Commissariat aux Assurances (CAA), the insurance sector supervisory authority; and (iii) Administration de l’Enregistrement et des Domaines (AED), the indirect tax administration.
12) The self-regulatory bodies (organismes d’autorégulation) are Luxembourg’s: (i) Institute of approved statutory auditors (Institut des Réviseurs d’Entreprises); (ii) Association of Chartered Accountants (Ordre des experts-comptables); (iii) Chamber of notaries (Chambre des Notaires); (iv) Council of the Luxembourg Bar (Conseil de l’Ordre du Barreau de Luxembourg); and (v) Chamber of bailiffs (Chambre des huissiers).
13) In this respect, the Control Authorities and Self-Regulatory Bodies: (i) ensure that they have an adequate understanding of the money laundering and terrorist financing risks present in Luxembourg; (ii) have access to information pertaining to risks related to the Professional’s clients, products or services offered; and (iii) monitor relevant risks in a manner and with a frequency in accordance with the Professional’s risk profile and the money laundering and terrorist financing risks present in Luxembourg.
14) This includes risks related to a Professional’s non-compliance with relevant AML Law obligations.
15) For example, a Professional must be able to justify to the Supervisory Authorities the appropriateness of the measures taken by the Professional in light of its risk assessment.