CSSF Regulation No 12-02 of 14 December 2012 on the fight against money laundering and
terrorist financing
as amended by CSSF Regulation No 20-05 of 14 August 2020 amending CSSF Regulation No 12-02
of 14 December 2012 on the fight against money laundering and terrorist financing
This coordinated text was drawn up by the CSSF for information purposes only. In case of  
discrepancies between the French and the English text, the French text shall prevail.  
CSSF Regulation No 12-02 of 14 December 2012 on the fight against  
money laundering and terrorist financing  
(Mémorial A – No 5 of 9 January 2013)  
as amended by:  
- by CSSF Regulation No 20-05 of 14 August 2020 amending CSSF Regulation
No 12-02 of 14 December 2012 on the fight against money laundering and  
terrorist financing  
(Mémorial A – No 695 of 20 August 2020)  
The Executive Board of the Commission de Surveillance du Secteur  
Financier;  
Considering Article 108a of the Constitution;  
Considering the Law of 23 December 1998 establishing a financial sector  
supervisory commission ("Commission de surveillance du secteur financier")“, as  
amended,”1 and in particular Article 9(2);  
Considering the Law of 12 November 2004 on the fight against money  
laundering and terrorist financing“, as amended,”2 and the Grand-ducal Regulation of  
1 February 2010 providing details on certain provisions of that law“, as amended”3;  
Considering the opinion of the Consultative Committee for prudential  
regulation;  
decides:  
Chapter 1 Definitions  
Article 1  
(1) For the purposes of this regulation, the following definitions shall apply:  
(CSSF Regulation No 20-05)  
““ML/TF”:  
Money Laundering/Terrorist Financing;  
Footnotes 1 to 3: CSSF Regulation No 20-05
“customer”:  
natural or legal person with whom a business  
relationship exists or for whom an occasional  
transaction is carried out within the meaning  
of point (b) of Article 3(1) of the Law, including  
persons purporting to act on behalf of the  
customer.  
As regards investment funds, the notion of  
customer encompasses the notion of investor  
registered in the investment fund register;”  
"FIU":  
the Financial Intelligence Unit “under the  
administrative supervision of the Chief Public  
Prosecutor”4;  
“CSSF”:  
the Commission de Surveillance du Secteur  
Financier;  
““Directive (EU) 2015/849”:  
Directive (EU) 2015/849 of the European  
Parliament and of the Council of 20 May 2015  
on the prevention of the use of the financial  
system for the purposes of money laundering  
or terrorist financing, amending Regulation  
(EU) No 648/2012 of the European Parliament  
and of the Council, and repealing Directive  
2005/60/EC of the European Parliament and  
of the Council and Commission Directive  
2006/70/EC,  
as amended, and its implementing acts;”5
“management”:
the persons having a real influence on the
overall management of the professional's
business;
“authorised management”:
the persons responsible for the “daily”6
management of the professional, authorised
by the CSSF (…)7;
“FATF”:
the Financial Action Task Force;
Footnotes 4 to 7: CSSF Regulation No 20-05
(CSSF Regulation No 20-05)  
““IFM”:  
the Investment Fund Manager;”  
“AML/CFT”:
Anti-Money Laundering and Countering the
Financing of Terrorism
“Law”:
the Law of 12 November 2004 on the fight
against money laundering and terrorist
financing“, as amended”8. “This definition
includes the European regulations
implementing Directive (EU) 2015/849 which
are published on the CSSF website and which
are directly applicable in Luxembourg.”9
““Law implementing restrictive measures in financial matters”: the Law of 27 October  
2010 implementing United Nations Security  
Council resolutions as well as acts adopted by  
the European Union concerning prohibitions  
and restrictive measures in financial matters  
in respect of certain persons, entities and  
groups in the context of the combat against  
terrorist financing or any law repealing and  
replacing this law and which implements  
restrictive measures in financial matters,  
including its implementing measures;”10  
“professional obligations”:  
the obligations for professionals as regards  
AML/CFT;  
“professionals”:  
“the persons referred to in Article 2-1(1) of the  
Law”;11  
““Regulation (EU) 2015/847”:  
Regulation (EU) 2015/847 of the European  
Parliament and of the Council of 20 May 2015  
on information accompanying transfers of  
funds and repealing Regulation (EC) No  
1781/2006;”12  
Footnotes 8 to 12: CSSF Regulation No 20-05
“Grand-ducal Regulation”:  
the Grand-ducal Regulation of 1 February  
2010 providing details on certain provisions of  
the Law“, as amended”13;  
(CSSF Regulation No 20-05)  
““compliance officer in charge of the control of compliance with the professional  
obligations”: the person who shall implement  
AML/CFT, for example, the compliance officer,  
where applicable, and designated for the  
purposes of this regulation as “compliance  
officer”;  
“person responsible for compliance with the professional obligations”: the member of
the authorised management responsible for
the fight against money laundering and
terrorist financing and designated for the
purposes of this regulation as “person
responsible for compliance”. For professionals
which do not have an authorised
management, this person is a member of the
Board of Directors or the Board of Directors as
a whole;”
(2) As for the notions which are not otherwise defined in this article, the  
definitions given, where appropriate, in the Law or the Grand-ducal Regulation shall  
apply.  
Chapter 2 Scope  
Article 2  
(1) The provisions of this regulation shall apply to the professionals referred  
to in Article 2 of the Law “which are supervised, authorised or registered by the CSSF,  
including Luxembourg branches of foreign professionals notified to the CSSF, as well  
as foreign professionals notified to the CSSF which provide services in Luxembourg  
without establishing a branch”14.  
Footnotes 13 and 14: CSSF Regulation No 20-05
(2) The provisions of “Article 4-1(3)”15 of the Law relating to the application of  
at least equivalent measures in foreign branches and “majority-owned”16 subsidiaries  
shall also apply for the enforcement of this regulation.  
(CSSF Regulation No 20-05)  
“(3) The réviseurs d’entreprises (statutory auditors), the réviseurs  
d'entreprises agréés (approved statutory auditors), the cabinets de révision (audit  
firms), the cabinets de révision agréés (approved audit firms) and the audit firms  
within the meaning of point (3) of Article 1 of the Law of 23 July 2016 concerning the  
audit profession, as amended, are not referred to in this regulation.”  
(CSSF Regulation No 20-05)  
“Chapter 3 Risk-based approach  
Section 1 Identification, assessment and understanding of risks  
Subsection 1 Risk relating to the intermediary”  
Article 3  
“(1)”17 Where the units or shares of an undertaking for collective investment  
or an investment company in risk capital are subscribed through an intermediary  
acting on behalf of “others”18, the undertaking for collective investment, its  
management company, the investment company in risk capital or, where applicable,  
the respective proxy of the professionals shall put in place enhanced customer due  
diligence measures for this intermediary which are applied mutatis mutandis pursuant  
to the terms of Article 3-2(3) of the Law, Article 3(3) of the Grand-ducal Regulation  
and Article 28 of this regulation in order to ensure that all the obligations under the  
Law, the Grand-ducal Regulation and this regulation or at least equivalent obligations  
are complied with.  
Footnotes 15 to 18: CSSF Regulation No 20-05
(CSSF Regulation No 20-05)  
“(2) In accordance with the preceding paragraph, the due diligence measures  
which apply to the relationship with the intermediary shall be at two levels: (i) the  
intermediary, the persons purporting to act on its behalf and its beneficial owners shall  
be identified and their identity verified, where applicable, according to a risk-based  
approach and (ii) enhanced due diligence measures shall be implemented for the  
business relationship qualified as similar to correspondent relationship with the  
intermediary which invests on behalf of others. These enhanced due diligence  
measures, referred to in the above paragraph 1, aim notably to analyse the robustness  
of the AML/CFT control framework of this intermediary.”  
(…)19  
(CSSF Regulation No 20-05)  
“Subsection 2 Overall risk related to the activity”  
Article 4  
“(1) The identification, assessment and understanding of risks by the  
professional, as provided for in Article 2-2 of the Law, shall allow it to determine which  
due diligence measures shall be applied to the business relationship based on the  
materiality of the risk.  
To this end, the professional shall incorporate different sources in its risk  
management procedures, including:  
- supranational report of the European Commission on the risks of money
laundering and terrorist financing (“Supranational Risk Assessment”);
- national assessment of the risks of money laundering and terrorist financing
(“National Risk Assessment”);
- sub-sectoral ML/TF risk assessments (“Sub-Sector Risk Assessments”);
- joint guidelines issued by the three European Supervisory Authorities (ESMA, EBA
and EIOPA) (hereinafter referred to as the “European Supervisory Authorities”) on
money laundering and terrorist financing risk factors (“Risk Factor Joint
Guidelines”);
- the relating CSSF publications.
(2) The professionals shall have communication means allowing them to  
provide information on their risk assessment to the CSSF.  
(3) The professionals shall be organised so as to be able to correctly and  
exhaustively fill in annually the CSSF questionnaire on the collection of information  
regarding risks of money laundering and terrorist financing and to submit it to the  
CSSF within the time limits via the channel it determines.  
Footnote 19: CSSF Regulation No 20-05
(4) The determination by the professional of its “risk-based approach” shall be  
based on the definition of the ML/TF risk appetite, as approved by the Board of  
Directors and implemented by the authorised management. The strategy shall be  
consistent with this approach. Policies, procedures and controls with respect to  
AML/CFT implemented within the professional shall be consistent with the previously  
defined risk appetite. This definition and strategy shall be communicated in a precise,  
clear and comprehensible form to the whole staff.”20  
(CSSF Regulation No 20-05)  
“Subsection 3 Individual risk related to the business relationship”  
“Article 5  
(1) For the purposes of Article 3(2a) of the Law, the professionals shall  
categorise all their customers according to the different risk levels with regard to  
money laundering and terrorist financing. These risks shall be subject to an  
identification and assessment based on the understanding by the professional of the  
nature and type of its business relationships as well as to a periodic review.  
Besides the cases where the risk level shall be considered as high pursuant to  
the Law, the Grand-ducal Regulation or this regulation, this level shall be assessed  
according to a consistent combination of risk factors defined by each professional  
according to the activity exercised and inherent to the following risk categories:  
- type of customers (including the customer, proxy, beneficial owner);
- countries and geographic areas;
- products, services and transactions, or
- delivery channels.
(2) In order to determine whether it finds itself in a situation which presents  
a higher risk, and except cases explicitly provided for in Article 3-2 of the Law or its  
implementing measures, the professional shall rely on the non-exhaustive list of  
factors and types of evidence of risk laid down in Annex IV of the Law. As this list  
under Annex IV of the Law is a de minimis list of situations with potentially higher  
risks, the professional shall also take into account all the other risk factors it deems  
relevant in order to determine whether a business relationship requires the application  
of enhanced due diligence measures.  
Footnote 20: CSSF Regulation No 20-05
In order to determine if it finds itself in a situation which presents a lower risk,  
the professional shall rely on the non-exhaustive list of factors and types of evidence  
of risk laid down in Annex III of the Law. The list under Annex III of the Law is a de  
minimis list. The professional may also take into account other lower risk factors it  
deems relevant before determining whether the business relationship may be  
considered for the application of simplified due diligence measures. The application of  
simplified due diligence measures must be justifiable and demonstrable to the  
Luxembourg authorities responsible for AML/CFT.  
(3) The assessment of the risk level shall not allow derogating from the  
application of enhanced due diligence measures in the cases laid down in the Law, the  
Grand-ducal Regulation or this regulation.”21  
(4) The assessment of the risk level to be assigned to a customer shall take  
place before the customer is accepted by the professional. During the monitoring of  
the business relationship, the professional shall keep account of the development of  
the risks and adapt its assessment according to any significant change affecting them  
or any new risk.  
(5) The professionals shall have appropriate arrangements to communicate  
the information on their risk assessment to the CSSF.  
Section 2 Risk management and mitigation  
Article 6  
(1) The professionals shall have policies, controls and procedures that enable  
them to effectively manage and mitigate their money laundering and terrorist  
financing risks. “These policies shall be approved by the professional’s Board of  
Directors. The relevant procedures shall be approved by the authorised management  
or by the Board of Directors for investment funds subject to the supervision of the  
CSSF.”22  
Footnotes 21 and 22: CSSF Regulation No 20-05
(2) In accordance with “Article 3(2a) of the Law”23, the professionals shall set  
the extent of the due diligence measures laid down in Article 3(2) of the Law according  
to the risk level assigned to each customer pursuant to Section 1 of this chapter.  
Where enhanced due diligence measures are required pursuant to the Law, (…)24 the  
Grand-ducal Regulation “or this regulation”25, all such measures shall be applied  
although the extent of such measures may vary according to the specific level of risk  
set by the professional.  
(3) The adaptation of the extent of due diligence measures to the risk level  
shall take place during the identification and identity verification period within the  
meaning of points (a) to (c) “of the first subparagraph” of Article 3(2)26 of the Law and  
shall “be adapted afterwards”27 in the framework of the ongoing monitoring within the  
meaning of point (d) “of the first subparagraph”28 of Article 3(2) of the Law.  
Article 7  
(1) For the purposes of applying Articles 3-1 and 3-3“, Annex III”29 of the Law  
and Articles 4 and 5 of this regulation, it is for each professional to assess if a Member  
State or a third country imposes obligations which are equivalent to those laid down  
in the Law or Directive “(EU) 2015/849”30. The reasons for concluding that a Member  
State or a third country imposes equivalent obligations shall be documented when the  
decision is taken and shall be based on relevant and up-to-date information. The  
obligations imposed by a Member State shall be considered equivalent, except where  
relevant information points to the fact that this assumption cannot be upheld. The  
conclusion that these obligations are equivalent shall be regularly reviewed, in  
particular when new relevant information about the country concerned is available.  
Footnotes 23 to 30: CSSF Regulation No 20-05
(2) The conclusion that a Member State or a third country imposes obligations  
which are equivalent to those laid down in the Law or Directive “(EU) 2015/849”31 does  
not relieve the professional from carrying out a risk assessment pursuant to this  
chapter when accepting the customer and from the obligation to apply enhanced due  
diligence measures in situations which present a high risk of money laundering or  
terrorist financing.  
Chapter 4 Customer due diligence  
Section 1 Acceptance of a new customer  
Article 8  
The professionals shall decide on and put in place a customer acceptance policy  
which is adapted to the activities they carry out, so that the entry into business  
relationship with customers may be submitted to a prior risk “identification,”32  
assessment “and understanding”33 as provided for in Chapter 3, Section 1 of this  
regulation.  
Article 9  
“(1)”34 Without prejudice to the obligations laid down in Article 3-2 “(2),”35 (3)  
and (4) of the Law and in Article 3 “(1),”36 (3) and (4) of the Grand-ducal Regulation  
“and this regulation”37, the acceptance of a new customer shall be submitted to a  
superior or to a specifically appointed professional body for written authorisation by  
providing for an adequate hierarchical decision-making level and, where appropriate,  
“for customers with a high-risk profile, at least the systematic intervention”38 (…)39 of  
the (…)40 compliance officer (…)41.  
Footnotes 31 to 41: CSSF Regulation No 20-05
(CSSF Regulation No 20-05)  
“(2) The acceptance of a new customer with a low ML/TF risk profile, according  
to the risk-based approach as implemented by the professional, may be carried out  
based on an automated acceptance process which does not require the intervention of  
a natural person for the professional, so as to constitute an efficient and reliable  
alternative to the validation by a natural person of the professional. This process shall  
be configured and tested beforehand and regularly reviewed by the professional so as  
to analyse the robustness of the process. This process shall be in line with the AML/CFT  
policies and procedures of the professional and with the instructions to be issued by  
the CSSF.”  
Article 10  
(1) The (…)42 customer acceptance policy shall include a specific examination  
“and acceptance procedure”43 for (…)44 the customers likely to represent a high risk  
level of money laundering or terrorist financing.  
(2) The acceptance of a customer who seeks to open a numbered account as  
referred to in Article 5 of the Grand-ducal Regulation is subject to the production of  
evidence by the customer demonstrating the necessity of such an account. This  
evidence shall be documented in writing “and the opening of such an account shall be  
submitted for written authorisation at least to the person responsible for compliance.  
The opening of an account, passbook or safe-deposit box which is anonymous or under  
a fictitious name is prohibited.”45  
(CSSF Regulation No 20-05)  
“(3) The opening of a safe-deposit box is considered as a business relationship  
and as such, the professional shall conduct all the related due diligence measures.”  
Article 11  
(1) The customer acceptance policy shall require the documentation of all  
contact, no matter in which form, and shall notably envisage a customer questionnaire  
adapted to the nature of the contact and the business relationship.  
Footnotes 42 to 45: CSSF Regulation No 20-05
(2) The customer acceptance policy shall also provide for procedures to be  
followed when there is suspicion of or “when there are reasonable grounds to  
suspect”46 money laundering“, an associated predicate offence”47 or terrorist financing  
in case contact with a possible customer fails. The reasons for a customer or  
professional to refuse to enter into a business relationship or to execute a transaction  
shall be documented “and retained in accordance with the arrangements provided for  
in Article 25 of this regulation”48, even if the professional's refusal does not ensue from  
the observation of a money laundering or terrorist financing indication.  
Section 2 Timing of identification and verification of the identity  
Subsection 1 Opening an account before “or during”49 the completion of the  
measures for the verification of the identity  
Article 12  
“In accordance with the third subparagraph of Article 3(4) of the Law which  
derogates from the first subparagraph of Article 3(4) of the Law and without prejudice  
to the first subparagraph of Article 3(2a) of the Law, the professionals may enter into  
a business relationship, open a customer account or carry out a transaction for an  
occasional customer before or during the verification of the identity of the customer  
and beneficial owner pursuant to points (a) and (b) of the first subparagraph and to  
the second subparagraph of Article 3(2) of the Law, provided that the following  
conditions are fulfilled:”50  
- the money laundering and terrorist financing risk is low “and efficiently managed”51;  
- “it is necessary not to interrupt the normal conduct of business;”52  
- the verification of the identity is carried out at the earliest opportunity after the first  
contact with the customer. The impossibility to verify the identity of the “customer  
and beneficial owner”53 within the timeframe set by the internal rules shall be subject  
to an internal report which will be transmitted to the (…)54 compliance officer for the  
required purposes;  
Footnotes 46 to 54: CSSF Regulation No 20-05
- sufficient measures shall be put in place so that no exit of assets from the account  
can be carried out before completing this verification.  
Subsection 2 Opening an account for a company in the process of incorporation  
Article 13  
The professionals may open an account for a company in the process of  
incorporation, insofar as the following conditions are met:  
- the professionals shall identify and verify the identity of the company's founders  
pursuant to “the first and second subparagraphs of”55 Article 3(2) of the Law. They  
shall receive a declaration from the founders stating that they act, either for their  
own account or for the account of beneficial owners which they name, and where  
appropriate, the professionals shall take measures to identify and verify the identity  
of the beneficial owners pursuant to point (b) “of the first subparagraph and to the  
second subparagraph”56 of Article 3(2) of the Law;  
- at the earliest opportunity after the incorporation of the company, the professionals  
shall complete the measures for the identification and verification of the company’s  
identity through information and documents referred to in Articles 16(2) and 19 of  
this regulation as well as, where applicable, of the beneficial owners pursuant to  
Articles 21 to 23 of this regulation. The impossibility to verify the identity of the  
“founders, of the company and of the beneficial owners”57 within the timeframe set  
by the internal rules shall be subject to an internal report which will be transmitted  
to the (…)58 compliance officer for the required purposes;  
- sufficient measures shall be put in place so that no exit of assets from the account  
can be carried out before completing this verification.  
Footnotes 55 to 58: CSSF Regulation No 20-05
Subsection 3 Occasional transactions carried out  
Article 14  
(1) “When”59 an occasional transaction of an amount higher than or equal to  
EUR 15,000 within the meaning of Article 3(1)(b)“(i)”60 of the Law “is carried out, the
professional”61 shall apply the measures for the identification and verification of the  
identity required pursuant to “the first and second subparagraphs of”62 Article 3(2) of  
the Law before the transaction is carried out and according to the same arrangements  
as during the establishment of a business relationship.  
(2) Where a transaction within the meaning of Article 3(1)(b)“(i)”63 of the Law  
is carried out in several operations, the professional shall apply the due diligence  
measures at the latest when it acknowledges that the total volume of the operations  
reached the threshold referred to in paragraph 1 above. The professionals shall have  
procedures or systems allowing them to detect that this threshold was reached, where  
appropriate.  
Subsection 4 “Transfers of funds within the meaning of Regulation (EU)  
2015/847”64  
“Article 15  
(1) Pursuant to Regulation (EU) 2015/847, Article 39(2) of the Law of 5 April  
1993 on the financial sector and Article 3(1)(b)(ii) of the Law, where the professional  
carries out an occasional transaction in the form of a transfer of funds within the  
meaning of point (9) of Article 3 of Regulation (EU) 2015/847, it shall apply the  
identification measures required by point (a) of the first subparagraph of Article 3(2)  
of the Law before placing an order for the transfer of funds, according to the same  
arrangements as for customers in business relationship. It shall make sure that the  
transfer of funds comes with information on the payer and on the payee pursuant to  
Articles 4 to 6 of Regulation (EU) 2015/847.  
In accordance with Article 4(4) of Regulation (EU) 2015/847, prior to the  
transfer of funds, the payment service provider of the payer shall verify the accuracy  
of the information on the payer for the transfers of funds within the European Union  
exceeding EUR 1,000.  
Footnotes 59 to 64: CSSF Regulation No 20-05
(2) In the framework of the detection of missing or incomplete information on  
the payer or the payee as referred to in Article 7 of Regulation (EU) 2015/847, where  
the transfer of funds within the European Union exceeds EUR 1,000, the payment  
service provider of the payee shall, before crediting the payee's payment account or  
making the funds available to the payee, verify the accuracy of the information on the  
payee.  
Where the payment service provider of the payee detects missing or  
incomplete information on the payer or payee, it shall, according to its risk  
assessment, either reject the transfer of funds or ask the payment service provider of  
the payer for the missing information. To this end, the payment service provider of  
the payer shall, within three working days of receiving a request for information from  
the payment service provider of the payee or from the intermediary payment service  
provider, make available the information referred to in points (a) and (b) of Article  
5(2) of Regulation (EU) 2015/847.  
In case of transfers of funds where the payment service provider of the payee  
is established outside the European Union and notwithstanding the paragraph 3 below,  
the payment service provider of the payer need not verify the information on the payer  
for transfers of funds which do not exceed EUR 1,000.  
(3) In accordance with Article 5(3) and the last subparagraph of Article 6(2)  
of Regulation (EU) 2015/847, measures to identify and verify the identity of the payer  
shall apply to the payment service provider of the payer where it has received funds  
to be transferred in cash or in anonymous electronic money or where it has reasonable  
grounds for suspecting money laundering or terrorist financing, irrespective of any  
threshold.  
(4) In accordance with Article 7(4) of Regulation (EU) 2015/847, the measures  
to identify and verify the correctness of the information on the payee shall apply to  
the payment service provider of the payee where it effects the pay-out of the funds in  
cash or in anonymous electronic money or where there are reasonable grounds for  
suspecting money laundering or terrorist financing, irrespective of any threshold.  
(5) The professional which provides services of transfer of funds or values shall  
comply with all the obligations applicable with respect to wire transfers in countries in  
which it operates, directly or through agents. In the case this professional controls  
both the ordering and beneficiary side of a wire transfer, it shall take into account all  
the information from both the ordering and beneficiary sides in order to decide whether  
it is confronted with a suspicious transaction requiring a suspicious transaction report.  
(6) The professionals shall apply the joint guidelines of the European  
Supervisory Authorities adopted pursuant to Article 25 of Regulation (EU) 2015/847  
on the measures that the payment service providers shall take to detect missing or  
incomplete information on the payer or the payee, as well as the procedures to be put  
in place to manage a transfer of funds which is not accompanied by the required  
information as communicated via a CSSF circular.”65  
Section 3 “Standard”66 measures for the identification and verification of the identity of  
customers  
Subsection 1 Identification  
Article 16  
For the purposes of the identification of customers pursuant to point (a) “of  
the first subparagraph”67 “and to the second subparagraph”68 of Article 3(2) of the  
Law, the professionals shall gather and register at least the following information:  
1. as regards customers who are natural persons:  
- surname“(s)”69 and first name“(s)”70;  
- place and date of birth;  
- nationality“(ies)”71;  
- “full postal”72 address “of the customer’s main residence”73;  
- where appropriate, “the”74 official national identification number.  
2. as regards customers which are legal persons or legal arrangements:  
- denomination;  
- legal form;  
- address of the registered office “as well as”75, if different, “the”76 principal place of  
business;  
- where appropriate, “an”77 official national identification number;  
- “name of the”78 directors (dirigeants, members of the authorised management) (for  
the legal persons) and directors (administrateurs) or persons exercising similar  
positions (for the legal arrangements) “and involved in the business relationship with  
the professional”79;  
- provisions governing the power to bind the legal person or arrangement;  
- authorisation to enter into a relationship.  
Footnotes 65 to 74: CSSF Regulation No 20-05  
(CSSF Regulation No 20-05)  
“3. The information listed under point (1) above shall also be gathered and registered  
for initiators, promoters who launched an investment fund supervised by the CSSF  
and which will be the customer of the professional.”  
Article 17  
At the time of the customer identification and for the purposes of the  
obligations to identify and verify the beneficial owner laid down in Section 5 of this  
chapter, the professionals shall determine if the customers act for their own account  
or, where appropriate, for the account of other persons pursuant to “point (b) of the  
first subparagraph and to the second subparagraph of Article 3(2) of the Law”80. The  
customers shall sign an explicit declaration in that respect and commit to communicate  
any subsequent changes “of the beneficial ownership”81 without delay to the  
professional. “The professional shall ensure the credibility of this declaration.”82  
Footnotes 75 to 82: CSSF Regulation No 20-05  
Subsection 2 Verification of the identity  
Article 18  
(1) The verification of the identity, within the meaning of point (a) “of the first  
subparagraph”83 of Article 3(2) of the Law, of customers who are natural persons shall  
be made at least with one valid “authentic”84 official identification document issued by  
a public authority and which bears the customer’s signature and picture such as (…)85  
the customer's passport, his ID, (…)86 his residence permit“, his driving licence or any  
other similar document”87.  
(CSSF Regulation No 20-05)  
“Electronic identification means, including relevant trust services as set out in  
Regulation (EU) No 910/2014 or any other secure, remote or electronic, identification  
process regulated, recognised, approved or accepted by the relevant national  
authorities may be used by the professional to fulfil its due diligence obligation referred  
to in point (a) of the first subparagraph of Article 3(2) of the Law.”  
(2) According to their risk assessment “and without prejudice to other  
enhanced due diligence obligations”88, the professionals shall take additional  
verification measures such as, for example, the verification of the address indicated  
by the customer through the proof of address or by contacting the customer, among  
others, per registered letter with acknowledgement of receipt.  
Article 19  
(1) In accordance with point (a) “of the first subparagraph”89 of Article 3(2) of  
the Law (…)90, the verification of the identity of customers who are legal persons or  
other legal arrangements shall be made at least with the following documents of which  
a copy shall be kept“, where appropriate, in electronic (digital) form”91:  
- the last coordinated or up-to-date articles of incorporation (or an equivalent  
incorporation document);  
- a recent and up-to-date extract from the companies register (registre des sociétés)  
(or equivalent supporting evidence).  
Footnotes 83 to 91: CSSF Regulation No 20-05  
(2) According to their risk assessment “and without prejudice to other  
enhanced due diligence obligations”92, the professionals shall take additional  
verification measures, such as, for example:  
- an examination of the last management report and the last accounts, where  
appropriate certified by a réviseur d'entreprises agréé (approved statutory auditor);  
- the verification, after consulting the companies register or any other source of  
professional data, that the company was not or is not subject to a dissolution,  
deregistration, bankruptcy or liquidation;  
- the verification of the information collected from independent and reliable sources  
such as, among others, public and private databases;  
- a visit to the company, if possible, or contact with the company through, among  
others, registered letter with acknowledgement of receipt.  
Section 4 Measures for the identification and verification of the identity of “persons  
purporting to act on behalf of the customer”93  
Article 20  
(1) “Without prejudice to the enhanced due diligence obligations or, where  
applicable, to the application of simplified due diligence measures,”94 the identification  
and identity verification measures of “persons (natural or legal, including legal  
arrangements) purporting to act in the framework of the business relationship on  
behalf of the customer”95 in accordance with point (a) “of the first subparagraph” of  
Article 3(2) of the Law, (…)96 are subject to the provisions of Section 3 of this chapter.  
(2) Moreover, the professionals shall know the power of representation of the  
person“(s)”97 acting on behalf of the customer “in the framework of the business  
relationship with the professional”98 and verify his identity through evidencing  
documents of which they shall keep a copy“, where appropriate, in electronic (digital)  
form”99.  
Footnotes 92 to 99: CSSF Regulation No 20-05  
(3) The following are particularly referred to in this article:  
- legal representatives of customers who are unfit natural persons;  
- natural or legal persons authorised to act on behalf of customers pursuant to  
a mandate;  
- persons authorised to represent customers which are legal persons or legal  
arrangements in the relations with the professional.  
Section 5 Measures for the identification and verification of the identity of beneficial  
owners  
Article 21  
“Without prejudice to the enhanced due diligence obligations or, where  
applicable, to the application of simplified due diligence measures, the identification of  
beneficial owners under Article 1(7), under point (b) of the first subparagraph and  
under the second subparagraph of Article 3(2) of the Law concerns their surname(s),  
first name(s), nationality(ies), date and place of birth as well as the full postal address  
of the main residence. According to the professional’s assessment, it shall also include  
the official national identity number.”100  
Article 22  
(1) The verification of these data shall be made, notably using information  
obtained from customers, “central”101 registers “within the meaning of Articles 30(3)  
and 31(3a) of Directive (EU) 2015/849”102 or any other independent and reliable  
source available. “The sole use of the central registers as referred to above shall not  
constitute sufficient means to fulfil the due diligence obligations;”103 “thus,”104 the  
professional shall take all reasonable measures in order to ensure that the real identity  
of the beneficial owner is known. The reasonable nature of these measures shall be  
defined, notably according to the level of money laundering or terrorist financing risk  
that the professional considers to be linked to the customer profile or the nature of  
the business relationship or of the transaction contemplated by the customer.  
Footnotes 100 to 104: CSSF Regulation No 20-05  
(2) Where, despite these measures, the professional has a doubt as to the real  
identity of the beneficial owner, and, where it cannot remove this doubt, the  
professional shall refuse to enter into a business relationship or carry out the  
transaction contemplated by the customer and, (…)105 “where it knows, suspects or  
has reasonable grounds to suspect that money laundering, an associated predicate  
offence or terrorist financing is being or has been committed or attempted,”106 the  
professional shall make a report “in accordance with”107 Article 5(1) “and (1a)”108 of  
the Law and Article 8(2) of the Grand-ducal Regulation.  
(CSSF Regulation No 20-05)  
“(3) Article 21 and paragraphs 1 and 2 of Article 22 above shall also apply to  
beneficial owners of fiducies, trusts or similar legal arrangements but, in accordance  
with Article 3(2c) of the Law, the identification and verification may take place at the  
time of the payout or at the time of the exercise by the beneficiary of its vested rights.  
Where the professional is not able to identify the beneficiary of a trust, fiducie  
or similar legal arrangement and where the beneficiary is designated by characteristics  
or by class, the professional shall obtain sufficient information concerning the  
beneficiary to ensure that it will be able to establish its identity at the time of the  
payout or at the time of the exercise by the beneficiary of its vested rights.”  
Article 23  
“The beneficial owner, within the meaning of Article 1(7) of the Law, shall be  
any natural person who ultimately owns or controls the customer or any natural person  
on whose behalf a transaction or activity is being conducted.  
This may be the case even if the threshold of the participation or control as  
indicated in point (a)(i) of Article 1(7) of the Law is not met.”109  
Footnotes 105 to 109: CSSF Regulation No 20-05  
Section 6. “Assessing, understanding and”110 obtaining information on the purpose and  
intended nature of the business relationship  
Article 24  
The professionals' obligation to know their customer includes the obligation to  
gather, (…)111 register, “analyse and understand”112 at the time of the customer  
identification, “the”113 information about the origin of the customer's funds and the  
types of transaction for which the customer requests a business relationship, as well  
as any adequate information allowing the determination of the customer’s purpose of  
the business relationship in accordance with point (c) “of the first subparagraph”114 of  
Article 3(2) of the Law. This information shall allow the professional to carry out an  
efficient ongoing customer due diligence as referred to in Section 9 of this chapter.  
“Depending on the risk assessment, this obligation may include the obligation to obtain  
supporting evidence.”115  
Section 7 Obligation to retain documents and information  
Article 25  
(1) The obligation to retain documents“, data”116 and information “regarding  
business relationships”117 pursuant to point (a) “of the first subparagraph”118 “and to  
the third subparagraph”119 of Article 3(6) of the Law and Article 1(5) of the Grand-  
ducal Regulation, covers all documents“, data”120 and information obtained under the  
customer due diligence measures as required in points (a) to (d) “of the first  
subparagraph”121 of Article 3(2) of the Law, including the results of any performed  
analysis.  
Footnotes 110 to 121: CSSF Regulation No 20-05  
(2) The obligation to retain certain documents“, data”122 and information  
relating to (…)123 transactions, as defined in point (b) “of the first subparagraph”124 of  
Article 3(6) of the Law and Article 1(5) of the Grand-ducal Regulation, also includes  
the obligation to retain the written reports transmitted to the (…)125 compliance officer  
(…)126 in accordance with Articles 12, 13 and 39(4) of this regulation, as well as the  
analyses of the transactions and facts included in these reports that the (…)127  
compliance officer drew up and the decisions taken accordingly and the results of any  
other performed analysis.  
(3) The retention of the documents pursuant to Article 3(6) of the Law and  
Article 1(5) of the Grand-ducal Regulation may be carried out on any archiving  
medium, provided that the documents meet the conditions to be used as evidence in  
(…)128 an investigation“, criminal investigation”129 or analysis of money laundering or  
terrorist financing by the AML/CFT competent authorities.  
Section 8 “Enhanced and simplified customer due diligence obligations”130  
Subsection 1 Enhanced due diligence measures “and simplified due diligence  
measures”131  
Article 26  
Without prejudice to the cases where enhanced due diligence measures are  
specifically prescribed by the Law, (…)132 the Grand-ducal Regulation “or this  
regulation”133, examples of enhanced due diligence measures that could be applied for  
higher-risk business relationships“, according to the risk assessment carried out by  
the professional,”134 include:  
- obtaining additional information on the customer and updating more regularly  
the identification data of customer and beneficial owner;  
- obtaining additional information“/documents”135 on the intended nature of the  
business relationship “or on the source of funds involved and of wealth”136;  
- obtaining information (…)137 “and, where applicable, evidence on”138 the  
reasons for “and economic background of”139 the intended or performed  
transactions “and on the plausibility of these transactions”140;  
- obtaining the approval of the authorised management to commence or  
continue the business relationship;  
- requiring the first payment to be carried out through an account in the  
customer's name with a professional subject to similar customer due diligence  
standards;  
- verifying the additional information obtained by using independent and reliable  
sources;  
- receiving a visit from the customer/company or contacting the  
customer/company via registered letter with acknowledgement of receipt;  
- conducting enhanced monitoring of the business relationship, by increasing  
the number and timing of controls applied, and selecting patterns of  
transactions that need further examination.  
Footnotes 122 to 134: CSSF Regulation No 20-05  
(CSSF Regulation No 20-05)  
“Article 26a  
Simplified due diligence measures that professionals may apply to the business  
relationship in case of a justified low risk include, for example:  
- for customers subject to a compulsory authorisation or registration regime for  
AML/CFT purposes, the verification that the customer is subject to this regime  
by performing, for example, a search on the official website of the regulator  
and documenting the results of the search;  
- the presumption that a payment debited from an individual or joint account  
held in the name of a customer by a credit institution or financial institution  
regulated in a country member of the European Economic Area or a third  
country imposing equivalent AML/CFT obligations, fulfils the requirements  
provided for in points (a) of the first subparagraph of Article 3(2) of the Law;  
- the exceptional acceptance of other types of ID documents which meet the  
criteria of reliable and independent sources, for example a letter addressed to  
the customer by a governmental body or other reliable public body, where the  
customer cannot provide the usual identification documents and, insofar as  
there are no grounds for suspicion;  
- the update of the information on the customer due diligence measures only in  
case of certain trigger events, for example if the customer requests a new or  
riskier product or service or in the event of changes in the behaviour or  
transaction profile of the customer which seem to indicate that the risk  
associated with the relationship is no longer low;  
- for persons purporting to act on behalf of a customer as provided for in Article  
20 of this regulation and for initiators, promoters who launched an investment  
fund, obtaining information on the country of residence of these persons  
instead of asking for the full postal address;  
- for persons purporting to act on behalf of a customer as provided for in Article  
20 of this regulation, where a customer is a regulated credit or financial  
institution, instead of asking the complete identification of these persons,  
obtaining a letter confirming that the institution applied due diligence  
measures to these persons and that it carried out regular controls of these  
persons with respect to the applicable lists of restrictive measures in financial  
matters.”  
Footnotes 135 to 140: CSSF Regulation No 20-05  
Subsection 2 Remote entering into business relationships “without any other  
appropriate guarantees”141  
Article 27  
“Where the customer is not physically present or has not been met by or on  
behalf of the professional for identification purposes, the so-called “non face-to-face”  
relationship, and where the professional has not taken the necessary guarantees as  
indicated in point (2)(c) to Annex IV of the Law, specific measures shall be applied by  
the professional to compensate the potentially higher risk that this type of relation  
presents.”  
These measures may notably be:  
- measures ensuring that the customer's identity is established by additional  
identification documents, data or information;  
- additional measures ensuring the verification or certification of the provided  
documents by a public authority;  
- confirmatory certification by a credit institution or a financial institution subject  
to the Law or subject to equivalent professional obligations as regards the fight  
against money laundering and terrorist financing;  
- measures ensuring that the first payment of the transactions is carried out via  
an account opened in the customer’s name with a credit institution or a  
financial institution subject to the Law or subject to equivalent professional  
obligations as regards the fight against money laundering and terrorist  
financing.”142  
Footnote 141: CSSF Regulation No 20-05  
Subsection 3 Cross-border correspondent (…)143 relationships “and other similar  
relationships”144  
Article 28  
(1) The obligations laid down in points (a) and (b) of Article 3-2(3) of the Law  
and in the first two indents of Article 3(3) of the Grand-ducal Regulation include the  
obligation to gather information on:  
- the country of establishment of the respondent institution as well as the  
applicable legal and regulatory provisions “and effectiveness of the controls”  
relating to AML/CFT;  
- the applicable supervisory authority and regime;  
- the property and control structure of the respondent institution.  
(2) The analysis of the obtained information and the resulting decision shall  
be documented in writing and be available to the competent authorities. Moreover,  
the professional shall carry out:  
- a periodic review according to the risk, and, where applicable, an update of  
the information on which the decision to enter into a relationship was based;  
- a re-examination of this relationship, where information is obtained which is  
likely to weaken the trust in the AML/CFT mechanism of the respondent's  
country of establishment or in the efficiency of the AML/CFT controls set by  
the latter;  
- verifications and periodic assessments according to the risk so that the  
respondent institution ensures at all times the compliance with the subscribed  
commitments, notably with respect to the communication, without delay and  
upon request, of relevant identification data of customers with direct access to  
payable-through accounts opened for them.  
Footnotes 142 to 144: CSSF Regulation No 20-05  
(CSSF Regulation No 20-05)  
“(3) The cross-border correspondent services and other similar relationships  
may present different high risk levels which justify, based on an analysis by the  
professional, the application of enhanced due diligence measures with variable degree  
of intensity by the professional.  
(4) For the purposes of point (c) of Article 3-2(3) of the Law, “senior  
management”, as defined in Article 1(19) of the Law, shall mean at least the person  
responsible for compliance.”  
Article 29  
The "relationships similar" to cross-border correspondent (…)145 relationships  
as referred to in Article 3-2(3) of the Law include notably those established for  
securities transactions or fund transfers, whether on behalf of the cross-border  
professional as principal or of its customers.  
Subsection 4 Politically exposed persons  
Article 30  
“(1) The appropriate risk management systems (including the risk-based  
procedures) allowing the determination whether a customer or the person purporting  
to act on behalf of the customer or the beneficial owner is a politically exposed person  
as defined in Article 1(9) to (12) of the Law and required in point (a) of the first  
subparagraph of Article 3-2(4) of the Law shall include at least seeking relevant  
information from the customer, referring to publicly available information or having  
access to electronic databases of politically exposed persons. The identification of  
politically exposed persons during the business relationship shall be carried out at least  
every six months.  
(2) For the purposes of point (b) of Article 3-2(4) of the Law, “senior  
management”, as defined in Article 1(19) of the Law, shall mean at least the person  
responsible for compliance.”146  
Footnotes 145 to 146: CSSF Regulation No 20-05  
Subsection 5 “High-risk countries”147  
Article 31  
(1) “Pursuant to Article 3-2(2) of the Law and Article 3(1) of the Grand-ducal  
Regulation, the professionals shall give special attention and apply enhanced due  
diligence measures to business relationships and transactions involving customers,  
persons purporting to act on behalf of them or beneficial owners from high-risk  
countries within the meaning of Article 1(30) of the Law.”148  
(2) The professionals shall apply a specific procedure for the acceptance and  
monitoring of business relationships and transactions, referred to above, which  
requires enhanced due diligence measures which are efficient and proportionate to the  
risks as, among others:  
- systematic involvement of the (…)149 compliance officer in the customer  
acceptance procedure and written authorisation of the authorised  
management. “For the purposes of point (e) of Article 3-2(2) of the Law,  
“senior management”, as defined in Article 1(19) of the Law, shall mean at  
least the person responsible for compliance”150;  
- enhanced identification and verification of the identity including, in particular,  
the verification of the origin of the funds involved “and of wealth”151;  
- enhanced monitoring of the business relationship and transactions carried  
out“, notably by increasing the number and timing of controls applied, and  
selecting patterns of transactions that need further examination (irrespective  
of the fact that the transactions originate from or are destined to high-risk  
countries referred to in Article 3-2(2) of the Law) and, where appropriate,  
obtaining supporting evidence”152.  
(3) The professionals shall implement procedures and systems ensuring the  
application of specific measures“, including countermeasures”153 specified, where  
appropriate, by the CSSF in accordance with the third subparagraph of Article 3(1) of  
the Grand-ducal Regulation.  
Footnotes 147 to 153: CSSF Regulation No 20-05  
Section 9 Ongoing due diligence  
Subsection 1 (…)154 Complex and unusual transactions  
Article 32  
“(1)”155 With respect to the professionals' ongoing due diligence laid down in  
point (d) “of the first subparagraph”156 of Article 3(2) of the Law and Article 1(3) of  
the Grand-ducal Regulation, the professionals shall identify complex or unusual  
transactions as referred to in Article 3(7) of the Law and Article 1(3) of the Grand-  
ducal Regulation by taking into account, notably:  
- the importance of the incoming and outgoing assets and the volume of the  
amounts involved. The transactions which involve small amounts but which  
are unusually frequent are also concerned;  
- the differences compared to the nature, volume or frequency of the  
transactions usually carried out by the customer in the framework of the  
business relationship concerned or the existence of differences compared to  
the nature, volume or frequency of the transactions normally carried out in  
the framework of similar business relationships;  
- the differences compared to the declarations made by the customer during the  
acceptance procedure and which concern the purpose and nature of the  
business relationship, in particular, as regards the origin and destination of the  
funds involved.  
(CSSF Regulation No 20-05)  
“To this end, the professionals shall take into account the guidance published  
on this matter, particularly through CSSF circulars.”  
(CSSF Regulation No 20-05)  
“(2) Pursuant to the ongoing due diligence of the professionals laid down in  
point (d) of the first subparagraph of Article 3(2) of the Law, the professional shall  
analyse the economic background of the funds involved in the transactions presenting  
an ML/TF risk or which are complex transactions, of an unusually large amount or with  
an unusual pattern in the light of the risk profile of the customer and, where  
appropriate, of the beneficial owner within the meaning of Article 1(7) of the Law. In  
order to corroborate these transactions with respect to the customer’s profile or in  
order to remove any doubt concerning these transactions, appropriate measures shall  
be taken by the professional.”  
Footnotes 154 to 156: CSSF Regulation No 20-05  
Subsection 2 “States, persons, entities and groups subject to restrictive  
measures in financial matters”157  
Article 33  
(1) Ongoing due diligence referred to in point (d) “of the first subparagraph”158  
of Article 3(2) of the Law shall include “at least”159 the obligation to identify “without  
delay”160:  
- pursuant to Article 8(2) of the Grand-ducal Regulation and in accordance with  
the Law “implementing restrictive measures in financial matters, the  
States,”161 (…)162 persons, entities or groups involved in a transaction or  
business relationship subject to (…)163 restrictive measures in financial matters  
in the context of the fight against terrorist financing, including, notably, those  
implemented in Luxembourg via EU regulations directly applicable in national  
law or through the adoption“, among others,”164 of ministerial regulations; and  
- the “States,”165 persons, entities or groups involved in a transaction or  
business relationship subject to (…)166 restrictive measures in financial  
matters, including, notably, those implemented in Luxembourg via EU  
regulations directly applicable in national law “or, where appropriate, through  
the adoption of regulatory texts implementing them at national level”167.  
157 CSSF Regulation No 20-05
158 CSSF Regulation No 20-05
159 CSSF Regulation No 20-05
160 CSSF Regulation No 20-05
161 CSSF Regulation No 20-05
162 CSSF Regulation No 20-05
163 CSSF Regulation No 20-05
164 CSSF Regulation No 20-05
165 CSSF Regulation No 20-05
166 CSSF Regulation No 20-05
167 CSSF Regulation No 20-05
(2) Where persons, entities or groups referred to in this article are identified,  
and without prejudice to the obligations laid down in Article 5 of the Law and Article 8  
of the Grand-ducal Regulation, the professional shall apply“, without delay”168 the  
required restrictive measures and inform the authorities competent “for financial  
sanctions”169 (…)170. A copy of this communication shall be sent to the CSSF at the  
same time.  
(CSSF Regulation No 20-05)  
“(3) Following the adoption or update of the official lists as referred to in  
paragraph 1, the professional shall ensure that the internal system used for this control  
or made available by an external service provider which it uses for the purposes of  
this control is adapted without delay in order to be able to comply with the obligations  
under paragraphs 1 and 2 of this article.”  
Subsection 3 Activities requiring particular attention  
Article 34  
“(1)”171 In the framework of ongoing due diligence, the following activities,  
among others, require particular attention pursuant to Article 3(7) of the Law:  
- activities of customers whose acceptance was subject to a specific examination
  in accordance with the customer acceptance procedure referred to in Article
  10 of this regulation; (…)172
- “transfers of funds within the meaning of Regulation (EU) 2015/847 and the
  respective requirements specified in that regulation or in this regulation.”173
(CSSF Regulation No 20-05)  
“(2) In the framework of investment business, the professionals shall carry  
out an analysis of the ML/TF risk posed by the investment and take due diligence  
measures adapted to the risk assessed and documented. Such analyses shall be  
formalised. The risk analysis on investments shall be reviewed annually and when  
particular events require it.”  
168 CSSF Regulation No 20-05
169 CSSF Regulation No 20-05
170 CSSF Regulation No 20-05
171 CSSF Regulation No 20-05
172 CSSF Regulation No 20-05
173 CSSF Regulation No 20-05
Subsection 4 “Reviewing and”174 keeping information up to date  
Article 35  
(1) Ongoing due diligence includes the obligation to verify and, where  
appropriate, to update“, in accordance with the maximum time limit provided for by,  
and taking into account the appropriate times specified in, Article 1(4) of the Grand-  
ducal Regulation”175, within an appropriate timeframe to be set by the professional  
according to its risk assessment, the documents, data or information gathered while  
fulfilling the customer due diligence obligations, as specified in Chapter 4 of this  
regulation. “With respect to high-risk business relationships, the frequency of review  
shall be at least annual.”176  
“(2) Irrespective of the frequency of review of the business relationship, the  
professional shall verify at least once a year whether the conditions which allowed the  
application of simplified due diligence measures are still met. If there were no  
transactions during this period, the professional shall carry out this verification during  
the following reactivation of the business relationship.”177  
(CSSF Regulation No 20-05)  
“(3) During the review and update of the documents, data and information on  
the customers referred to above, the professional may take into account different  
sources of information, among others:  
- public data and information;  
- national ML/TF risk assessment report from the customer’s country;  
- mutual evaluation reports in relation to AML/CFT of the customer’s country;  
- other information obtained from reliable and independent sources.  
(4) Internal follow-up actions shall be adopted in the event the professional  
cannot meet the deadlines for the update of the documentation.”  
174 CSSF Regulation No 20-05
175 CSSF Regulation No 20-05
176 CSSF Regulation No 20-05
177 CSSF Regulation No 20-05
Section 10 Performance of due diligence by third parties  
Subsection 1 Third-party introducers  
Article 36  
“(1)”178 The intervention of a third-party introducer within the meaning of  
Article 3-3 “(1) to (4)”179 of the Law is subject to the following conditions:  
- prior to the introducer's intervention, the professional shall ensure that the
  former complies with the definition of third-party laid down in Article 3-3(1) of
  the Law (…)180. The documentation used to verify the quality of the third-party
  introducer shall be retained in compliance with the provisions of point (a) of
  Article 3(6) of the Law;
- first, the third-party introducer commits in writing to fulfil the obligations
  specified in “Article 3-3(2) of the Law”181, notwithstanding any confidentiality
  or professional secrecy rule applicable to the third-party introducer, where
  appropriate.
(CSSF Regulation No 20-05)  
“(2) The responsibility as regards its professional obligations laid down in the  
applicable legal framework, including those of this regulation shall continue to lie with  
the professional using the third-party introducer.”  
Subsection 2 Outsourcing “and agency relationship”182  
Article 37  
(1) The contract between the professional and the third-party “delegate”183 in  
the context of outsourcing or agency relationships as referred to in Article 3-3(5) of  
the Law shall at least include:  
- a detailed description of the due diligence measures and procedures to be
  implemented in accordance with the Law (…)184 and this regulation and, in
  particular, of the information and documents to be requested and verified by
  the third-party delegate “(service provider in case of outsourcing or agent in
  case of an agency relationship)”185;
- the conditions regarding the transmission of information to the professional,
  including, notably, to make available immediately, regardless of confidentiality
  or professional secrecy rules or any other obstacle, the information gathered
  while fulfilling the customer due diligence obligations and the transmission,
  upon request and without delay, of a copy of the original supporting evidence
  received in this respect.

178 CSSF Regulation No 20-05
179 CSSF Regulation No 20-05
180 CSSF Regulation No 20-05
181 CSSF Regulation No 20-05
182 CSSF Regulation No 20-05
183 CSSF Regulation No 20-05
184 CSSF Regulation No 20-05

“(2) The policies relating to outsourcing and agency relationship as well as the  
internal procedures of the professional wishing to use third-party delegates shall  
notably include detailed provisions on the process for the selection and evaluation of  
third-party delegates, including of subcontractors at different levels in case of sub-  
outsourcing. In particular, the professional shall ensure that the service provider has  
the necessary resources to carry out all the outsourced functions (outsourced process,  
service or activity).  
The professionals shall carry out a regular control of compliance by the third-  
party delegate with the commitments arising from the contract. In accordance with  
the risk-based approach, the regular control shall ensure that the professional is  
provided with means to test (for example, through sampling) and monitor regularly  
and occasionally (for example, by carrying out on-site visits) compliance with the  
obligations incumbent upon the third-party delegate. As regards its customers’ data,  
the professional and the CSSF shall have access rights to the systems/databases of  
the third-party delegate.”186  
(CSSF Regulation No 20-05)  
“(2a) A risk assessment with respect to the outsourced functions and, where  
appropriate, the outsourcing chain shall be carried out prior to the conclusion of the  
outsourcing contract. In particular, any IFM shall implement due diligence measures  
regarding notably registrar agents and transfer agents, portfolio managers to which it  
outsources the management and investment advisers in accordance with a risk-based  
approach.”  
(3) The responsibility as regards compliance with the provisions of the Law,  
the Grand-ducal Regulation and this regulation remains (…)187 with the professional  
using the third-party delegate “and, where applicable, the third-party sub-delegate”188.  
185 CSSF Regulation No 20-05
186 CSSF Regulation No 20-05
187 CSSF Regulation No 20-05
188 CSSF Regulation No 20-05
(CSSF Regulation No 20-05)  
“(4) In the framework of the outsourcing of AML/CFT functions, the rights and  
obligations of the professional and service provider as well as their roles,  
responsibilities and duties shall be clearly listed, distributed and defined in the  
outsourcing contract.  
In particular, where the service provider is a registrar and transfer agent which  
acts on behalf of the investment fund, the Board of Directors of the fund (or equivalent)  
and/or the IFM which outsource(s) some tasks to the registrar and transfer agent shall  
remain liable. Thus, the Board of Directors of the fund (or equivalent) and the IFM  
shall ensure that the relating contracts include detailed clauses specifying the roles  
and responsibilities of each party. They shall also ensure that the contract allows them  
to have access to any information necessary for the performance of their function and  
to carry out an ongoing and formalised supervision of the service providers. The fact  
that a registrar and transfer agent is considered, pursuant to the outsourcing contract,  
as part of the investment fund and/or IFM does not exempt it from its own AML/CFT  
obligations.  
(5) The professionals using third-party delegates and third-party sub-  
delegates shall ensure that the legal and regulatory provisions applicable in  
Luxembourg and relating to professional secrecy and personal data protection are  
complied with.  
(6) The CSSF may specify the above conditions via a circular.”  
Chapter 5 Adequate internal management requirements  
Section 1 AML/CFT “policies and procedures”189  
Article 38  
(1) The internal management procedures, policies and measures as referred  
to in Article 4(1) “and in Article 4-1”190 of the Law and Article 7(1) of the Grand-ducal  
Regulation shall take into account the specificities of the professional such as, among  
others, its activity, structure, size, organisation and resources.  
(2) The professional's AML/CFT “policies and procedures”191 shall cover all the  
professional obligations and, where appropriate, include the following, among others:  
189 CSSF Regulation No 20-05
190 CSSF Regulation No 20-05
191 CSSF Regulation No 20-05
“1.”192 the customer acceptance policy as laid down in Chapter 4, Section 1 of this
regulation;  
“2.” the detailed procedures as regards the identification, assessment, supervision,  
management and mitigation of money laundering or terrorist financing risks as  
laid down in Chapter 3 of this regulation. These procedures shall allow  
monitoring the development of the identified risks, reassessing them on a  
regular basis and identifying any significant change affecting them or any new  
risk;  
“3.” the specific risk management mechanisms relating to business relationships or  
transactions not requiring the physical presence of the parties “and without  
further guarantees being in place as referred to in Article 27 of this  
regulation”193;
“4.” the measures designed to prevent the misuse of the products or the execution  
of transactions that might favour anonymity pursuant to Article 3-2(6) of the  
Law, in particular, as regards new technologies;  
“5.” the procedures to be followed in case of a request to enter into a business  
relationship or to execute an occasional transaction for a person whose normal  
activity implies the holding of third-party funds with a professional or the  
opening of a group account;  
“6.” the procedure for accepting and monitoring business relationships referred to in  
Chapter 4, Section 8 of this regulation;  
“7.” the procedures to be followed when using a third-party introducer within the  
meaning of Article 3-3 of the Law;  
“8.” the procedures to be followed when using third-party “delegates”194 intervening  
in the context of an outsourcing “or agency”195 contract as referred to in Article  
37 of this regulation;  
“9.” the procedures to observe in order to monitor the development of business  
relationships as well as transactions executed for customers, notably to detect  
suspicious transactions;  
192 CSSF Regulation No 20-05, point (2)(b): “Each indent before each item shall be replaced by a number […]”
193 CSSF Regulation No 20-05
194 CSSF Regulation No 20-05
195 CSSF Regulation No 20-05
“10.” the procedures to be followed in case of suspicion or “reasonable grounds for  
suspicion”196 of money laundering“, an associated predicate offence”197 or  
terrorist financing;  
“11.” the procedures to be followed in case an account is opened “during or”198 before  
the measures to verify the customer's and, where applicable, the beneficial  
owner's identity have been completed pursuant to (…)199 Article 3(4) of the Law;  
“12.” the procedures to be followed for opening numbered accounts under the second  
subparagraph of Article 5 of the Grand-ducal Regulation. These procedures,  
applicable to all numbered accounts opened with the professional, including  
those opened before the entry into force of the Grand-ducal Regulation, shall  
ensure strict compliance with the professional obligations during the customer  
acceptance procedure as well as the monitoring of the business relationships.  
These procedures shall require that the customer's identity is known by all the  
persons within the professional who must know the identity in order to  
effectively carry out due diligence;  
“13.” the procedures to be followed in order to fulfil the obligations of Regulation “(EU)  
2015/847”200;
“14.” “the policy for the selection of staff which guarantees the hiring of employees  
according to stringent criteria,”201 a training and awareness-raising programme  
as laid down in Section 5 of this chapter;  
“15.” the accurate definition of the respective responsibilities of the various AML/CFT  
functions of the personnel “as well as the procedure for the appointment of the  
compliance officer and the person responsible for compliance”202.  
(CSSF Regulation No 20-05)  
“16. the procedure allowing the internal report of breaches of the AML/CFT  
professional obligations through a specific, independent and anonymous channel  
as referred to in Article 4(4) of the Law;  
17. the procedures with respect to financial restrictive measures;
196 CSSF Regulation No 20-05
197 CSSF Regulation No 20-05
198 CSSF Regulation No 20-05
199 CSSF Regulation No 20-05
200 CSSF Regulation No 20-05
201 CSSF Regulation No 20-05
202 CSSF Regulation No 20-05
18. the procedures to be followed in case of identification of the beneficiary of
fiducies, trusts or similar legal arrangements at the time of the payout or at the  
time of the exercise by the beneficiary of its vested rights pursuant to Article  
3(2c) of the Law.”  
“(3) In order to comply with Article 2(2) of the Law, Article 4-1(1) of the Law  
and Article 4 of the Grand-ducal Regulation and subject to other applicable laws and  
regulations, including Commission Delegated Regulation (EU) 2019/758 of 31 January  
2019 supplementing Directive (EU) 2015/849 of the European Parliament and of the  
Council with regard to regulatory technical standards for the minimum action and the  
type of additional measures credit and financial institutions must take to mitigate  
money laundering and terrorist financing risk in certain third countries (“Delegated  
Regulation (EU) 2019/758”), the professionals shall coordinate their AML/CFT policy  
and procedures as well as their group-wide implementation with their branches and  
majority-owned subsidiaries abroad. Where a foreign country’s law does not permit  
the implementation of the group-wide policies, the professionals shall take additional  
measures and ensure that their branches and majority-owned subsidiaries in that  
country apply additional measures to effectively handle the risk of money laundering  
and terrorist financing. To this end, the professionals shall take into account the  
provisions laid down in Delegated Regulation (EU) 2019/758 and any other regulation  
issued to this end.  
In particular, they shall establish procedures for the communication to the  
CSSF in case the application of certain measures is prohibited or restricted and shall  
observe the communication deadlines set in this regulation.  
For the purposes of Delegated Regulation (EU) 2019/758, “senior  
management” shall mean at least the person responsible for compliance.”203  
(4) “The AML/CFT policy shall be subject to validation by the Board of  
Directors. The AML/CFT procedures shall be subject to validation by the authorised  
management or, for investment funds supervised by the CSSF by the Board of  
Directors, and a regular review by the compliance officer and the internal audit function  
in order to assess whether the procedures remain adapted to the activities, customers  
and to the AML/CFT standards and measures.”204  
(CSSF Regulation No 20-05)  
“(5) The professionals shall implement procedures and systems ensuring the  
application of particular measures relating to:  
- arrangements for the control of AML/CFT compliance;
- an independent audit function to test the internal control system;
- the policy regarding the definition of ML/TF risk appetite;
- the policy for sharing information at group level.”

203 CSSF Regulation No 20-05
204 CSSF Regulation No 20-05
Section 2 Systems for the supervision of business relationships and transactions  
Article 39  
(1) Professionals shall have procedures and implement control mechanisms  
that allow them, when accepting customers or monitoring the business relationships,  
to identify, among others:  
- the persons as referred to in Articles 30, 31 and 33 of this regulation;
- the funds coming from or going to “States,”205 persons, entities or groups as
  referred to in Article 33 of this regulation, or countries as referred to in Article
  31 of this regulation;
- the complex or unusual transactions as referred to in Article 32 of this
  regulation;
- “a transfer of funds with missing or incomplete information within the meaning
  of Regulation (EU) 2015/847 as referred to notably, in Article 15 of this
  regulation”206.
(CSSF Regulation No 20-05)  
“(1a) For the purposes of Article 33 of this regulation, the professional also  
has the obligation to identify the States, persons, entities and groups subject to  
restrictive measures in financial matters with respect to the assets it manages and to  
ensure that the funds will not be made available to these States, persons, entities or  
groups.”  
205 CSSF Regulation No 20-05
206 CSSF Regulation No 20-05
(2) “The implementation of a complete and up-to-date “customer” database  
shall be an integral part of this supervisory system. Where a natural person of the  
professional performs the encoding, this work shall be subject to a 4-eyes principle.”207  
This supervisory system shall include all the accounts of customers and their  
transactions and shall apply to customers, “persons purporting to act on behalf of the  
customer, initiators”208 and beneficial owners as well as, as regards the supervision of  
transfers of funds, to the payer of an incoming transfer “of funds”209 and the recipient  
of a transfer “of funds”210 going out of the customer's account. The system shall take  
into account the risks identified by the professional and which impact it according, in  
particular, to the characteristics of its activity and customers. The system shall be  
automated, except when the professional can prove that the volume and nature of the  
customers and the transactions to be supervised do not require such automation.  
(3) The identification researches carried out using this supervisory system  
shall be duly documented, including in cases where there are no positive results.  
(4) The identified transactions or persons, as well as the criteria which led to  
the identification, shall be subject to written reports. These reports shall be  
transmitted to the (…)211 compliance officer for the required purposes, in particular,  
for compliance with Article 5 of the Law. The professional shall specify in writing the  
procedure relating to the transmission of written reports to the (…)212 compliance  
officer and the required transmission deadlines.  
(5) The supervisory system shall allow the professional to take rapidly and,  
where appropriate, automatically the required measures where a suspicious activity or  
transaction is identified. The (…)213 compliance officer shall be solely competent to  
decide on the application and scope of these measures and their termination, where  
appropriate, in consultation with the management “and the person responsible for  
compliance”214.
207 CSSF Regulation No 20-05
208 CSSF Regulation No 20-05
209 CSSF Regulation No 20-05
210 CSSF Regulation No 20-05
211 CSSF Regulation No 20-05
212 CSSF Regulation No 20-05
213 CSSF Regulation No 20-05
214 CSSF Regulation No 20-05
(6) The supervisory system shall be subject to initial validation “at least by the  
person responsible for compliance”215 and regular control by the (…)216 compliance  
officer in order to adapt this system, where necessary, to the development of the  
activities, the customers and the AML/CFT standards and measures.  
(CSSF Regulation No 20-05)  
“(7) The adequate and effective supervisory system shall be part of a sound  
governance and internal management with respect to AML/CFT as laid down in Article  
4 of the Law. This governance and internal management system with respect to  
AML/CFT shall follow the three lines of defence:  
- the first line of defence shall be composed of operational units (persons in
  charge of the execution of business), which is, in principle, in direct contact
  with the customers and which shall have a good understanding of ML/TF risks;
- the second line of defence shall be composed of the compliance officer,
  including other support, control and compliance functions involved in AML/CFT.
  The role of the second line of defence includes providing support, verifying the
  controls carried out by the first line of defence and contributing to the
  independent risk control. The involvement of the second line of defence shall
  increase according to the level of risk attributed to a customer;
- the third line of defence shall be composed of the internal audit function which
  assesses independently the first two lines of defence and which verifies also
  the effectiveness of the implemented AML/CFT policies, procedures and
  programmes.”
Section 3 “Person responsible for compliance with the AML/CFT professional obligations  
and compliance officer in charge of the AML/CFT professional obligations”217  
Article 40  
(1) “Pursuant to the fourth subparagraph of Article 4(1) of the Law, the  
professionals shall appoint a person responsible for compliance with the AML/CFT  
professional obligations at the level of the authorised management or Board of  
Directors according to the arrangements specified in Article 1 of this regulation.  
Pursuant to point (a) of the second subparagraph of Article 4(1) of the Law,  
the professionals shall appoint a compliance officer in charge of the control of  
compliance with the AML/CFT professional obligations.  
215 CSSF Regulation No 20-05
216 CSSF Regulation No 20-05
217 CSSF Regulation No 20-05
The IFMs and investment funds subject to AML/CFT supervision by the CSSF  
may appoint a third party.  
In this context, the professional shall take into account the guidance published  
by the CSSF, notably via circulars or frequently asked questions.”218  
(2) “The names”219 of the person responsible for compliance and the (…)220  
compliance officer appointed in accordance with the above paragraph 1 as well as “any  
information prior to”221 changes regarding “these functions”222 shall be communicated  
to the CSSF.  
(3) “The compliance officer and the person responsible for compliance”223 shall  
have the professional experience, knowledge of the Luxembourg legal and regulatory  
framework relating to AML/CFT, the hierarchy and powers within the entity (including  
the power to access on a timely basis the identification data of customers and other  
information and documentation required by the due diligence measures), as well as  
the availability necessary to the effective and autonomous exercise of their functions.  
Article 41  
Without prejudice to his responsibility, the “compliance officer may delegate  
the exercise of his function to one or more employees connected to”224 the  
professional, provided that the latter fulfil the criteria of Article 40(3) of this regulation.  
Article 42  
“(1) The compliance officer shall apply the AML/CFT policy and procedures of  
the professional and shall have the power to propose to the authorised management,  
on his own initiative, any measure necessary or useful to this end, including the release  
of required means.  
(1a) The compliance officer shall ensure the quality of the AML/CFT controls  
carried out by the first line of defence and, as the second line of defence, he shall  
verify compliance by the professional with all the AML/CFT professional obligations.  
218 CSSF Regulation No 20-05
219 CSSF Regulation No 20-05
220 CSSF Regulation No 20-05
221 CSSF Regulation No 20-05
222 CSSF Regulation No 20-05
223 CSSF Regulation No 20-05
224 CSSF Regulation No 20-05
(2) He controls compliance with the professional obligations applicable to  
branches and majority-owned subsidiaries by the professional in Luxembourg and  
abroad. To this end, he analyses, among others, the summary of all the reports of the  
audit missions and, where appropriate, of the compliance function of these entities  
that the professional must obtain.  
He shall ensure compliance by the professional with the group-wide policies,  
procedures and measures concerning, in particular, data protection and sharing of  
information within the group for the purposes of AML/CFT in accordance with the legal  
provisions in force in Luxembourg.  
(3) He shall prepare, implement and ensure the realisation of the continuing  
training and awareness-raising programme of the personnel as referred to in Article  
46 of this regulation.  
(4) The compliance officer shall be the privileged contact person for the  
Luxembourg authorities in charge of AML/CFT as regards AML/CFT issues and for the  
competent authorities with respect to the application of restrictive measures in  
financial matters. He shall also be in charge of the transmission of any information or  
statement to these authorities.  
(5) The compliance with the AML/CFT policy shall be subject to regular controls  
and verifications, at a frequency determined according to the money laundering and  
terrorist financing risks to which the professional is exposed. The compliance officer  
shall report in writing on a regular basis and, if necessary, on an ad hoc basis to the  
person responsible for compliance, to the authorised management and, where  
appropriate, to the Board of Directors (or specialised committees). These reports  
concern the follow-up of the recommendations, problems, shortcomings and  
irregularities identified in the past as well as the new problems, shortcomings and  
irregularities identified. Each report shall specify the risks related thereto as well as  
their seriousness (measuring the impact) and propose corrective measures, as well as  
in general the position of the persons concerned. These reports shall allow assessing  
the scale of the suspicions or reasonable grounds for suspicion of money laundering,  
an associated predicate offence or terrorist financing which were identified and  
expressing a judgement on the adequacy of the AML/CFT policy, procedures and  
systems and on the collaboration between the professional's departments as regards  
AML/CFT. In this context, the compliance officer shall take into account, among others,  
the written reports transmitted pursuant to Articles 12, 13 and 39(4) of this regulation.  
(6) The compliance officer shall prepare, at least once a year, a summary  
report on his activities and his operation. This summary report shall be submitted by  
the compliance officer to the person responsible for compliance, the authorised  
management and the Board of Directors and, where appropriate, the specialised  
committees.  
(7) The person responsible for compliance shall submit to the CSSF on an  
annual basis the summary report referred to in the above paragraph 6 which covers  
the past year within five months following the end of the professional’s financial year.  
This requirement is not applicable to Luxembourg investment funds which designated  
a Luxembourg management company submitting this annual report.”  
Article 43  
The accumulation of the function of (…)225 compliance officer and one or more  
other functions shall not impede the independence, objectivity and decision-making  
autonomy of the (…)226 compliance officer. His workload shall be adapted so that the  
efficiency of the AML/CFT framework is not compromised.  
(CSSF Regulation No 20-05)  
“The accumulation of the function of the person responsible for compliance  
and one or more other functions shall not impede his independence and objectivity.”  
Section 4 Internal audit control  
Article 44  
(1) The control of the AML/CFT “policies and procedures”227 shall be an integral  
part of the mission of the professional's internal audit function. “To this end, the  
internal audit shall test and assess the risk management and control, the AML/CFT  
policies and procedures in an independent manner.”228  
(2) (…)229 “It shall”230 report to the authorised management and Board of  
Directors (or specialised committees) by providing them, at least once a year, with a  
summary report on the compliance with the AML/CFT “policies and procedures”231. It  
shall show due diligence by ensuring that its recommendations or corrective measures  
are acted upon.  
(CSSF Regulation No 20-05)  
“(3) The internal audit shall analyse the information on the branches and  
majority-owned subsidiaries made available pursuant to Article 4-1(1) of the Law.”  
225 CSSF Regulation No 20-05  
226 CSSF Regulation No 20-05  
227 CSSF Regulation No 20-05  
228 CSSF Regulation No 20-05  
229 CSSF Regulation No 20-05  
230 CSSF Regulation No 20-05  
231 CSSF Regulation No 20-05  
Section 5 Recruitment, training and awareness-raising of the personnel  
Article 45  
The professionals shall set up recruitment procedures for all the staff and  
particularly for the (…)232 compliance officer “and person responsible for compliance”233  
in order to ensure that each staff member fulfils the criteria of adequate professional  
standing and experience according to the risk of money laundering and terrorist  
financing related to the duties and functions to be carried out. In particular,  
information as regards the possible judicial record of the persons concerned shall be  
obtained when hiring members of the management by requiring, among others, an  
extract of the police record or an equivalent document from the person concerned.  
Article 46  
(1) The “ongoing”234 training and awareness-raising measures for the staff  
taken by the professional pursuant to Article 4(2) of the Law (…)235 “shall cover all the  
members of staff, including the members of the management bodies and authorised  
management. These measures”236 shall be adapted to the participants' needs (…)237.  
“As regards”238, in particular, “the”239 staff members who are in direct contact with  
customers or whose duties expose them to the risk of being confronted with attempts  
of money laundering or terrorist financing or whose duties directly or indirectly consist  
in AML/CFT“, specific training programmes in relation to their function shall be  
developed”240.  
(2) Every professional shall have a training and awareness-raising programme  
for the whole personnel which observes highly qualitative criteria and whose content  
and calendar take into account the specific needs of the professional. This programme,  
as well as its realisation, shall be documented in writing. The programme shall take  
into account the development of money laundering and terrorist financing techniques  
and shall be adapted when relevant legal or regulatory requirements change.  
232 CSSF Regulation No 20-05  
233 CSSF Regulation No 20-05  
234 CSSF Regulation No 20-05  
235 CSSF Regulation No 20-05  
236 CSSF Regulation No 20-05  
237 CSSF Regulation No 20-05  
238 CSSF Regulation No 20-05  
239 CSSF Regulation No 20-05  
240 CSSF Regulation No 20-05  
The training and awareness-raising programme of the personnel shall include, among  
others:  
- for all the newly hired employees, the participation to an internal or external basic  
  training as soon as they are hired, making them aware of the professional's  
  AML/CFT policy as well as of the relevant legal and regulatory requirements;  
- for all the employees, the regular participation to internal or external continuing  
  education which is addressed, in particular, to the members of the personnel in  
  direct contact with customers in order to help them identify unusual transactions  
  and recognise money laundering or terrorist financing attempts. This continuing  
  education shall also concern the professional's internal procedures to be followed  
  by the employees in case they suspect “or have reasonable grounds to suspect”241  
  money laundering“, an associated predicate offence”242 or terrorist financing;  
- regular informative meetings for employees in order to keep them up to date with  
  the developments as regards the techniques, methods and trends with respect to  
  money laundering and terrorist financing as well as the preventive rules and  
  procedures to be followed in this matter;  
- the appointment of one or more contact person(s) for employees who is/are  
  competent and available to answer any questions which relate to money  
  laundering or terrorist financing and which may concern, notably, all the aspects  
  of the laws and obligations regarding AML/CFT, the internal procedures, the  
  customer due diligence duties and the report of suspicious transactions;  
- the periodic distribution of an AML/CFT documentation which includes, in  
  particular, examples of money laundering or terrorist financing transactions.  
(3) Where the professionals adopt a training and awareness-raising  
programme developed abroad, e.g. by their registered office or parent company, they  
are required to adapt this programme to the “legal and regulatory”243 rules applicable  
in Luxembourg“, as well as with respect to ML/TF typologies and their specific  
activities”244.  
241 CSSF Regulation No 20-05  
242 CSSF Regulation No 20-05  
243 CSSF Regulation No 20-05  
244 CSSF Regulation No 20-05  
Chapter 6 Cooperation requirements with the authorities  
Article 47  
In accordance with Articles 4(3) and 5(1) of the Law and Article 8“(3) and”245  
(4) of the Grand-ducal Regulation, the professionals shall be able to answer quickly  
and comprehensively all information requests from the “Luxembourg”246 authorities “in  
charge of AML/CFT”247, and, in particular, those which tend to determine whether they  
are or were in business relationships or whether they do or did carry out transactions  
in relation to specific persons including those referred to in Articles 31 and 33 of this  
regulation. This cooperation requirement does not end with the business relationship  
or the transaction.  
Article 48  
(1) The requirement to inform the FIU “without delay”248, as provided for in  
point (a) of Article 5(1) of the Law, also covers the cases in which the professional  
came into contact with a natural or legal person, or “a”249 legal arrangement without  
entering into a business relationship or carrying out a transaction, insofar as there are  
(…)250 suspicions “or reasonable grounds for suspicion”251 of money laundering“, an  
associated predicate offence”252 or terrorist financing.  
245 CSSF Regulation No 20-05  
246 CSSF Regulation No 20-05  
247 CSSF Regulation No 20-05  
248 CSSF Regulation No 20-05  
249 CSSF Regulation No 20-05  
250 CSSF Regulation No 20-05  
251 CSSF Regulation No 20-05  
252 CSSF Regulation No 20-05  
(2) The professional shall equip itself with the means required with respect to  
procedures and organisation of the (…)253 compliance officer function which allows the  
analysis of the reports transmitted to him and the determination of the necessity to  
communicate a fact or transaction to the FIU pursuant to point (a) of Article 5(1) of  
the Law. “To this end, the professional shall register itself in the tool implemented by  
the FIU.”254 The procedures shall include the conditions, deadlines and steps for the  
customer relationship manager to communicate reports to the (…)255 compliance  
officer. The analysis and the resulting decision shall be retained in writing and made  
available to the competent authorities.  
(3) Without prejudice to the obligations laid down in Article 5(3) of the Law, a  
business relationship which is subject to a report of suspicion with the FIU, shall be  
monitored with enhanced due diligence and, where appropriate, in line with the FIU  
instructions by the professional. In case of new indications, the professionals shall  
carry out a complementary suspicious transaction report (…)256.  
(CSSF Regulation No 20-05)  
“(4) The professional shall communicate in parallel to the CSSF the information  
transmitted to the FIU based on Article 5(1) and (1a) of the Law, where this  
information identifies as suspect a professional subject to the CSSF's supervision, or,  
according to its knowledge, a member of the personnel or management bodies of such  
a professional or where this information is likely to have a more material impact on  
the financial sector.”  
Chapter 7 Audit by “an external audit function”257  
“Article 49  
(1) The audit of the professional's annual accounts by the réviseur  
d'entreprises agréé (approved statutory auditor) shall also include the compliance with  
the legal and regulatory AML/CFT obligations and provisions. In that respect, the  
réviseur d'entreprises agréé (approved statutory auditor) shall, among others, carry  
out sampling tests, the methodology and the results of which he shall describe and  
comment.  
253 CSSF Regulation No 20-05  
254 CSSF Regulation No 20-05  
255 CSSF Regulation No 20-05  
256 CSSF Regulation No 20-05  
257 CSSF Regulation No 20-05  
(2) Without prejudice to the application of paragraph 3 of this article, the long  
form report of the réviseur d'entreprises agréé (approved statutory auditor) mentioned  
in the above paragraph 1 shall include, among others:  
- the description of the AML/CFT policy set up by the professional in order to prevent  
  money laundering and terrorist financing, the verification of its compliance with  
  the provisions of Part II, Chapter 5 of the Law of 5 April 1993 on the financial  
  sector, the Law, the Grand-ducal Regulation, Regulation (EU) 2015/847, CSSF  
  regulations and circulars relating to AML/CFT and the control of their sound  
  application;  
- the assessment of the professional's analysis of money laundering and terrorist  
  financing risks to which it is exposed. The réviseur d'entreprises agréé (approved  
  statutory auditor) shall verify if the implemented procedures, infrastructures and  
  controls, as well as the scope of the AML/CFT measures are appropriate  
  considering the money laundering and terrorist financing risks to which the  
  professional is exposed, particularly through its activities, the nature of its  
  customers and the provided products and services;  
- a declaration on the performance of a regular audit of compliance with the  
  professional's AML/CFT policy by the internal audit function and the compliance  
  officer;  
- the verification of the training and awareness-raising measures for employees as  
  regards money laundering and terrorist financing, and, in particular, with respect  
  to the identification of money laundering and terrorist financing transactions;  
- the historical statistics concerning the detected suspicious transactions which  
  indicate the number of suspicious transaction cases reported to the FIU by the  
  professional, as well as the total amount of funds involved;  
- the control of the application of the provisions of Regulation (EU) 2015/847 by the  
  professional, in its respective role, and the percentage of transfers of funds for  
  which data on the payer or payee were missing or incomplete and the measures  
  taken in this context by the professional.  
(3) The above-mentioned long form report shall encompass the professional's  
branches and majority-owned subsidiaries abroad. It shall cover, in particular, the  
branches' and majority-owned subsidiaries' compliance with the applicable provisions  
as regards the prevention of money laundering and terrorist financing and it shall  
include, in that respect:  
- an analysis of money laundering and terrorist financing risks incurred by the  
  branches and majority-owned subsidiaries;  
- a description and assessment of the risk management in the branches and  
  majority-owned subsidiaries;  
- the verification of the implementation of and compliance with the professional's  
  AML/CFT policy in the branches and majority-owned subsidiaries.  
(4) The CSSF may require the substitution of the AML/CFT section of the long  
form report referred to in this article, with a report to be submitted to the CSSF and  
dedicated to AML/CFT. In that case, a CSSF circular will define the arrangements for  
the completion, content and transmission of this report dedicated to AML/CFT.  
(5) The professionals which are not legally obliged to have a réviseur  
d'entreprises agréé (approved statutory auditor) to audit their annual accounts shall  
mandate the drawing-up of a report dedicated to AML/CFT which will be submitted to  
the CSSF as soon as the arrangements for the completion, content and transmission  
have been specified in a specific circular addressed to these professionals.”258  
Luxembourg, 14 December 2012  
Commission de Surveillance du Secteur Financier  
******************  
Director  
******************  
Director  
******************  
Director  
******************  
Director General  
258 CSSF Regulation No 20-05  
Commission de Surveillance du Secteur Financier  
283, route d’Arlon  
L-2991 Luxembourg (+352) 26 25 1-1