Administrative sanction of 2 April 2024 for non-compliance  
with professional obligations related to general  
organisational requirements, oversight of delegates, and  
anti-money laundering/counter financing of terrorism  
Luxembourg, 12 July 2024  
Administrative decision  
On 2 April 2024, the CSSF imposed an administrative fine amounting to EUR 126,200 in total on the  
investment fund manager ****************** Luxembourg S.A. (the “Manager”) subject to Chapter  
15 of the amended Law of 17 December 2010 relating to undertakings for collective investment (the  
“Law of 2010”) and authorised as an alternative investment fund manager according to the provisions  
of the amended Law of 12 July 2013 on alternative investment fund managers.  
Legal framework/motivation  
The administrative fine is composed of:  
an amount of EUR 109,000 imposed pursuant to Article 148(2)(g), Article 148(2)(j) and  
Article 148(4)(e) of the Law of 2010 read together for failure to comply with the provisions of Article  
109(1)(a) of the Law of 2010 regarding the requirements to have sound administrative procedures  
and adequate internal control mechanisms, and the provisions of Article 110(1)(f) of the Law of 2010  
regarding the supervision of delegates; and  
an amount of EUR 17,200 imposed pursuant to Article 8-4(3)(a) of the Law of 12 November  
2004 on the fight against money laundering and terrorist financing, as amended (the “AML/CFT  
Law”) for failure to comply with provisions of this law and of the CSSF Regulation No 12-02 of 14  
December 2012 on the fight against money laundering and terrorist financing as applicable at the  
time of the Inspection (the “CSSF Regulation No 12-02”), regarding customer due diligence  
obligations.  
In order to determine the type and amount of the administrative sanction, the CSSF considered,  
pursuant to Article 149a of the Law of 2010 and Article 8-5 of the AML/CFT Law, respectively, (i) the  
nature, gravity and duration of the breaches existing at the time of the on-site inspection, (ii) the  
conduct and past record of the Manager as well as (iii) the fact that the Manager provided a detailed  
action plan and initiated remedial actions in order to resolve the breaches identified.  
The professional obligations in relation to which the breaches were observed are namely quoted in  
the relevant provisions of:  
ADMINISTRATIVE SANCTION  
1/4  
the Law of 2010;  
the AML/CFT Law;  
CSSF Regulation No 12-02;  
CSSF Regulation No 10-04 transposing Commission Directive 2010/43/EU of 1 July 2010  
implementing Directive 2009/65/EC of the European Parliament and of the Council as  
regards organisational requirements, conflicts of interest, conduct of business, risk  
management and content of the agreement between a depositary and a management  
company (the “CSSF Regulation No 10-04”);  
Circular CSSF 18/698 regarding the authorisation and organisation of investment fund  
managers incorporated under Luxembourg Law (the “Circular CSSF 18/698”);  
Circular CSSF 17/654 on IT outsourcing relying on a cloud computing infrastructure and  
meanwhile repealed by the Circular CSSF 22/805 (the “Circular CSSF 17/654”);  
as applicable at the time of the facts.  
Legal bases for the publication  
The publication is made pursuant to the provisions of Article 149(1) of the Law of 2010 and Article  
8-6 of the AML/CFT Law, respectively, insofar as, following an assessment of proportionality, the  
CSSF considered that the present publication on a nominative basis is not disproportionate and  
jeopardises neither the stability of the financial markets nor an ongoing investigation.  
Context and major cases of non-compliance with the  
professional obligations identified  
This administrative fine follows an on-site inspection carried out by the CSSF on the Manager  
between 22 April and 19 June 2020, during which the CSSF identified persistent breaches in the  
internal governance and AML/CFT frameworks of the Manager (the “Inspection”) which related in  
particular to the following points:  
1. Breaches subject to administrative sanction pursuant to the Law of 2010  
The CSSF identified that the Manager did not have a clear understanding of its distribution  
network in terms of role and involvement of the entities composing its distribution network. This  
lack of understanding evidenced that the internal governance arrangements and internal controls  
implemented by the Manager were not sufficient to enable a sound and prudent management of the  
distribution activities and their related risks, constituting a failure to comply with the provisions of  
point 153 of Circular CSSF 18/698 specifying the requirements of Article 109(1)(a) of the Law of  
2010.  
The CSSF identified that the Manager had not established a cloud register and had not  
performed a risk assessment for the cloud applications used, constituting a failure to comply with  
the provisions of point 26 of Circular CSSF 17/654 (which was applicable to the Manager by virtue  
of point 143 of Circular CSSF 18/698 specifying the requirements of Article 109(1)(a) of the Law of  
2010).  
In addition, the CSSF identified that no management information was reported to the executive  
committee with regard to IT continuity management and that the Manager did not define any  
recovery point objectives, evidencing the implementation and maintenance of an effective business  
continuity plan, constituting a failure to comply with the provisions of point 342 of Circular CSSF  
18/698 and Article 5(3) of the CSSF Regulation No 10-04 specifying the requirements of Article  
109(1)(a) of the Law of 2010.  
The CSSF observed that the Manager encountered delays in the performance of its periodic  
due diligences on distributors. In addition, the Manager had not implemented a multi-year due  
diligence plan.  
As such, the CSSF concluded that, at the time of the Inspection, the periodic monitoring of the  
distribution network was not sufficient to enable the Manager to assess all risks arising from the said  
business relationships, constituting a failure to comply with the provisions of point 442 of Circular  
CSSF 18/698 specifying the requirements of Article 110(1)(f) of the Law of 2010.  
The Manager delegated some IT activities to its group. In that regard, the CSSF observed  
that the conclusion of the periodic due diligence performed by the Manager relied on the ISAE 3402  
control report of the Manager’s group. However, this control report covered only a small portion of  
the applications used by the Manager.  
In addition, the CSSF observed that, with the exception of the activities related to one IT service, the  
Manager did not receive any Key Performance Indicators (“KPIs”) aiming at monitoring the activities  
performed by its group, constituting a failure to comply with the provisions of point 442 and point  
474 of Circular CSSF 18/698 specifying the requirements of Article 110(1)(f) of the Law of 2010.  
In that context, the CSSF concluded that, at the date of the Inspection, the Manager had no sound  
administrative procedures, internal control, and safeguard arrangements for electronic data  
processing. In addition, the CSSF concluded that the Manager did not perform a proper oversight of  
its distribution network and delegated IT activities.  
Although the Manager confirmed having implemented corrective measures to remedy breaches  
identified, the CSSF concluded that, at the time of the Inspection, the Manager contravened Article  
109(1)(a) and Article 110(1)(f) of the Law of 2010.  
2. Breaches subject to administrative sanctions pursuant to the AML/CFT Law  
For one delegate acting as distributor for the Manager, the CSSF observed that the  
agreement had been signed before the completion of an initial due diligence, including the collection  
of AML/KYC documentation on the intermediary, its representatives and its beneficial owners,  
constituting a failure to comply with the provisions of Article 3(2)(a) and Article 3(2)(b) of the  
AML/CFT Law.  
For two delegates acting as distributors for the Manager and for which due diligences should  
have been performed on a yearly basis as per the Manager’s internal policies, the CSSF observed  
that, after a delay of two years, the due diligences were still not completed, thus constituting a  
failure to conduct ongoing due diligence to ensure that the documents, data or information collected  
under the customer due diligence process is kept up-to-date and relevant. In this regard, it was a  
failure to comply with the provisions of Article 3(2)(d) of the AML/CFT Law.  
For five delegates acting as distributors for the Manager, the CSSF observed that the  
Manager did not perform initial name screening controls against international and European  
financial sanction lists and PEP lists in due time, thus constituting a failure to comply with the  
obligation to detect persons, entities and groups without delay so that the necessary restrictive  
measures can be applied to them, and a failure to have appropriate procedures regarding the  
identification of PEPs. In this regard, it was a failure to comply with the provisions of Article 30,  
Article 33(1), Article 33(2), Article 39(1), Article 39(2) of CSSF Regulation No 12-02, and with the  
provisions of Article 3-2(4)(a) of the AML/CFT Law.  
In that context, the CSSF concluded that, at the date of the Inspection, the Manager failed to  
establish and implement adequate control mechanisms with regard to its customer due diligences in  
the context of the fight against money laundering and terrorist financing.  
Although the Manager confirmed having implemented corrective measures to remedy breaches  
identified, the CSSF concluded that, at the time of the Inspection, the Manager contravened Article  
3(2)(a), Article 3(2)(b), Article 3(2)(d), Article 3-2(4)(a) of the AML/CFT Law; and Article 30, Article  
33(1), Article 33(2), Article 39(1) and Article 39(2) of CSSF Regulation No 12-02.  