Administrative sanction of 19 July 2024 for non-compliance  
with professional obligations related to “anti-money  
laundering / counter financing of terrorism”  
Luxembourg, 25 September 2024  
Administrative decision  
On 19 July 2024, the CSSF imposed an administrative fine amounting to EUR 40,000 on the  
electronic money institution “****************** S.A.” (the “EMI”), authorised as electronic money  
institution in accordance with the provisions of the Law of 10 November 2009 on payment services.  
Legal framework/motivation  
This administrative fine was imposed by the CSSF pursuant to Article 2-1(1) of the amended Law of  
12 November 2004 on the fight against money-laundering and terrorist financing (“AML/CFT Law”)  
read in conjunction with the provisions of Article 8-4(1), (2) and (3)(a) of the AML/CFT Law for non-  
compliance with anti-money laundering / counter financing of terrorism (“AML/CFT”) professional  
obligations.  
In order to determine the type and amount of the administrative sanction, the CSSF duly took into  
account all the legal and factual elements set out and discussed, the gravity and duration of the  
breach and the financial situation of the legal person held responsible for the breach existing at the  
time of the on-site inspection in accordance with the provisions of Article 8-5(1) of this law.  
The professional obligations in relation to which the breaches were observed are namely quoted in  
the relevant provisions of:  
(i) the AML/CFT Law,  
(ii) the amended Grand-ducal Regulation of 1 February 2010 (“AML/CFT Grand-ducal  
Regulation”) providing details on certain provisions of the AML/CFT Law,  
(iii) the Law of 19 December 2020 on the implementation of restrictive measures in financial  
matters (“Law of 19 December 2020”),  
(iv) the amended CSSF Regulation No 12-02 of 14 December 2012 on the fight against money  
laundering and terrorist financing (“CSSF Regulation 12-02”) which constitutes an  
implementing measure of the AML/CFT Law, and  
(v) Circular CSSF 17/650 regarding the application of the AML/CFT Law and AML/CFT Grand-  
ducal Regulation to predicate tax offences (“Circular CSSF 17/650”),  
in their version applicable at the time of the on-site inspection.  
ADMINISTRATIVE SANCTION  
1/4  
Legal bases for the publication  
This publication is made pursuant to Article 8-6(1) of the AML/CFT Law, insofar as, following an  
assessment of proportionality, the CSSF considers that the publication on a nominative basis is not  
disproportionate and jeopardises neither the stability of the financial markets nor an ongoing  
investigation.  
Context and major cases of non-compliance with the  
professional obligations identified  
This administrative fine follows a CSSF on-site inspection at the EMI between 8 December 2021 and  
28 November 2022 covering the AML/CFT framework. During the on-site inspection, the CSSF  
identified important breaches by the EMI of its AML/CFT professional obligations, which related in  
particular to the following points:  
A substantial part of the EMI’s client portfolio was not subject to name screening controls on  
a daily basis, over a substantial period of time, thus constituting a failure to comply with the  
obligation to detect persons, entities and groups subject to restrictive measures in financial  
matters without delay so that the necessary restrictive measures can be applied to them in  
line with all United Nations Security Council resolutions, acts adopted by the European Union  
(resolutions and acts directly applicable in Luxembourg) and national regulations concerning  
prohibitions and/or restrictive measures in financial matters with respect to certain States,  
persons, entities or groups in the context of the fight against terrorist financing or with  
respect to other financial embargos as well as with Article 6 of the Law of 19 December  
2020.  
In this regard, it was a failure to comply with the provisions of Articles 33(1) and 39(1) of  
the CSSF Regulation 12-02 which requires the detection of persons subject to prohibitions  
and restrictive measures in financial matters as it constitutes an essential professional  
obligation to ensure compliance with the above-mentioned provisions.  
Although the EMI had identified indicators that generated serious suspicions of money  
laundering in 11 client files, the EMI had reported them with substantial delays to the  
Financial Intelligence Unit (“FIU”), further to questions raised by the CSSF during the on-  
site inspection. This constitutes a breach of the obligation to inform promptly the FIU of each  
fact which might be an indication of money laundering as foreseen by Article 5(1)a) of the  
AML/CFT Law and Article 8(2) of the AML/CFT Grand-Ducal Regulation.  
The website of the EMI was advertising for one of its services with statements, which could  
have encouraged some persons to become clients in order to hide revenues, and thereby  
evade paying taxes on them. In this context, the CSSF identified some cases where  
indicators existed, suggesting that client accounts could have been used for avoiding  
reporting revenues to local tax authorities and hence to evade paying taxes and finally, for  
laundering the monies. The EMI failed to further investigate these indicators and/or file  
suspicious activity reports to the FIU, which resulted in a breach of Article 5(1)a) of the  
AML/CFT Law.  
ADMINISTRATIVE SANCTION  
2/4  
The internal governance framework was deficient notably due to insufficient controls  
performed by the second and the third lines of defence.  
The Compliance function was indeed not sufficiently staffed to cope with the high number of  
clients, and the respective number of controls that had to be performed. This lack of  
resources within the Compliance function to adequately cope with its AML/CFT duties  
resulted in a breach of Article 4(1) of the AML/CFT Law and Article 40(3) of the CSSF  
Regulation 12-02.  
Moreover, the Compliance Monitoring Plan did not include any controls on key AML/CFT tasks  
outsourced to other entities of the same group (such as handling of alerts for name screening  
and transaction monitoring, handling of incomplete files and controls on refused and  
terminated accounts). The absence of such controls did not enable the Compliance function  
to ensure the quality of AML/CFT controls performed by the first line of defence, resulting in  
a breach of Articles 39(6) and 39(7), as well as Article 42(1a) and (5) of the CSSF Regulation  
12-02.  
It was further noted that the outsourcing agreement lacked a detailed description of the  
measures and procedures to be implemented to fulfil the outsourced tasks, thus resulting in  
a breach of Article 3-3(5) of the AML/CFT Law and of Article 37(1) of the CSSF Regulation  
12-02. It further lacked a detailed description on the periodicity, content and format of the  
reporting.  
Furthermore, significant deficiencies were not detected by the internal audit function (a  
third-party service provider), namely the ones subject to the current administrative fine.  
This constituted a breach of Articles 39(7) and 44(1) of the CSSF Regulation 12-02 which  
insist on the necessity for the internal audit to verify the effectiveness of the implemented  
AML/CFT policies and procedures.  
Finally, the internal audit reports showed a lack of understanding of the business activities  
of the EMI and failed to differentiate in its findings between the different client types  
(“Business-to-Consumer”,  
“Business-to-Business”  
and  
“Business-to-Business-to-  
Consumer”) and as such missed to formulate the recommendations in a way that would fit  
the respective client type.  
The money laundering and terrorist financing (“ML/TF”) risk self-assessment did not include  
all the relevant risks that the EMI faced, in particular (i) the inherent risk attributed to e-  
money institutions in the Luxembourg 2020 ML/TF national risk assessment, (ii) risks related  
to predicate tax offences and (iii) risks related to a part of its clients type, which constituted  
a non-compliance with Article 2-2(1) and (2) of the AML/CFT Law and Article 4(1) of the  
CSSF Regulation 12-02 which clarify the different sources and risk factors that shall be  
considered in the ML/TF risk self-assessment.  
In the context of the application of the risk based approach, it has been established that,  
when classifying clients according to their ML/TF risks, there was a lack of consideration of  
all risk factors and an insufficient discriminatory weight attributed to country risk, which  
constitutes a failure to comply with Article 3(2a) of the AML/CFT Law, Article 5(1) of the  
CSSF Regulation 12-02 and Point 2 of the Circular CSSF 17/650.  
ADMINISTRATIVE SANCTION  
3/4  
The CSSF also identified that the EMI applied standard due diligence measures for all its  
clients, irrespective of their risk rating, resulting in a breach of Article 3-2(1) of the AML/CFT  
Law and Article 26 of the CSSF Regulation 12-02 which require the application of enhanced  
due diligence measures in situations presenting a higher risk.  
As the EMI did not meet physically its clients, and certain safeguards were absent, it has  
been established that for some of them, no sufficient measures to compensate the potentially  
higher risk that such non-face-to-face business relationships pose had been implemented in  
order to verify the identity of those clients or of the persons purporting to act on their behalf,  
which constituted a failure to comply with Article 27 of the CSSF Regulation 12-02.  
The transaction monitoring process did not operate efficiently as the CSSF had identified  
that some alerts generated were closed without proper investigation or with substantial  
delay, constituting a breach of Articles 3 (7) and 5(1)a) the AML/CFT Law as well as Article  
39(1) and (5) of the CSSF Regulation 12-02, which emphasise the obligation to pay  
particular attention to unusually large transactions and unusual patterns of transactions and  
to take rapidly the required measures where a suspicious activity or transaction is identified.  
The CSSF had identified that (i) some clients having incomplete KYC documentation were  
not adequately blocked, (ii) blocking measures were not systematically applied on all  
products linked to the same client and (iii) the involvement of the Compliance function in  
the blocking/unblocking process was not sufficient in order to allow it to ensure compliance  
with the related obligations, constituting a breach of Article 3(4) indent 4 of the AML/CFT  
Law which foresees notably that no transaction should be carried out while the customer  
due diligence measures regarding the identification and verification of identity of the client  
or beneficial owner have not been finalised.  
In the context of the applied customer due diligence measures, the CSSF had identified that  
insufficient information and documentation regarding the source of funds involved and  
business activities of some medium and high-risk clients were collected, which constituted  
a failure to comply with Article 3(2)d) of the AML/CFT Law as further detailed in Article 24  
of CSSF Regulation 12-02 which insist on the obligation to collect, record, analyse and  
understand information on the origin of clients’ funds and, depending on the risk  
assessment, to obtain supporting evidence.  
ADMINISTRATIVE SANCTION  
4/4