
Implementation Checklist for CSSF Regulation No 12-02 on AML/CFT
This checklist is structured per chapter/section/article references from the regulation text.
It covers core requirements from customer due diligence through risk assessment, monitoring/supervision systems,
internal management responsibilities including compliance officers/audit/training, cooperation with authorities, and
external audit obligations.
The references enable easy navigation back to the regulation text.
Version:
26 May 2025, based on CSSF Regulation No. 12-02 (v20200826)
License:
This Implementation Checklist for CSSF Regulation No 12-02 on AML/CFT © 2025 by concilio et labore GmbH is licensed under CC BY-SA 4.0

This license requires that reusers give credit to the creator. It allows reusers to distribute, remix, adapt, and build upon the material in any medium or format, even for commercial purposes. If others remix, adapt, or build upon the material, they must license the modified material under identical terms.
Chapter 1: Definitions
Requirement | Reference | Status |
---|---|---|
Define key terms related to AML/CFT such as "ML/TF", "customer", "FIU", "CSSF", "Directive (EU) 2015/849", "management", "authorised management", "FATF", "IFM", "AML/CFT", "Law", "professional obligations" and "professionals". | Article 1 | ✅ □ ❌ □ |
Apply definitions from the Law and Grand-ducal Regulation where not otherwise defined. | Article 1(2) | ✅ □ ❌ □ |
Chapter 2: Scope
Requirement | Reference | Status |
---|---|---|
Apply the Regulation to professionals supervised, authorised or registered by the CSSF including Luxembourg branches of foreign professionals and foreign professionals providing services in Luxembourg. | Article 2(1) | ✅ □ ❌ □ |
Apply equivalent AML/CFT measures in foreign branches and majority-owned subsidiaries as per Article 4-1(3) of the Law. | Article 2(2) | ✅ □ ❌ □ |
Note that statutory auditors and audit firms are excluded from this regulation. | Article 2(3) | ✅ □ ❌ □ |
Chapter 3: Risk-based approach
Section 1: Identification, assessment and understanding of risks
Subsection 1: Risk relating to the intermediary
Requirement | Reference | Status |
---|---|---|
Apply enhanced customer due diligence measures for intermediaries acting on behalf of others to ensure compliance with AML/CFT obligations. | Article 3 | ✅ □ ❌ □ |
Identify and verify identity of intermediaries, persons acting on their behalf, and beneficial owners according to risk-based approach; implement enhanced due diligence for correspondent-like relationships. | Article 3(2) | ✅ □ ❌ □ |
Subsection 2: Overall risk related to the activity
Requirement | Reference | Status |
---|---|---|
Identify, assess and understand ML/TF risks to determine due diligence measures based on materiality of risk, incorporating supranational, national, sub-sectoral risk assessments, joint guidelines, and CSSF publications. | Article 4(1) | ✅ □ ❌ □ |
Communicate risk assessments to the CSSF and complete the annual CSSF risk questionnaires on time. | Article 4(2), (3) | ✅ □ ❌ □ |
Define ML/TF risk appetite approved by Board of Directors and implemented by authorised management; ensure AML/CFT policies, procedures and controls align with risk appetite and communicate clearly to staff. | Article 4(4) | ✅ □ ❌ □ |
Subsection 3: Individual risk related to the business relationship
Requirement | Reference | Status |
---|---|---|
Categorise customers by ML/TF risk levels based on business relationships' nature and periodically review; assess risk considering customer type, geography, products/services, delivery channels. | Article 5(1) | ✅ □ ❌ □ |
Use Annex IV of the Law’s non-exhaustive list and other relevant factors to determine higher risk requiring enhanced due diligence; similarly use Annex III for lower risk cases allowing simplified due diligence with justifiable application. | Article 5(2) | ✅ □ ❌ □ |
The risk assessment shall not exempt the professional from applying enhanced due diligence where legally required; conduct the risk assessment before customer acceptance and update it upon significant changes during the relationship. | Article 5(3), (4) | ✅ □ ❌ □ |
Establish arrangements to communicate risk assessment information to CSSF. | Article 5(5) | ✅ □ ❌ □ |
Section 2: Risk management and mitigation
Requirement | Reference | Status |
---|---|---|
Implement policies, controls, and procedures approved by Board of Directors (or authorised management) for effective management and mitigation of ML/TF risks. | Article 6(1) | ✅ □ ❌ □ |
Adapt due diligence measures’ extent to customer risk levels as per Article 3(2) of the Law; apply all enhanced due diligence measures where required by law or regulation. | Article 6(2) | ✅ □ ❌ □ |
Adjust due diligence measures during identification/verification and ongoing monitoring phases as per legal requirements. | Article 6(3) | ✅ □ ❌ □ |
Assess whether jurisdictions impose AML/CFT obligations equivalent to Luxembourg law/Directive (EU) 2015/849; document reasons and regularly review; equivalence does not remove risk assessment or enhanced due diligence obligations. | Article 7 | ✅ □ ❌ □ |
Chapter 4: Customer due diligence
Section 1: Acceptance of a new customer
Requirement | Reference | Status |
---|---|---|
Implement a customer acceptance policy adapted to the activities, including prior risk identification, assessment and understanding. | Article 8 | ✅ □ ❌ □ |
Submit acceptance of new customers to written authorisation by a superior or appointed body, with systematic intervention of the compliance officer for high-risk customers. | Article 9 | ✅ □ ❌ □ |
Allow automated acceptance for low-risk customers under a tested and regularly reviewed process aligned with AML/CFT policies. | Article 9(2) | ✅ □ ❌ □ |
Include specific examination and acceptance procedures for customers likely to represent a high ML/TF risk, including numbered accounts and safe-deposit boxes with strict documentation and authorisation. | Article 10 | ✅ □ ❌ □ |
Document all customer contact and have procedures for cases of suspicion or refusal of business relationship, retaining documentation accordingly. | Article 11 | ✅ □ ❌ □ |
Section 2: Timing of identification and verification of the identity
Requirement | Reference | Status |
---|---|---|
A business relationship may start before or during identity verification provided that the ML/TF risk is low, that this is necessary to ensure normal business continuity, that identity is verified at the earliest opportunity, and that no assets leave before verification is completed. | Article 12 | ✅ □ ❌ □ |
For companies in incorporation process, identify and verify founders and beneficial owners promptly; complete company identity verification earliest after incorporation; prevent asset exit before verification. | Article 13 | ✅ □ ❌ □ |
Apply identification and verification measures for occasional transactions equal or above EUR 15,000 before transaction execution; consider aggregated transactions to reach threshold. | Article 14 | ✅ □ ❌ □ |
For fund transfers (Regulation EU 2015/847), verify payer and payee information as required, especially for transfers over EUR 1,000 within the EU; apply enhanced measures if suspicion or cash involved. | Article 15 | ✅ □ ❌ □ |
Section 3: Standard measures for identification and verification of customers
Requirement | Reference | Status |
---|---|---|
Gather and register minimum identification information for natural persons and legal entities/customers as specified (e.g. names, DOB, nationality, legal form, officers). | Article 16 | ✅ □ ❌ □ |
Determine if customers act for their own account or on behalf of others; obtain explicit declaration and ensure its credibility. | Article 17 | ✅ □ ❌ □ |
Verify natural person identity using valid official documents bearing signature and photo; use electronic ID means recognized by authorities; take additional verification measures based on risk. | Article 18 | ✅ □ ❌ □ |
Verify legal persons' identity using incorporation documents, recent company register extracts, management reports, and other reliable sources as appropriate. | Article 19 | ✅ □ ❌ □ |
Section 4: Measures for identification and verification of persons acting on behalf of the customer
Requirement | Reference | Status |
---|---|---|
Identify and verify persons acting on behalf of the customer according to standard due diligence measures; know and verify their power of representation through documents. | Article 20 | ✅ □ ❌ □ |
Section 5: Measures for identification and verification of beneficial owners
Requirement | Reference | Status |
---|---|---|
Identify beneficial owners including full name, nationality, DOB, place of birth, main residence address, and official national identity number if applicable. | Article 21 | ✅ □ ❌ □ |
Verify beneficial owner data using customer information, central registers, independent reliable sources; take reasonable measures to confirm real identity beyond sole use of central registers. | Article 22(1) | ✅ □ ❌ □ |
If doubt remains on beneficial owner identity after measures, refuse business relationship or transaction; report suspicions to FIU as required. | Article 22(2) | ✅ □ ❌ □ |
The definition of beneficial owner includes any natural person who ultimately owns or controls the customer or on whose behalf a transaction or activity is conducted, even if participation thresholds are not met. | Article 23 | ✅ □ ❌ □ |
Section 6: Assessing, understanding and obtaining information on the purpose and intended nature of the business relationship
Requirement | Reference | Status |
---|---|---|
The obligation to know the customer includes gathering, registering, analysing, and understanding information about the origin of funds, types of transactions requested, and business relationship purpose at identification stage; may include supporting evidence depending on risk. | Article 24 | ✅ □ ❌ □ |
Section 7: Obligation to retain documents and information
Requirement | Reference | Status |
---|---|---|
Retain all documents, data, and information obtained under customer due diligence measures including results of analysis and reports transmitted to compliance officer. | Article 25(1)-(3) | ✅ □ ❌ □ |
Ensure retention media allow use as evidence in investigations or criminal proceedings. | Article 25(3) | ✅ □ ❌ □ |
Section 8: Enhanced and simplified customer due diligence obligations
Requirement | Reference | Status |
---|---|---|
Apply enhanced due diligence measures for higher-risk business relationships adjusted to risk level. | Article 26(1)-(3) | ✅ □ ❌ □ |
Apply simplified due diligence measures for justified low-risk business relationships, including verification by official regulator website or presumption of payment from regulated institutions. | Article 26a | ✅ □ ❌ □ |
Implement specific measures compensating risks in non face-to-face customer relationships without additional guarantees. | Article 27 | ✅ □ ❌ □ |
Conduct due diligence on cross-border correspondent and similar relationships, including documentation, periodic review, and enhanced measures according to risk. | Articles 28-29 | ✅ □ ❌ □ |
Implement risk management systems to identify politically exposed persons with biannual updates. | Article 30 | ✅ □ ❌ □ |
Apply enhanced due diligence to business relationships involving customers from high-risk countries including compliance officer involvement, enhanced ID verification, and monitoring. | Article 31(1)-(3) | ✅ □ ❌ □ |
Section 9: Ongoing due diligence
Requirement | Reference | Status |
---|---|---|
Identify complex or unusual transactions by considering asset volume, transaction patterns, and discrepancies with customer profile. | Article 32(1) | ✅ □ ❌ □ |
Analyse economic background of funds in transactions posing ML/TF risk; take appropriate corroborating measures. | Article 32(2) | ✅ □ ❌ □ |
Identify persons/entities subject to restrictive financial measures (sanctions) without delay; apply required restrictive measures and inform competent authorities and CSSF simultaneously. | Article 33(1)-(3) | ✅ □ ❌ □ |
Pay particular attention to activities such as customers subject to specific acceptance procedures and transfers of funds within Regulation (EU) 2015/847; conduct formalised annual ML/TF risk analysis on investments. | Article 34(1)-(2) | ✅ □ ❌ □ |
Verify and update customer documents, data, and information according to risk assessment with at least annual review for high-risk relationships; verify conditions for simplified due diligence at least annually. | Article 35(1)-(4) | ✅ □ ❌ □ |
Section 10: Performance of due diligence by third parties
Subsection 1: Third-party introducers
Requirement | Reference | Status |
---|---|---|
Ensure third-party introducer complies with definition in Article 3-3(1) of the Law and retain verification documentation. | Article 36(1) | ✅ □ ❌ □ |
Obtain written commitment from third-party introducer to fulfil obligations of Article 3-3(2) of the Law. | Article 36(1) | ✅ □ ❌ □ |
Maintain responsibility for AML/CFT professional obligations despite using third-party introducer. | Article 36(2) | ✅ □ ❌ □ |
Subsection 2: Outsourcing and agency relationship
Requirement | Reference | Status |
---|---|---|
Include detailed due diligence measures and document transmission conditions in contract with third-party delegate. | Article 37(1) | ✅ □ ❌ □ |
Establish internal policies and procedures for selecting and evaluating third-party delegates and subcontractors. | Article 37(2) | ✅ □ ❌ □ |
Perform regular controls and monitoring of compliance by third-party delegates, including on-site visits where appropriate. | Article 37(2) | ✅ □ ❌ □ |
Conduct risk assessment of outsourced functions and outsourcing chain before contract conclusion, particularly for IFMs. | Article 37(2a) | ✅ □ ❌ □ |
Retain responsibility for compliance with AML/CFT obligations despite outsourcing or sub-delegation. | Article 37(3) | ✅ □ ❌ □ |
Clearly define roles, responsibilities, rights, and duties in outsourcing contract, especially for registrar and transfer agents. | Article 37(4) | ✅ □ ❌ □ |
Ensure compliance with professional secrecy and personal data protection laws when using third-party delegates and sub-delegates. | Article 37(5) | ✅ □ ❌ □ |
Chapter 5: Adequate internal management requirements
Section 1: AML/CFT policies and procedures
Requirement | Reference | Status |
---|---|---|
Establish AML/CFT internal management procedures, policies and measures tailored to professional's activity, structure, size, organisation and resources. | Article 38(1) | ✅ □ ❌ □ |
Develop AML/CFT policies covering all professional obligations including customer acceptance policy, risk management procedures, supervision of business relationships, use of third-party introducers and delegates, suspicious transaction reporting, numbered accounts handling, staff recruitment, training and responsibilities. | Article 38(2) | ✅ □ ❌ □ |
Coordinate AML/CFT policies and procedures with branches and majority-owned subsidiaries abroad; apply additional measures if foreign laws restrict group-wide policies. | Article 38(3) | ✅ □ ❌ □ |
Ensure AML/CFT policies are validated by the Board of Directors; procedures validated by authorised management or Board for investment funds; regular review by compliance officer and internal audit. | Article 38(4) | ✅ □ ❌ □ |
Implement arrangements ensuring control of AML/CFT compliance, independent audit function, ML/TF risk appetite policy, and group-level information sharing policy. | Article 38(5) | ✅ □ ❌ □ |
Section 2: Systems for the supervision of business relationships and transactions
Requirement | Reference | Status |
---|---|---|
Implement supervisory systems and control mechanisms to identify persons referred to in Articles 30, 31, and 33; identify funds coming from or going to restricted States/persons; identify complex or unusual transactions; identify transfers of funds with missing or incomplete information. | Article 39(1) & (1a) | ✅ □ ❌ □ |
Maintain a complete and up-to-date customer database subject to a four-eyes principle where data is entered by a natural person. | Article 39(2) | ✅ □ ❌ □ |
Document identification research results including negative findings. | Article 39(3) | ✅ □ ❌ □ |
Report identified transactions or persons to compliance officer with documented criteria and deadlines. | Article 39(4) | ✅ □ ❌ □ |
Allow compliance officer to take immediate measures on suspicious activities; compliance officer to decide scope and termination of measures in consultation with management. | Article 39(5) | ✅ □ ❌ □ |
Subject supervisory system to initial validation by person responsible for compliance and regular controls by the compliance officer for adaptation. | Article 39(6) | ✅ □ ❌ □ |
Ensure governance with three lines of defence: operational units (first line), compliance officer and support functions (second line), internal audit (third line). | Article 39(7) | ✅ □ ❌ □ |
Section 3: Person responsible for compliance with the AML/CFT professional obligations and compliance officer in charge
Requirement | Reference | Status |
---|---|---|
Appoint a person responsible for compliance at authorised management or Board level and a compliance officer to control compliance with AML/CFT obligations; IFMs and investment funds may appoint a third party. | Article 40(1) | ✅ □ ❌ □ |
Communicate names and changes of person responsible for compliance and compliance officer to CSSF. | Article 40(2) | ✅ □ ❌ □ |
Ensure compliance officer and person responsible have adequate experience, knowledge of legal/regulatory framework, organisational powers, and availability. | Article 40(3) | ✅ □ ❌ □ |
Allow compliance officer to delegate functions to qualified employees meeting criteria of Article 40(3). | Article 41 | ✅ □ ❌ □ |
The compliance officer shall apply AML/CFT policies, propose measures, verify controls by first line of defence, ensure compliance by branches/subsidiaries, prepare training programmes, act as contact for authorities, conduct regular controls and reporting to management/Board. | Article 42 | ✅ □ ❌ □ |
The person responsible for compliance shall submit an annual summary report to the CSSF within five months after the financial year end (except certain investment funds). | Article 42(7) | ✅ □ ❌ □ |
The accumulation of compliance officer or person responsible functions with other roles shall not impair independence or effectiveness; workload must be manageable. | Article 43 | ✅ □ ❌ □ |
Section 4: Internal audit control
Requirement | Reference | Status |
---|---|---|
The internal audit function shall independently test and assess AML/CFT risk management, policies and procedures as part of its mission. | Article 44(1) | ✅ □ ❌ □ |
The internal audit shall report at least annually to authorised management and Board/specialised committees on AML/CFT compliance, ensuring recommendations are acted upon. | Article 44(2) | ✅ □ ❌ □ |
The internal audit shall analyse information on branches and majority-owned subsidiaries pursuant to the Law. | Article 44(3) | ✅ □ ❌ □ |
Section 5: Recruitment, training and awareness-raising of the personnel
Requirement | Reference | Status |
---|---|---|
Set recruitment procedures ensuring staff meet professional standing and experience criteria appropriate to ML/TF risk related to their duties; obtain judicial record extracts for management members. | Article 45 | ✅ □ ❌ □ |
Implement ongoing training and awareness programmes covering all staff including management; adapt training to participants' needs; develop specific programmes for staff exposed to ML/TF risks or in direct contact with customers. | Article 46(1) | ✅ □ ❌ □ |
Create a documented training programme covering basic training for new hires, regular continuing education, and informative meetings on evolving ML/TF techniques and preventive rules; appoint competent contact persons for ML/TF questions; and distribute AML/CFT documentation regularly. | Article 46(2) | ✅ □ ❌ □ |
If adopting foreign-developed training programmes, ensure adaptation to Luxembourg legal/regulatory requirements and specific ML/TF typologies relevant to activities. | Article 46(3) | ✅ □ ❌ □ |
Chapter 6: Cooperation requirements with the authorities
Requirement | Reference | Status |
---|---|---|
Respond quickly and comprehensively to information requests from Luxembourg AML/CFT authorities, including for determining business relationships or transactions related to specific persons. | Article 47 | ✅ □ ❌ □ |
Inform the FIU without delay of suspicions or reasonable grounds for suspicion of money laundering, associated predicate offences or terrorist financing, even if no business relationship or transaction is established. | Article 48(1) | ✅ □ ❌ □ |
Equip compliance officer function with appropriate procedures and organisation to analyse reports and decide on communication to FIU, including registration in FIU tool; document decisions and make available to authorities. | Article 48(2) | ✅ □ ❌ □ |
Monitor business relationships subject to suspicious transaction reports with enhanced due diligence and follow FIU instructions; submit complementary reports if new indications arise. | Article 48(3) | ✅ □ ❌ □ |
Communicate in parallel to CSSF any information transmitted to FIU identifying a professional supervised by CSSF, personnel or management, or relevant to the financial sector. | Article 48(4) | ✅ □ ❌ □ |
Chapter 7: Audit by an external audit function
Requirement | Reference | Status |
---|---|---|
The audit of the professional's annual accounts shall include compliance with AML/CFT legal and regulatory obligations, including performing sampling tests with described methodology and results. | Article 49(1) | ✅ □ ❌ □ |
The long form audit report shall include a description of the AML/CFT policy, verification of its compliance, assessment of ML/TF risk analysis, and verification of training and awareness measures for employees. | Article 49(2) | ✅ □ ❌ □ |
The long form audit report shall include historical statistics on suspicious transactions reported to FIU, and control of Regulation (EU) 2015/847 application including missing or incomplete payer/payee data. | Article 49(2) | ✅ □ ❌ □ |
The audit shall cover the professional's branches and majority-owned subsidiaries abroad, including risk analysis, risk management assessment, and compliance verification. | Article 49(3) | ✅ □ ❌ □ |
The CSSF may require a dedicated AML/CFT report instead of the AML/CFT section of the long form audit report. | Article 49(4) | ✅ □ ❌ □ |
Professionals not legally obliged to have an approved statutory auditor must mandate a dedicated AML/CFT report to be submitted to CSSF as specified by circular. | Article 49(5) | ✅ □ ❌ □ |