www.pwc.

lu

Flash News
New anti-money laundering (AML)
and counter terrorist financing (CTF)
legislation

21 January 2013

The CSSF Regulation No12-02 of 14 December 2012 has just been released.
The Regulation confers a legally binding character to existing professional
obligations that were, until now, set forth in the form of CSSF Circulars.
Additionally, CSSF Circular 13/556 repeals CSSF Circulars 08/387 and
10/476.

This Regulation is a further step in enhancing the Luxembourg AML/CTF regulatory

framework designed to protect the Luxembourg financial centre and replying to the
3rd Financial Action Task Force (FATF) AML/CTF mutual evaluation report of
Luxembourg issued in Feburary 2010. This Regulation comes in addition to the
currently applicable laws, Grand Ducal Decrees and CSSF Circulars.
Its aim is to provide more detailed measures as to how the existing AML/CTF laws and
regulations are to be implemented. The Regulation also emphasises the fact that
professionals in the scope of the AML/CTF laws and regulations need to document all
measures applied and executed in order to demonstrate that they properly fulfil the
professional AML/CTF requirements. This also means that policies and procedures as
well as relevant processes and documents, including customer identification
documents, need to be appropriately kept up-to-date. In this respect, the Regulation
includes specific measures applicable to the investment funds industry as well.

Key aspects:
Risk based approach
Overall, the Regulation stresses that all AML/CTF measures taken have to be properly
aligned to the assessed risk. The risk based approach methodology set forth in the
Regulation comprises a risk assessment based on various criteria such as client risk,
country risk, risk associated with products, transactions or the distribution/selling of
the product. For the investment fund industry, the latter risk variable will be of
particular relevance.

 Risk Assessment
With regards to the written AML/CTF risk assessment of the professionals own
activity, an obligation as required by the Law of 12 November 2004, as amended,
Article 5 of the Regulation specifies that:

the risk assessment of each new client and for each new product needs to be
done prior to client acceptance/ product launch;
the risk score of each client must be kept up to date;
the professional must be in a position to communicate its risk assessment to
the CSSF.

Country risk assessment

The professional must perform, pursuant to Article 7 of the Regulation, a country risk
assessment for all countries. The underlying reasons why a country, including EU
member states or a third country, is deemed as imposing AML/CTF measures that are
equivalent to those applied in Luxembourg need to be formally documented. The
country risk assessments must be updated on a regularly basis.

Investment fund distribution via intermediaries

Particularly relevant to the investment fund industry is that the Regulation addresses
the level of due diligence to be performed when investment funds are distributed via
intermediaries. According to Article 3 of the Regulation, the intermediaries used are
subject to enhanced due diligence measures and the professional must have
appropriate documentation and measures in place to ensure that the intermediary
applies AML/CTF measures that are equivalent to those in place in Luxembourg, as
the responsibility remains with the Luxembourg professional. When the professional
has delegated the execution of AML/CTF due diligence measures to intermediaries via
contract, Article 37 of the Regulation foresees that the professional must have ongoing
monitoring controls in place to ensure that the delegate complies with the AML/CTF
relevant terms of the contract.

Customer Due Diligence

Each customer relationship needs to be approved in writing by an appropriately
authorised employee or member of management, depending on the level of client risk.
In case of high risk customers, senior management and the person in charge of
AML/CTF need to be involved.

Client Identification
Pursuant to Article 18 of the Regulation, the identity of a customer must be verified by
means of a valid official document issued by a competent authority and bearing a
photo and signature. In addition to passports and identity cards, other official
documents such as residential permits can be accepted. Article 24 of the Regulation
now clearly states that when establishing the client relationship the information on the
origin of funds must be part of this initial customer due diligence.

Beneficial Owners
Beneficial owners must be identified and their identification needs to be verified in line
with the requirements applicable to a natural person this is, so far, nothing new.
However Article 23 of the Regulation further clarifies that a beneficial owner can,
notwithstanding the 25% of ownership threshold, be a person who owns or controls
less than 25% of a legal structure but who is nevertheless the person who ultimately
controls this legal structure. Finally, according to Article 17 of the Regulation, the
professionals are required to obtain a declaration of beneficial ownership signed by
their clients. The beneficial owner is no longer required to sign such a declaration
himself, but the clients must inform the professional in case of any change in beneficial
ownership.

Monitoring of client relationship and transactions

Article 39 of the Regulation now clearly states that the blacklist, PEP (Politically
Exposed Persons) and country screening controls need to be applied to all clients,
beneficial owners, and proxies for all accounts and all transactions. All results of such
screenings must be evidenced and documented, whether the result is a negative or
positive match. For the blacklist screening positive matches must be reported, as
previously defined, to the Luxembourg Financial Intelligence Unit, but must now as
well be reported to the CSSF. Moreover the professionals in scope must be able to
detect incomplete incoming and outgoing payment messages, where not all
information as required by Regulation (CE) 1781/2006 is included. An automated
control should be systematically put in place except if the professional is able to
demonstrate that such automation is not required because of its nature and volume of
business.

Adequate internal organisation

Policies and Procedures
The Regulation clarifies that the professionals policies and procedures need to be
sufficiently complete. They should include sufficient detail covering all AML/CTF
professional duties even if procedures, policies, and controls measures may be adapted
to the activity, structure, size, organisation and resources available. The policies and
procedures must be validated, and if required regularly be updated, by the person in
charge of AML/CFT. The approval of authorised management is mandatory (for banks
and investment firms, the approval of the Board of Directors is also mandatory).

Role of the person responsible for AML/CTF

In case of banks and investment firms, the Chief Compliance officer as defined in
Circular CSSF 12/552 is the person responsible for AML/CFT controls. For other
entities, the person responsible for AML/CTF can be another member of management,
provided that appropriate safeguards are in place to prevent conflicts of interest. The
qualifications of the person responsible for AML/CTF are specifically detailed in the
Regulation. Amongst its duties is to issue regular reporting to authorised management
and to the Board of Directors as well as the issuance of a formal annual summary
report to these same parties.

Hiring staff and training

In line with the Grand Ducal Decree of 1 February 2010, the Regulation further
specifies that adequate internal organisation must include the implementation of
appropriate screening procedures to ensure high standards when hiring employees.
The Regulation also provides details regarding the professionals training requirements
with regards to new and current employees.

Internal audit
Until now, no fixed internal audit timing was defined for professionals except for the
fact that their AML/CTF internal audit work should be regular and coordinated with
the Compliance Officers work. The new CSSF Regulation now specifies in Article 44
that a specific AML/CTF internal audit must be carried out on an annual basis.

The new Regulation does not dramatically change the way

Luxembourg professionals in scope will perform their
AML/CTF obligations; but it provides further detail on the
extent and frequency of certain AML/CTF measures that are
already in place.
How we can help:

Review your AML/CTF policies and procedures;

Perform a gap analysis between your current processes and the newly required
updates;
Write or review your risk assessments;
Provide support for establishing your country risk assessments;
Support you in initial and ongoing AML/CTF distributor due diligence.

Should you have any questions, please do not hesitate to consult our website: www.pwc.lu
and/or to contact any of the contacts below:

.
Roxane Haas

Partner, AML Services Leader

+352 49 48 48 5703

roxane.haas@lu.pwc.com

Rima Adas

Partner

+352 49 48 48 2513

rima.adas@lu.pwc.com

Pierre-Franois Wery

Partner

+352 49 48 48 6087

pierre-francois.wery@lu.pwc.com

Birgit Goldak

Director

+352 49 48 48 5687

birgit.goldak@lu.pwc.com

Michael Weis

Director

+352 49 48 48 6087

michael.weis@lu.pwc.com

.
.
.
.
.

The information in this publication is presented in a summarised form and is intended to provide general guidance only - specific
professional advice should be obtained before action is taken.
PwC Luxembourg (www.pwc.lu) is the largest professional services firm in Luxembourg with 2,200 people employed from 57 different
countries. It provides audit, tax and advisory services including management consulting, transaction, financing and regulatory advice to
a wide variety of clients from local and middle market entrepreneurs to large multinational companies operating from Luxembourg and
the Greater Region. It helps its clients create value they are looking for by giving comfort to the capital markets and providing advice
through an industry focused approach.
The global PwC network is the largest provider of professional services in audit, tax and advisory. Were a network of independent firms
in 158 countries and employ more than 180,000 people. Tell us what matters to you and find out more by visiting us at www.pwc.com
and www.pwc.lu.
2013 PricewaterhouseCooper, Socit Cooprative. All rights reserved.