5MLD - Creation of a Luxembourg central electronic data retrieval system concerning accounts and safe deposit boxes
17 January 2020
In accordance with Article 32bis of 5MLD, the Bill principally aims at creating a Luxembourg automated centralised system whereby any person (natural or legal person) holding or controlling a bank or a payment account identified by IBAN or a safe deposit box held at a Luxembourg credit institution3, can be identified.
In its current form, the Bill provides that the system will comprise (I) data files maintained by Obliged Entities (as defined below) and (II) a central electronic data retrieval system to be set-up by the Luxembourg regulator of the financial sector, the Commission de surveillance du secteur financier (the CSSF).
I. Data files kept by Obliged Entities
The following professionals will have to maintain internal data files:
- any person established in Luxembourg, including Luxembourg branches, offering the keeping of payment or bank accounts identified by an IBAN number (as defined by Regulation (EU) No 260/2012 of the European Parliament and of the Council4); and
- any credit institution (within the meaning of the Luxembourg act of 5 April 1993 on the financial sector, as amended (the Banking Act 1993) or Luxembourg branches of local, EU5 or third-party financial institutions), offering the keeping of safe deposit boxes in Luxembourg,
(together, Obliged Entities).
The internal data files will include, for bank or payment accounts, identification information on a client – account holder, any person purporting to act on behalf of a client, the beneficial owner of a client – account holder (if appropriate), the account itself and, for safe deposit boxes, information on the tenant of a safe deposit box and the duration of the rental agreement. This information must be kept up to date. The structure of, and details to be included in, the data files will be further defined by the CSSF.
The obligation to maintain the above data files will only apply in relation to accounts opened or safe deposit boxes rented at the date of entry into force of the law or afterwards (in other words, it will not apply to accounts or safe deposit boxes that have been closed before the date of entry into force of the law).
An Obliged Entity must ensure, at its own expenses, that the CSSF has at all times secure, automated and continued access to the data contained in the data files in accordance with a procedure to be defined by the CSSF.
The Bill expressly provides that all or part of the obligations of an Obliged Entity may be delegated to a third party, provided that certain conditions are complied with.
Compliance with the relevant obligations is achieved through various supervisory and investigation powers for the CSSF (including upon service providers to which Obliged Entities may delegate the performance of certain tasks) as well well as injunction powers and the right to impose administrative sanctions or take other administrative measures
(including their publication) against Obliged Entities.
II. Central system set-up by the CSSF
The CSSF must set up and manage a central electronic data retrieval system allowing for the identification of any
natural or legal person holding or controlling payment or bank accounts identified by an IBAN number or safe
deposit boxes held at an Obliged Entity.
To that end, designated personnel at the CSSF can access directly, immediately and without filtering the data files
held by the Obliged Entities by means of a secure procedure and afterwards consolidate the relevant data.
The Luxembourg financial intelligence unit will also have direct, immediate and unfiltered access to the central
electronic retrieval system managed by the CSSF. Other national authorities and self-regulatory bodies (as defined
in the Bill) will only have a right to receive the relevant data upon request to the CSSF, in accordance with a
procedure to be set up by the CSSF. In addition, these national authorities and self-regulatory bodies must provide
the CSSF with a list of a limited number of persons, who are entitled to make such requests and receive the relevant
Any processing of personal data for the purpose of the combat against money laundering and terrorist financing in
the context of the Bill is subject to Regulation (EU) 2016/679 (GDPR) and is considered to be a public interest issue
1. Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.
2. The full text of the Bill is available via the following link: https://bit.ly/38d0avm
3. Note that the Bill also aims at amending the act of 12 November 2004 on the combat against money laundering and terrorist financing. Those changes will be addressed in a separate eAlert.
4. Within the meaning of Regulation (EU) No 260/2012 of the European Parliament and of the Council of 14 March 2012 establishing technical and business requirements for credit transfers and direct debits in euro.
5. EU refers to Member States of the EU as well as states which are parties to the European Economic Area agreement.