Implementation of the fourth AML directive in Luxembourg: what will be the new obligations?
15 February 2018
The Luxembourg Parliament has now finally adopted bill n° 71281, which implements most of the provisions of the Directive (EU) 2015/849, the so-called 4th anti-money laundering directive (AMLD IV), into Luxembourg law. The bill will soon become law after its execution and publication and its provisions will immediately be applicable without a transitional period. This is a major step in the implementation of the AMLD IV, which was due to be completed by 26 June 2017 at the latest.
As a reminder, in Luxembourg, the implementation of the AMLD IV has been divided into five different pieces of legislation:
• the tax reform law of 23 December 2016, which has led to the insertion of criminal tax offences (fraude fiscale aggravée and escroquerie fiscale) in the list of predicate offences to money laundering;
• the bill n° 7128, which was voted on 6 February 2018: it implements the main provisions of the AMLD IV and amends the law of 12 November 2004 on the fight against money laundering and terrorist financing (the AML Law);
• the bill n° 7208, introduced before the Luxembourg Parliament on 8 November 2017: it implements the directive 2016/2258 pursuant to which national tax authorities shall be granted access to the mechanisms, procedures, documents and information referred to in articles 13 and 40 of the AMLD IV;
• the bill n° 7216, which was introduced before the Luxembourg Parliament on 6 December 2017: it implements article 31 of the AMLD IV pertaining to the register of trusts;
• the bill n° 7217, which was introduced before the Luxembourg Parliament on 6 December 2017: it implements article 30 of the AMLD IV pertaining to the register of ultimate beneficial owners.
Those last three bills are now undergoing the standard legislative process and there is not yet any visibility on the date at which the final laws will be adopted.
The note below provides an overview of the actions that you are expected to be taking as a result of the implementation of the provisions set out in bills n° 7128, 7216 and 7217, depending on whether you are a professional within the meaning of the AML Law, manage an entity registered with the Luxembourg trade and companies register or act as a fiduciary agent. Note that the comments below are based on the current version of bills n° 7216 and 7217, which may further evolve until the final laws are passed. Unless otherwise stated, any reference to the AML Law in the below comments is to be understood as a reference to this law as amended by the bill n° 7128.
1. HOW DOES THIS IMPACT THE PROFESSIONALS WITHIN THE MEANING OF THE AML LAW?
Alike the current version of the AML Law, the obligations set out in the revised version of the AML Law apply to all professionals within the meaning of article 2 (2) of said law (the Professionals). At first sight, the list of Professionals remains the same and is only completed with new professions such as the persons providing family office services or bailiffs in relation to certain of their activities.
It is however interesting to note that:
• for financial institutions which are categorised as Professionals because they exercise an activity listed in the Annex to the AML Law, the latter will be replaced with a new Annex I. The content of this Annex is not only amended in terms of denomination of certain existing categories of activities but also to include new types of activities. In addition, the current criterion that the activities listed therein be performed as a business to be categorised as Professional has been removed;
• for other natural or legal persons trading in goods, the obligations will now apply whenever payments are made in cash in an amount of EUR 10,000 or more (it was EUR 15,000 before).
1.1 WHAT ARE THE NEW RULES IN TERMS OF CUSTOMER DUE DILIGENCE?
(a) More detailed rules on risk assessment
Under the current regime, Professionals already have to perform an assessment of the AML/CTF risks pertaining to their activities. Guidance on the implementation of this general obligation set out in the AML Law has been provided by the Commission de surveillance du secteur financier (the financial regulator) (the CSSF) in circular letters.
The contemplated amendments to the AML Law aim at providing further detail, in the AML Law itself, on the manner and circumstances in which such an assessment must be performed. Those amendments also insist on the obligation of documenting those assessments. Some derogations to this obligation may be possible but further guidance will, in our view, be required as regards the conditions on which they may be obtained.
(b) Extended list of cases in which Professionals have to perform due diligence measures
This extension concerns natural or legal persons trading in goods (when executing cash transactions in an amount exceeding EUR 10,000), persons providing gambling services (under certain circumstances) and Professionals who execute, on an occasional basis, a transfer of fund (in the meaning of article 3, point 9 of the Regulation 2015/847) in an amount exceeding EUR 1,000.
(c) Adjustment of the scope of the due diligence measures to be applied to a client based on the Professional’s risk assessment
The Professionals may adjust the scope of their due diligence measures to each individual customer based on a prior risk assessment. However, such an assessment must be based at least on certain pre-determined criteria that are listed in a new Annex II to the AML Law.
Professionals must be able to justify to control authorities or self-regulatory bodies (organismes d’autorégulation) the appropriateness of the measures taken in light of their assessment.
(d) Identification and verification of the identity of beneficial owners
The definition of beneficial owner is amended and provides in particular that in respect of corporate entities, if no beneficial owner can be identified and provided there are no grounds for suspicion, a senior managing official may be considered as the beneficial owner.
Although new registers will be created, as further detailed sub. 2 and 3. below, Professionals cannot rely exclusively upon the information available at such registers to perform their due diligence obligations.
The identification and verification of the identity of beneficial owners must, in principle, be performed in all instances (and no longer “where applicable”).
(e) Mandatory assessment of both the purpose and intended nature of the relationship
The AML Law provides that Professionals must make an assessment of the purpose and intended nature of the business relationship and, if relevant, collect information in that respect.
(f) Customer due diligence to be repeated at all relevant times
Customer due diligence measures must apply to new customers and, at all relevant times, to existing customers after taking into consideration the due diligence measures already performed and the date of performance, in particular where relevant elements of the client situation change.
(g) Detailed requirements on the records to be kept
The AML Law lists more precisely the records to be kept and is also more specific about the circumstances in which Professionals may retain the relevant data for a period exceeding five years following the carrying-out of the transactions or the end of the business relationship.
(h) Increased guidance on data protection rules to be complied with
The AML Law provides for a specific disclosure obligation of the Professionals towards new clients for data protection purposes.
It also specifies the conditions on which a Professional may restrict or defer the exercise of a right of access to his or her personal data by a client.
(i) Simplified due diligence based on criteria listed in the new Annex III
While the current version of the AML Law lists the situations in which simplified due diligence measures may be applied by a Professional, the contemplated amendments follow a different approach. Hence, the AML Law generally provides that Professionals may apply simplified due diligence measures wherever they identified a reduced AML/CTF risk (this risk assessment is to be performed based on the criteria listed in a new Annex III to the AML Law). In such cases, the Professional must nonetheless monitor the transactions performed to detect any unusual or suspicious transaction.
A specific regime is nonetheless provided for electronic money. Hence, based on a prior assessment of the (reduced) AML/CTF risk, Professionals are authorised not to apply certain due diligence measures as regards electronic money if, in a nutshell, the relevant payment instrument fulfils certain strict conditions and the Professional monitors the transactions performed via such a payment instrument in order to detect any unusual or suspicious transaction. It is not yet clear whether the insertion of such a specific regime in the AML Law itself will entail modifications to article 2 of Grand-ducal Regulation of 1 February 2010 providing details on certain provisions of the amended law of 12 November 2004 on the fight against money laundering and terrorist financing (the Regulation) and to which extent.
(j) Enhanced due diligence based on criteria listed in Annex IV
Alike the current version of the AML Law, the amended version continues to list specific situations in which enhanced due diligence measures will have to be applied by a Professional.
However, the AML Law also provides for a general obligation to identify relationships for which a high AML/CTF risk exists (this risk assessment is to be performed based on the criteria listed in the AML Law and in a new Annex IV to the AML Law) and therefore for which the Professional has to apply enhanced due diligence measures. In this context, it is worth noting that the entry into business relationships at distance is no longer one of the specific situations listed by the AML Law that entails, per se, enhanced due diligence, but a distance relationship is one of the elements to be considered when assessing whether a business relationship entails higher risks. Conversely, the entry into relationships with persons established in third countries which do not apply or insufficiently apply AML/CTF measures is now listed, in the AML Law itself, as a situation which requires per se enhanced due diligence (until now, this was mentioned in the Regulation).
(k) Extended list of third parties that may perform due diligence obligations
The AML Law sets out new specific requirements for Professionals that wish to rely upon other entities of their group for the performance of their due diligence obligations.
(a) Mandatory internal policies, controls and procedures
Professionals must have in place internal policies, controls and procedures to mitigate and manage effectively the AML/CTF risks, including model risk management practices, customer due diligence, reporting, record-keeping, internal control, compliance management including, where appropriate with regard to the size and nature of the business, the appointment of a compliance officer at management level, and employee screening. Those measures must be approved by senior management.
In addition, where appropriate with regard to the size and nature of the business, an independent audit function to test the internal policies, controls and procedures referred to above will have to be created.
Where applicable, Professionals must also designate among the members of their management body the person who is responsible for the compliance with the professional obligations under the AML/CTF legislation.
(b) Mandatory risk management procedure
Professionals must implement risk management procedures as regards the conditions under which their clients may benefit from a business relationship before full completion of the verification of identity.
(c) Mandatory risk assessment when developing new products and new business practices
Professionals must identify and assess the AML/CTF risks that may be incurred before launching or using any new product, practices or technologies and take appropriate measures to mitigate such risks.
(d) Risk assessment systems with respect to politically exposed persons
Professionals must have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a politically exposed person and take specific measures when entering into a business relationship with a politically exposed person.
The above applies to both domestic and foreign politically exposed persons and for a period of at least 12 months after the relevant person has ceased to hold a prominent public office.
(e) Mandatory staff training programmes proportionate to the risks, nature and size of the Professional
Employees must be made aware of the AML/CTF obligations, including relevant data protection requirements. Specific training programmes must be put in place to help them identify indications of money laundering or terrorist financing and dealing with such situations.
(f) Whistleblowing measures to protect staff
Professionals must have in place appropriate measures proportionate to their nature and size to allow their staff or persons in a comparable position to internally report any breach of the AML/CTF obligations.
(g) Implementation of group-wide policies and procedures
Professionals that are part of a group must implement group-wide policies and procedures, including data protection policies and policies and procedures for sharing information within the group for AML/CTF purposes.
The AML Law is completed by a series of provisions detailing the powers that are granted to control authorities and the self-regulatory bodies (organismes d’autorégulation) in the context of the implementation of the AML Law. Similarly, it includes a list of the administrative sanctions and other measures that can be taken by control authorities in the context of the implementation of the AML Law (including when a Professional does not provide information or documents or provide incomplete, inaccurate or false information or documents to control authorities). Note that decisions taken by control authorities are published: such publications will, in principle, include the name of the sanctioned person, except in exceptional circumstances.
The amount of the criminal fines that may be imposed upon the persons who knowingly contravene their professional obligations under the AML Law is substantially increased and ranges from EUR 12,500 to EUR 5,000,000 (it currently ranges from EUR 1,250 to EUR 1,250,000).
2. HOW DOES THIS IMPACT ENTITIES REGISTERED WITH THE LUXEMBOURG TRADE AND COMPANIES REGISTER?
The requirements in that respect derive from the bill n° 7217.
Under its current drafting the bill n° 7217 applies to all entities registered with the Luxembourg trade and companies register pursuant to article 1, points 2 to 4, 6 to 13 and 15 of the law of 19 December 2002 on the trade and companies register and the accounting and annual accounts of undertakings, as amended. It will therefore apply to the commercial companies such as, among others, sociétés anonymes (public limited liability companies) and sociétés à responsabilité limitée (private limited liability companies) as well as certain other legal entities governed by Luxembourg law as further detailed in the bill n° 7217 (together, the Concerned Entities).
It has to be noted that investment funds in the form of a fonds commun de placement are not included in the list of Concerned Entities.
Similarly, the bill n° 7217 expressly excludes from its scope listed companies whose securities are admitted to trading on a regulated market. One may regret that a similar exemption has not been included for companies whose securities are transferred via a settlement scheme.
Note that the bill n° 7217 does not impose obligations upon the beneficial owners themselves.
The bill n° 7217 provides for a 6 months transitional period after the entry into force of the law for the Concerned Entities to comply with the provisions of the law. This means that the legal representatives of the Concerned Entities will have 6 months to:
(i) obtain and hold information on the beneficial ownership of the Concerned Entity 2 including their first names, last name, nationalities, date and place of birth, country of residence, address, identification number, and the nature and extent of the beneficial interests held. That information must be accurate and up to date at all times;
(ii) file the above information as well as supporting evidence with the trade and companies register acting as manager of the Register of beneficial owners (the REBECO). The list of documents to be provided as supporting evidence as well as the manner in which the electronic filing can be performed will be determined in a grand ducal regulation which is not yet available.
In addition to these initial steps, the legal representatives will then have to:
(i) update such filing within one month of any event that would make such information inaccurate or obsolete;
(ii) upon request provide access to the information to:
(A) the national authorities (among others the State prosecutor, the investigating judges, the financial intelligence unit, the CSSF, the Commissariat aux assurances (the insurance regulator) (the CAA) as well as the tax authorities);
(B) the self-regulatory bodies (organismes d’autorégulation) (e.g. the council of the Luxembourg bar, the Chamber of notaries etc. in connection with the exercise of their supervisory powers in relation to the fight against money laundering and terrorist financing); and
(C) the Professionals (e.g. credit institutions, lawyers, notaries etc. in connection with the performance of customer due diligence measures); and
(iii) indicate the place where the above information will be kept for five years after the Concerned Entity has been dissolved or has ceased to exist.
2.3 WHO CAN ACCESS THE INFORMATION IN THE REGISTER?
First of all, the national authorities (as described above) will have access to all the information kept in the REBECO and at the registered office of the Concerned Entity.
Self-regulatory bodies and Professionals will have access to all the information, except the address and the national identification number of the beneficial owners, as kept in the REBECO and at the registered office of the Concerned Entity.
As currently drafted, the bill n° 7217 further provides that any person or organisation residing in Luxembourg that can demonstrate a legitimate interest may have access to the following information held in the REBECO: the first names, last name, nationalities, month and year of birth (not day), country of residence and the nature and extent of the beneficial interests held by the beneficial owners. In order to get access the person or organisation will have to apply to the trade and companies register and specify either the name of the entity, its registration number or its national identification number. The request will then be transferred to a coordination commission. The commission will examine the request and decide whether access can be granted. The Concerned Entity will be notified of the decision to grant access and may institute legal proceedings to object to the decision.
In exceptional circumstances, where granting access would expose the beneficial owner to the risk of fraud, kidnapping, blackmail, violence or intimidation, or where the beneficial owner is a minor or otherwise incapable, a Concerned Entity may request an exemption whereby the access will be restricted to the national authorities only.
The bill n° 7217 currently provides for criminal fines ranging from EUR 1,250 to EUR 1,250,000 against the Concerned Entities and their legal representatives if they fail to provide information on the beneficial owners as and when required by law, if they have voluntarily provided inaccurate, incomplete or obsolete information on the beneficial owners, if they have failed to obtain and hold the required information at the registered office of the entity, or if they have voluntarily provided the national authorities, self-regulatory bodies or Professionals with information on the beneficial owners that was inaccurate or obsolete.
3. HOW DOES THIS IMPACT FIDUCIARY AGENTS?
The requirements in that respect derive from the bill n° 7216. It is important to bear in mind that such requirements are only applicable in relation to fiduciary arrangements within the meaning of the Luxembourg law of 27 July 2003 relating to trusts and fiduciary contracts, as amended (the 2003 Law).
Fiduciary agents (fiduciaires) who have entered into a fiduciary contract governed by the 2003 Law.
3.2 WHAT ARE THE NEW OBLIGATIONS?
The bill n° 7216 provides for a 6 months transitional period after the entry into force of the law for the fiduciary agents to comply with the provisions of the law. This means that the fiduciary agents will have 6 months to:
(a) obtain and hold at their registered office information on the beneficial owners of the fiducies in respect of which they act as fiduciary agent. This information includes: the identity of the principal, the fiduciary agents, the protectors (the reference to protectors seems however inappropriate to the extent that the bill applies to fiduciary contracts governed by the 2003 Law), the beneficiaries (and if not yet known, sufficient information to identify them at the relevant time), and any individual who has control over the fiducie. The above information must be accurate and up to date at all times;
(b) only when the fiducie generates tax consequences, register the fiducie in the Register of Fiducies held by the Administration de l’Enregistrement et des Domaines (the AED) (the VAT and indirect tax administration), obtain a registration number for the fiducie, file information on the principal, the fiduciary agents, the protectors (if any), the beneficiaries and any individual who has control over the fiducie with the Register of Fiducies and update such filing within one month of any event that would make such information inaccurate or obsolete;
(c) provide the above information and registration number (if any) to the national authorities (among others the State prosecutor, the investigating judges, the financial intelligence unit, the CSSF, the CAA as well as the tax authorities) upon request;
(d) inform Professionals of their acting as fiduciary agent and provide them with the above information and registration number (if any) when they enter in a business relationship with them or enter into a transaction whose amount exceeds certain thresholds; and
(e) retain the above information for five years after they have ceased to be involved in the fiducie.
3.3 WHO WILL HAVE ACCESS TO THE INFORMATION ON THE BENEFICIAL OWNERS OF A FIDUCIE?
In principle, only the national authorities (as described above) will have access to the information held in the Register of Fiducies and kept by the fiduciary agent at its registered office. Professionals may nonetheless have access to certain information in the circumstances described above.
Unlike the bill n° 7217, the bill n° 7216 does not provide for a right, in favour of any person or organisation residing in Luxembourg that can demonstrate a legitimate interest, to have a restricted access to certain information held in the Register of Fiducies.
3.4 WILL THERE BE PENALTIES?
The AED will have the possibility to pronounce administrative penalties and take administrative measures if, among others, information on a fiducie which has been filed by a fiduciary agent is inaccurate or missing.
More generally, the bill n° 7216 provides that control authorities, such as the CSSF or the CAA, and the AED must control that the fiduciary agents comply with the requirements set out in the law. As a result the AED, the CSSF and the CAA have the right, among others, to access any document or give injunctions to the fiduciary agents. The above authorities may also pronounce administrative penalties and take administrative measures against the fiduciary agents and the members of their management body, actual managers or other persons responsible for the failure to comply with the law.
1 The bill was first voted on 6 February 2018 and was granted clearance by the State Council on 12 February 2018.
2 In order to determine the beneficial ownership of the entity reference shall be made to the definition provided by the AML Law as amended (see sub. 1 above).
Already signed up for Client alerts? Click here to access your portal