Luxembourg regulator announces new requirements on central administration, internal governance and risk management

On 22 April 2022, the CSSF released Circular CSSF 22/807, which updates Circular CSSF 12/552 on central administration, internal governance and risk management in order to integrate several EBA guidelines into the CSSF's administrative practice and regulatory approach.

The updated Circular CSSF 12/552 (the “Circular”) is applicable (i) to credit institutions and their branches, (ii) to Luxembourg branches of credit institutions originating from third countries, (iii) to Luxembourg branches of institutions authorised in another Member State for the areas where the CSSF is competent, and (iv) in part to professionals performing lending operations (the “Entities”).

The Circular integrates (i) the possibility of outsourcing certain tasks in accordance with Circular CSSF 22/806 (please refer to our eAlert on Circular CSSF 22/806), (ii) environmental, social and governance ("ESG") issues and (iii) the whistleblower mechanism within the meaning of Directive (EU) 2019/1937. The Circular also extends the central administration, internal governance and risk management framework to (i) the institution's strategy on AML risks, ESG risks and risks in the provision of investment services, and (ii) the principles of equality and non-discrimination. Accordingly, the Entities' policies should ensure fair treatment and equal opportunities for all staff.

The supervisory body should also have non-discrimination guidelines and should improve the representation of the under-represented gender among staff in management positions. In addition, the majority of its meetings must now be held at the headquarters of the Luxembourg institution with a majority of its members present (on site). The decision-making of the supervisory body must not be dominated by a single member or a small group of members.

As to compliance with the AML requirements, the Circular specifies that all internal functions contribute to compliance with such requirements. A person responsible for compliance with the professional AML obligations is appointed by the authorised management among its members. The internal control system also includes AML processes and procedures, such as the assessment of exposure to the risk of being abused for ML/FT purposes and the training of staff in this respect. The code of conduct provides examples of acceptable and unacceptable or prohibited professional behaviours and practices, including in the area of AML. The specialised committees may request any information, including on AML, and the summary report of the compliance function, inter alia, assesses the seriousness of the events covered and the adequacy of the AML compliance monitoring plan. AML risks are also analysed as part of the approval process for new products.

The Entities shall not create or maintain opaque or unnecessarily complex structures and shall analyse their structures against the elements listed in the Circular.

The management body establishes a decision-making framework dedicated to related party transactions, which now also covers transactions with (i) spouses, partners, children and parents of members of the management body and (ii) business entities in which a member of the management body, or a close member of his or her family, holds a qualifying interest of at least 10% of the capital or voting rights, over which such persons can exercise significant influence, or in which such persons hold positions in the general management or the management body. Among other things, specific documentation must be collected, kept and made available to the competent authority whenever a loan is granted to a member of the management body or to a related party.

Circular CSSF 22/807 applies as from 30 June 2022.