Implementation of the 5th AML Directive into Luxembourg law: the last piece of the puzzle – Key aspects and changes of the la…

The law1 of 25 March 2020 implementing EU Directive 2018/8432 (the “5th AML Directive”) and amending the law of 12 November 2004 on the fight against money laundering and terrorism financing, as amended (the “2004 Law”) entered into force on 30 March 2020 (the “New Law”).

This New Law is part of a legislative package, including the law of 25 March 2020 establishing a central electronic data retrieval system concerning IBAN accounts and safe- deposit boxes (the “Central Register Law”). Additional information on the Central Register Law may be found at the following link.

The aim of the New Law is to make the necessary adaptations to the 2004 Law in order to ensure the implementation of most parts of the 5th AML Directive (although certain aspects of the 5th AML Directive have already been implemented in the law relating to the register of beneficial owners – more information can be found at the following link). The New Law also to a certain extent goes further than the 5th AML Directive, by directly implementing certain of the recommendations of i.a. the Financial Action Task Force (“FATF”) which are not contained in the 5th AML Directive.

In the above context, the current newsflash aims at setting out the main changes brought by the New Law to the 2004 Law, and thus affecting all professionals subject to anti-money laundering and counter terrorism financing (“AML-CTF”) obligations (such as credit institutions, investment firms and other professionals of the financial sector, investment funds and their management companies, insurance companies, etc.). The main changes of the New Law are in essence the following:

-  New extended scope of professionals subject to AML-CTF obligations;

-  Reinforcement of the customer due diligence (“CDD”) measures applicable to professionals, including new rules for enhanced CDD (“EDD”) measures;

-  New rules relating to the recourse by professionals to third parties to carry out their CDD measures on their behalf (the so-called third party introducer regime);

-  Reinforcement of the powers of competent authorities and self-regulatory bodies in charge of the supervision of professionals subject to AML-CTF obligations; and

-  Strengthening of both national and international cooperation between competent authorities and self-regulatory bodies.

1. Extended scope of the 2004 Law

The New Law, in line with the requirements of the 5th AML Directive, broadens the scope of the 2004 Law to take into account new technologies when it comes to payment services, and now includes virtual currency service providers, including exchange services between virtual currencies and fiat currencies, and conservation and administration service providers, including custodian wallet providers. All these new terms have been defined in the 2004 Law. Pursuant to the Central Register Law, these new actors (together with trust or company service providers) are also now subject to a registration obligation with the Commission de Surveillance du Secteur Financier (the “CSSF”).

Traders of works of art or persons acting as intermediaries in the trade of works of art (including through art galleries or auction houses) and persons storing, trading or acting as intermediaries in the trade of works of art when this is carried out by Freeports and where the transaction (or a series of linked transactions) amounts to at least EUR 10,000 are also included in the scope of the law.

Real estate developers and estate agents acting as intermediaries with regards to the purchase or letting (where the rent amounts to or exceeds EUR 10,000 per month) of immovable property (in addition to real estate agents) are also now subject to the 2004 Law.

In addition, the New Law provides that any person which commits to provide, directly or via another person to whom it is related, a material assistance or advice from a tax perspective as a principal economic or professional activity is now also considered as falling within the scope of the 2004 Law.

Finally, and although this was already provided for in the previous version of the 2004 Law, the New Law emphasizes that the Luxembourg AML-CTF obligations apply to all Luxembourg branches of persons incorporated outside of Luxembourg as well as professionals providing services into Luxembourg on a cross-border basis without a physical presence in Luxembourg (upon notification to the CSSF or Commissariat aux Assurances (the “CAA”)). The relevant Luxembourg regulators are required to ensure compliance by entities providing their services on a cross-border basis into Luxembourg with such AML-CTF obligations.

These professionals falling within the scope of the 2004 Law as listed above will thus now need to comply with all relevant AML-CTF obligations contained in the 2004 Law (CDD obligations, internal organisation and cooperation with authorities).

2. Amendments and specifications in relation to CDD measures 2.1 Risk assessment at the level of professionals

The New Law reminds professionals that, when carrying out their own risk assessment (i.e. the risk of being used for money laundering and/or terrorism financing they are subject to), all relevant risk factors must be taken into account before coming to a conclusion on their global risk level and the types of measures to be taken to mitigate such risk. In addition, this risk assessment must take into account the national and supranational risk assessments (cf., for instance, the Luxembourg national risk assessment which all professionals must request from their competent authorities).

2.2 Use of prepaid cards

The New Law further limits the use of prepaid cards and e-money, by lowering the threshold for identifying their purchasers to EUR 150. The same threshold now also applies to prepaid instruments which may only be used within Luxembourg’s borders (the previously applicable EUR 500 threshold has now indeed been deleted).

2.3. Reliance on third parties

The New Law reminds professionals that before having recourse to a third-party introducer, they must ensure that the relevant third party meets the eligibility criteria of the 2004 Law (i.e. it is subject to regulation and supervision and it takes appropriate AML-CTF measures, including record-keeping measures, which are in line with those provided for under the 2004 Law).

More generally, the New Law reminds professionals that they must take adequate steps to ensure that the third party provides immediately, upon request, relevant copies of identification and verification data and other relevant documentation on the identity of the customer or the beneficial owner.

The New Law also adds a new criterion for the reliance on third-party introducers which are part of the same group, requiring professionals to also ensure that the group company takes appropriate measures to ensure that any risk related to a high-risk third country is efficiently mitigated and to ultimately consider that the presumption of Article 3-3 (4) of the 2004 Law may apply.

2.4 Specifications relating to the carrying out of CDD measures

2.3.1 Recourse to electronic means of identification and verification of identity

The New Law provides a clearer legal framework for electronic identification and verification of the identity of the customer (and/or beneficial owners and proxies, if applicable), by enabling the electronic identification and verification of identity via trusted services as set out in Regulation (EU) No 910/2014, or any other secure, remote or electronic identification process regulated, recognized, approved or accepted by the relevant national authorities.

2.3.2 Specifications relating to the measures to be taken in relation to the identification and verification of identity of legal persons or arrangements

The New Law further clarifies the methodology for the identification and verification of the identity of the beneficial owners of companies and legal arrangements (i.e. identification of the natural persons who ultimately own or control a legal entity within the meaning of Article 1(7) of the 2004 Law). This should, in our opinion, be read in line with the new CSSF Circular 19/732.

Furthermore, the New Law also clarifies the measures to be taken regarding the identification and verification of the identity of the person acting in the name and/or on behalf of the customer (i.e. the customer’s proxy), as well as the measures to be taken in order to ensure a proper understanding of the nature of the customer’s activity and legal structure of the customer as well as a series of additional information to be obtained on the customer itself and its directors.

2.3.3 Specifications relating to the identification and verification of beneficiaries of life insurance contracts or insurance contracts relating to placements

The New Law finally specifies (and this provides for some comfort to the sector) that credit institutions and financial institutions are only required to identify and verify the identity of the beneficiary of the life insurance contract or contract related to placements where the relevant contract was entered into or negotiated by them (as intermediary).

In such case, the beneficiary must be taken into account when carrying out the risk assessment of the relevant relationship.

2.4 Clarifications relating to EDD measures

2.4.1 Clarifications relating to the concept of politically exposed persons (“PEPs”)

Pursuant to the New Law, the 2004 Law has deleted the reference to the fact that a person is no longer considered as a PEP if such person has not been entrusted with prominent public functions for a year or more. Professionals are consequently required to continue applying appropriate risk-based measures to an ex-PEP until the relevant person no longer presents a particular risk (and in any case for a minimum period of twelve months).

In addition, the New Law includes in the definition of PEP the relevant persons which will be listed on the list of PEPs to be published by the European Commission in this context.

2.4.2 Clarifications regarding transactions which must be subject to enhanced scrutiny

The New Law specifies what is to be understood by a complex and unusual transaction (which are to be subject to EDD measures), through the inclusion of four alternative criteria (complex transaction, transaction with an unusually high amount, transaction operated in an unusual manner, the transaction does not have an apparent economic/legal object). Transactions meeting one or more of these criteria must also be subject to enhanced scrutiny by the professional, which must assess the context and objective of such a transaction.

2.4.3 Clarifications relating to the measures to be taken in relation to transactions involving high-risk third countries

The New Law introduces several clarifications in relation to the measures that shall be taken by professionals carrying out transactions involving high-risk countries as identified by the

European Commission, the FATF or by the supervisory authorities or professionals as part of their AML-CTF risk assessment.

First of all, the 2004 Law provides for a minimum set of EDD measures to be taken by professionals which are in line with the 5th AML Directive requirements (such as for instance obtaining additional information on the customer and/or on the beneficial owner(s)) when facing a relationship involving i.a. a customer in a high-risk country.

In addition, and in line with the 5th AML Directive, which provided for the possibility for Member States to take additional measures in relation to high-risk countries, the New Law provides for measures which may be taken by national competent authorities and self- regulatory bodies towards high-risk countries, such as, but not limited to, denying the right for entities subject to the 2004 Law to establish subsidiaries, branches or representation offices in such countries. Such measures will need to be notified to the European Commission prior to their implementation.

2.4.5 Extension of EDD measures to be applied to correspondent banking relationships

The New Law has abandoned the distinction between correspondent banking relationships with respondent institutions situated in third countries/Member States presenting higher risks, and now requires the application of EDD measures to all correspondent banking relationships, irrespective of the country in which the respondent is situated.

3. Internal organization and intra-group policies

The New Law reminds professionals of the fact that their internal control functions, including their internal audit function, must have sufficient resources and independence in order to ensure the verification of all relevant procedures, policies and control measures. The New Law also specifies that an adequate internal organization includes the setting up of appropriate procedures for the hiring and training of employees.

Regarding more particularly the policies and procedures to be set up at group level, the New Law specifies the elements to be included in such procedures, and in particular which information must be circulated within the group, and by which entities.

4. Enhanced powers and cooperation between the supervisory authorities

In view of the high volume of cross-border activities in Luxembourg, the New Law, in line with the 5th AML Directive requirements, further strengthens the cooperation framework between supervisory authorities (including the Cellule de Renseignements Financiers) and self- regulatory bodies at both national and international level (including cooperation between the CSSF and the European Central Bank and European Banking Authority) by providing a clear framework for such cooperation. The sanctioning powers of self-regulatory bodies have also been aligned with the powers of the other national competent authorities (such as the CSSF or CAA).

1 Bill of law °7467
2 EU Directive 2018/843 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing