AML-CTF amended regulation for the Luxembourg financial and asset management sectors


On 20 August 2020, two important texts from an anti-money laundering and counter-terrorism financing (“AML-CTF”) perspective were published:

  • the Commission de Surveillance du Secteur Financier (“CSSF”) regulation n°20-05 of 14 August 2020 amending CSSF regulation n°12-02 of 14 December 2012 relating to the fight against money laundering and terrorism financing (“ML-TF”) (the “CSSF Regulation”); and
  • the Commissariat aux Assurances (“CAA”) regulation n°20/03 of 30 July 2020 relating to the fight against ML-TF (the “CAA Regulation”) which repeals the CAA regulation n°13-01 of 23 December 2013 relating to the fight against ML-TF. The CAA Regulation is completed by an interpretative note which provides useful guidance on the provisions of the CAA Regulation (the “Interpretative Note”).

Both texts, which either amend or replace previous provisions, have been adopted in order to take into account the current legislative framework on the fight against ML-TF. Indeed, since 2012 and 2013 respectively, the law of 12 November 2004 on the fight against ML-TF (“the 2004 Law”) has been amended several times, notably in order to implement directives 2015/849 (the “4th AML Directive”) and 2018/843 on the fight against ML-TF. In that context, on 24 August 2020, the Grand Ducal regulation of 14 August 2020 amending the Grand Ducal regulation of 1 February 2010 providing details on certain provisions of the 2004 Law, as amended, also entered into force[1]. The regulatory framework in the financial and insurance sectors therefore required updating.

We will briefly analyse in the present note the changes implemented by the CSSF Regulation. Changes implemented by the CAA Regulation are set out in a separate note which you will find at the following link: AML-CTF new regulation for the Luxembourg insurance sector.

Generally, the CSSF Regulation has been amended in order to update references to the 2004 Law following recent amendments thereof. In addition, the amended version of the CSSF Regulation reflects changes to the 2004 Law, such as, for example, the risk assessment methodology and risk factors, reliance on a digital identity process, etc. Minor changes have also been carried out which will not be detailed hereunder. The present note will indeed concentrate on certain specific elements which do not merely constitute an implementation of recent legislative changes but rather reflect regulatory practice, notably in the asset management industry.

A. Automated client acceptance process in low-risk situations

By exception to the general requirement relating to the acceptance of a new client, whenever the relevant client presents a low ML/TF risk, such acceptance may be carried out on the basis of an automated acceptance process at the level of the relevant professional, which does not involve a natural person[2].

B. Simplified due diligence

The CSSF Regulation in its amended version now also takes into account the application of simplified due diligence measures, which was previously not the case. Examples of simplified due diligence measures are provided, such as:

  • when dealing with regulated entities, verifying that the client is indeed subject to registration/licensing requirements by carrying out a search on the official website of the regulator and documenting the results thereof;
  • when dealing with a credit institution or financial institution which is regulated, for the persons who are acting on behalf of this institution, instead of requiring the exhaustive identification of these persons, obtaining from the relevant institution a letter confirming that the latter carried out due diligence measures in relation to these persons and regularly screens these persons against restrictive financial measures lists; or
  • updating information only in case of certain triggering factors[3].

C. Non-face-to-face business relationships

In case of a non-face-to-face business relationship for which the relevant professional did not take into account the necessary guarantees as set out under Annex IV of the 2004 Law, the professional is required to take additional measures considering the potentially higher risk presented by this relationship such as:

  • measures to guarantee that the identity of the client is established by way of additional identification documents, data or information;
  • additional measures enabling the verification or certification by a public authority of the documents provided; or
  • measures guaranteeing that the first payment is carried out by way of an account opened in the name of a client at the level of a credit or financial institution subject to the 2004 Law or to equivalent AML/CTF professional obligations[4].

Therefore, even though the 2004 Law no longer provides for the automatic application of enhanced due diligence measures in relation to non-face-to-face business relationships, the CSSF Regulation nonetheless requires professionals to take additional measures in order to compensate for the potentially higher risk presented by this type of relationship.

D. Carrying out of investment operations

In the context of the carrying out of investment operations, professionals are required to carry out an assessment of the ML/TF risk presented by the relevant investment and take due diligence measures adapted to the assessed and documented risk. This risk assessment should be formalised and reviewed annually and whenever particular facts require such review[5].

E. Outsourcing arrangements and agency relationships

The obligations of a professional relying on a service provider or an agent are further detailed in the CSSF Regulation[6]. In particular, the CSSF Regulation specifies the monitoring obligation of the professional which, beyond the requirement to occur regularly, should enable the professional to verify and control (for example by way of sample testing and on-site controls) compliance with the obligations of the service provider.

Furthermore, the CSSF Regulation introduces new requirements for fund managers, which are required to carry out due diligence measures, on a risk-based approach, in relation notably to registrar and transfer agents, portfolio managers to which management is outsourced and investment advisors.

In addition, in case the service provider is a registrar and transfer agent which acts on behalf of an investment fund, the board of directors of the investment fund (or equivalent) and/or the investment fund manager which outsources certain tasks to the registrar and transfer agent remain responsible for those tasks. Thus, the board of directors (or equivalent) of the fund and the fund manager need to ensure that relevant outsourcing arrangements comprise detailed clauses specifying the roles and responsibilities of each party to the relevant arrangement. They furthermore need to ensure that the outsourcing arrangement enables them to have access to any information necessary for the accomplishment of their functions and to carry out continuous and formalised monitoring of the service providers.

The above requirements may be specified by the CSSF by way of a circular letter, an option which we expect the CSSF to exercise.

F. Persons responsible for compliance and for control

The CSSF Regulation specifies the functions of the person responsible for compliance with the obligations in AML-CTF matters (the “Person Responsible for Compliance” or “RR”) and that of the person responsible for the control of compliance with such obligations (the “Person Responsible for Control” or “RC”)[7].

Whilst the CSSF had already provided guidance for the fund industry in relation to these persons[8], the CSSF Regulation now defines these persons and clarifies their role and responsibilities.

The Person Responsible for Compliance (RR) should be designated at the level of the authorised management or board of directors of the relevant professional. In particular, the Person Responsible for Compliance (RR) should be the member of authorised management who is responsible for the fight against ML/TF. Where the relevant professionals do not have an authorised management, the Person Responsible for Compliance (RR) should either be a member of the board of directors or the board of directors as a whole.

The Person Responsible for Control (RC) is the person in charge of implementing the AML/CTF, for example the compliance officer where such role exists.

Fund managers and investment funds subject to the supervision of the CSSF in AML/CTF matters may designate a third party to that effect.

Finally, the CSSF Regulation further specifies the role and responsibilities of the Person Responsible for Control (RC), adding notably that:

  • the Person Responsible for Control acts as the second line of defence and therefore notably verifies compliance by the professional with its AML/CTF obligations;
  • the Person Responsible for Control furthermore ensures compliance by the branches and subsidiaries in which the professional holds a majority, established either in Luxembourg or in a foreign country, with their professional obligations;
  • the Person Responsible for Control ensures compliance by the professionals with the policies and procedures at the level of the group and pertaining notably to data protection and the sharing of information at the level of the group for AML/CTF purposes;
  • the Person Responsible for Control is required to provide on an annual basis to the CSSF the summary report; this requirement is, however, not applicable to Luxembourg investment funds which have designated a Luxembourg management company which provides such summary report.

For any questions regarding the above or more generally AML-CTF matters, please do not hesitate to contact one of our specialists.


[1] A coordinated version of the Grand Ducal regulation of 1 February 2010 providing details on certain provisions of the amended 2004 Law, as amended by the Grand Ducal regulation of 14 August 2020, was drawn up by the CSSF and has been available on the CSSF website since 24 August 2020.

[2] Article 9 of the CSSF Regulation.

[3] Article 26a of the CSSF Regulation.

[4] Article 27 of the CSSF Regulation.

[5] Article 34 of the CSSF Regulation.

[6] Article 37 of the CSSF Regulation.

[7] Article 40 of the CSSF Regulation.

[8] CSSF FAQ of 25 November 2019 – Persons involved in AML/CFT for a Luxembourg Investment Fund or Investment Fund Manager supervised by the CSSF for AML/CFT matters.