AML/KYC Working Group

Our aims…

AML Blog…

28 January 2025 Update: 

Revised requirements for fund assets

• Following the publication of CSSF FAQ 13 December 2024 is it still required to risk assess the unlisted assets and add the issuers of high-risk unlisted securities to OGS?
• Assets due diligence for UCITS

Listed assets: The revised CSSF requirements no longer require a risk rating of the assets, but evidence each asset is screened against sanctions and listed or traded on a regulated exchange should be produced.

There is not much guidance on AML due diligence requirements on unlisted assets. Members agree the requirement is similar to that applied to client due diligence and that ALFI is expected to issue updated guidelines shortly. A risk- based approach should be followed in line with the fund strategy.

The requirement to risk rate unlisted assets remains in place. Ongoing due diligence is required for certain transactions.

How do we determine a regulated market and how is this managed? Some may have a global committee; others have their internal list of regulated markets managed by their Investments team or regulatory compliance. 

A regulated market should operate standards equivalent to the EU as per  

Directive 2004/109/ EC (‘Transparency Directive’) https://eur-lex.europa.eu/eli/dir/2004/109/oj/eng

Blocked accounts

• Industry progress on defining and blocking AML accounts as per CSSF requirements:

The CSSF requires all TAs require to review the reason recorded for each blocked account and ensure only those in direct non-compliance with the law are marked as blocked the AML reasons (this excludes accounts that failed the ODD / KYC refresh exercise as they were verified at onboarding).

Members commented if their TA had completed this and are fully compliant with the requirement. Most confirmed the exercise is in progress or has not started, reason being the TA is still waiting for industry guidance. It was concluded that the CSSF has been clear on its expectations in various conferences over the past year and no guidelines will be issued.

Some members have asked their TA to add reference to the article of the law to each accounts with a true AML block.

It is recognized that some TA systems have limitations on the functionality and scope for blocking, e.g. accounts blocked for internal operational purposes, such as potential fraud flag. These should not be included in their regular MIS/KPI reporting.

Members expect the CSSF to check the next annual CSSF AML Questionnaire market response to monitor progress and start taking action.

Members discussed requirements to perform ongoing due diligence and the need to continue to contact ‘ODD’ clients on a regular basis to remind them their account is not in good order.

It was noted that the Caisse de Consignation will publish new guidelines on its website for the transfer of assets.

Sub-distributor due diligence

• What AML due diligence is applied to sub-distributors of external distributors?

ManCo’s typically rely on the main external distributor to manage their sub-distribution network, but were asked if others perform any independent checks or due diligence on sub-distributors.

Some do not perform independent checks while others apply various levels of due diligence which may consist of initial and/or screening and evidence of proof of regulation.

One member asked how to manage the scenario where a sub-distributor is located or operates in a high risk country or country on the EU or FATF grey list. The point was raised that the Manco needs to ensure by its monitoring that the main distributor can evidence it has a look through to the underlying investors in these countries. An AML comfort letter is not sufficient.

A separate question was raised on distributor KPIs , to which it was mentioned that FINDEL also operates the Distributor Advisory Group who has published a paper on this as an industry guide and standard – Distributor Advisory Group | The Findel Group

October  2024 Update

TA Investor Risk Methodology                                                                                                                                                                                                   One member raised the fact that their TPA in Luxembourg had revised their client risk methodology to align with their head office, without engaging the ManCo.  The newly amended risk rating of their clients has resulted in significant changes in the fund risk profile and leading to a higher percentage of high-risk clients in particular. This has impacted the level and frequency of due diligence, impacting the client experience.

Members concluded the TPA should always collaborate with the ManCo ahead of making any such proposed change and should not do this without ManCo Consent.  It was noted that some ManCo’s do not adopt the TPA’s standard risk methodology as it does not meet their requirements in terms of scope and risk appetite. ManCo’s would however move to the TPA standard if it were further developed to meet their requirements.

Separate Terrorist Financing / Proliferation Financing Risk Assessment                                                                                                              Members were asked if they maintain individual risk assessments for Terrorist Finance and Proliferation of Arms.  Nearly all replied they incorporate these two areas within one risk assessment document, adding designated sections or appendix to call out specific risks.                  The process to screen assets against proliferation of arms was discussed and members agreed the approach is to sell all assets associated with the proliferation of arms within a set time period, typically 3-6 months.

Unclaimed monies following Fund liquidation (TA)                                                                                                                                                   Members were asked how they maintain the record of assets / proceeds from account closures following a fund liquidation that have not been transferred to the Caisse de Consignation. In particular what process is in place to receive future claims on the assets.  General consensus is the TPA should be the point of contact; the TPA should know to refer all such claims to the ManCo. The risk is the TPA may not respond to the claim as the client account and details no longer appear on the client register.

Do you consider VA (virtual assets) or VASP (virtual assets service provider) as a risk factor in your distributor or client AML risk rating methodology?                                                                                                                                                                                                                                 The question was raised as to if and how members include virtual assets in their AML risk methodology where a distributor or client/intermediary offers virtual assets to their underlying clients.  Also if the definition of a VASP should be limited to a provider of virtual assets (only) or extend to all financial institutions who offer virtual assets in addition to their ‘traditional’ service and products.  Members confirmed they adopt varying approaches on this:

Some do not consider virtual assets as a risk factor, rationale being that this does not impact the marketing or investment into their own funds. Secondly, all distributors and clients/intermediaries are required to apply AML regulations equally to their underlying clients who deal in virtual assets (or a mix of virtual assets and traditional products).

Others adopt virtual assets as a high-risk factor as part of their methodology, but not necessarily give an overall high-risk rating.

Some specifically ask the distributor or client/intermediary if they offer virtual assets to their underlying clients and may subsequently reject the relationship or insist that these underlying clients be excluded in the legal agreement. Typically, this would involve a crypto platform rather than a traditional financial institution.

It was also noted that some members themselves offer tokenized funds and contract a VASP platform to market them, however this will have a different legal framework and structure to the distribution model of traditional funds.

June 2024 Update

Question on a need for a 4 eyes principle for client screening and due diligence following recent external audits.

Open question as to whether a 4 eyes principle is needed for client sanctions, PEP and adverse media screening. This is not clearly stated in the regulations and we have also been advised that the CSSF is looking with ALFI to revise areas regarded as gold-plating ahead of the implementation of the new EU AML regulations in the future which provide a level playing field for all EU countries.

A distinction in 4 eyes principle requirements should be made between sanctions and PEP / adverse media screening: Regulations require a 4 eyes principle upon the initial screening for sanctions, when the name is first entered, but does not mention ongoing screening nor PEP or adverse media screening.

It was also noted that the CSSF recently shared a table on this which includes the need for the Compliance function involvement which is questionable as it draws the 2 line of defence into 1^st line processing. Members also questioned why the CSSF and auditors are directing firms on how to manage their first line AML operations.

Members questioned if they should wait before recruiting and updating their screening process to apply the 4 eyes principle beyond initial screening for sanctions until the industry issue has been clarified by the CSSF and ALFI.

Action: Members to raise AML requirements and areas that go above and beyond the regulatory requirements and regarded as gold-plating for the ALFI-CSSF review.

Reliance on the TA due diligence instead of performing due diligence on all Manco contractual relationships (intermediary or not): Circular CSSF 21/782 section 16.14

Reference to the EBA Guidelines Circular 21/782 section 16 on customer categorization: To what extent may the ManCo rely upon the TA to perform due diligence on parties (distributors, intermediaries, nominees etc) who invest on behalf of third-parties?

It was concluded that the ManCo is required to complete the requirements where it enters into an agreement and pays rebate fees, and that a distinction is made between distributors who purely market the funds and those who also introduce business and manage the client account when it comes to the ongoing AML monitoring requirements, i.e. there is no AML delegation in the first scenario.

The ManCo may not outsource its AML KYD obligation to the TA. However the TA may rely on the due diligence and KYC performed by the ManCo on its distributors to avoid duplication by the TA . On the other hand, the obligation to perform monitoring/testing on intermediaries (as opposed to distributors) may be outsourced to the TA.

Transaction Monitoring and negative media alerts in relation to SARs.

Reference made to the annual CSSF AML Questionnaire and question on how many transaction monitoring and adverse media alerts have been received and how many SARS filed? The CSSF may question the low volume of SARS filed compared to the volume of alerts, especially by TPAs, where for example the TPA procedure may include a parameter to simply close aged media alerts.

ManCos should be aware of and review the TPA’s transaction monitoring rules and adverse media process to ensure they are adequate and assessed according to the business model and nature of transactions.

Article 5r of EU Council Regulation 833/2014: Reporting obligation on transfers leaving the EU for relevant Russian-owned companies or Russian UBO

Awareness raised of Article 5r and the new reporting obligation to the Ministry of Finance effective from July concerning payments and accounts that have 40% Russian ownership or control.

Members confirmed they were checking that their TPAs have the necessary controls and reporting process in place.

Oversight by ManCos on Distributors/Sub-distributors

• How is the risk rating applied?
• Address the approach when the KYC risk differs from the KYD risk

It was noted that the AML risk assessment and rating of a distributor can be separate and differ to the overall ‘KYD’ risk rating. How is this managed generally?

One member noted they look at both risk ratings and determine the overall end rating on an individual risk basis depending on the key elements of both assessments.

Other members shared their approach:

• The rating of the distributor is checked against the TA’s rating of the client account, where applicable, but is not amended unless there is strong criteria to do so.
• The distributor AML ODD or refresh can be performed according the AML rather than overall risk rating.
• The target countries for distribution, including sub-distribution network, is a significant risk factor to the overall risk rating and may trigger a manual adjustment.
• The volume of assets by low/medium/high risk countries may be taken into account.
• The AML risk rating feeds into and is a factor in the overall risk rating.

SRRC report: Interpretation of sample testing questions (linked to investors/ intermediaries/ assets) eg. what type of activity is being considered in scope/ what approach is being considered where there is no formal sample testing?

It was noted that samples sizes reported may appear small. No distinction is made between Audit and Compliance testing. Concerning the question on assets it was concluded that this is aimed at unlisted assets as testing isn’t performed or required for listed assets, only screening.

Sanctions due diligence oversight by ManCos on distributors/sub distributors – form/frequency/testing

Question was raised as to how ManCo’s monitor and test for any sanctioned underlying investors who are sanctioned, in particular on the Euroclear and Clearstream platforms.

It was noted that many ManCo’s have in the past written to all their distributors to remind them of their obligations in this respect and to notify any sanctioned party to the ManCo. This is also covered in the legal agreement and oversight, e.g. distributor DDQ. It was also noted that Euroclear and Clearstream have tightened their processes and will report any such cases to the TA or ManCo.

Board resolutions & approval process by RR of investor redemptions/ transfers where full investor due diligence/ remediation is not completed by fund Transfer Agent

In the scenario where client KYC has been remediated to the extent that it may not be 100% complete but the Manco is satisfied it is sufficient and they know their client, has the TA a right to insist on a Fund Board resolution to make a payment to the client?

Members concluded that ManCo RC approval should be sufficient.

April 2024 Update

Third Party Transfer Agency – AML blocked accounts reporting

An Industry working group was formed last year following the issuance of the FATF report on Luxembourg.  Following email correspondence with some members a discussion followed around what would constitute inclusion in blocked account reporting in the annual CSSF AML survey e.g. only if it constituted a SAR or other reason for missing KYC.

There was further discussion around when blocking may apply and under what circumstances different types of transactions or distributor trail fee payments may be blocked.

The members expressed their strong desire to review a draft of industry working group paper prior to it being finalised.

High risk investors – wet ink signatures (originals) alternatives

Following a member’s question, the group discussed the circumstances where wet ink signatures (originals) apply including alternatives to that medium.

Some members will require wet ink originals for high risk though will permit transactions to proceed pending the originals. I.e. PDF accepted in advance. Other members advised that they would rarely require wet ink signatures due to the face to face nature of their relationships.

Panama – EU high risk third country list removal (Distribution)

High Risk Distributors – EDD (onsite visits)       LM advised the group of the impending update to the EU High Risk Third Country list amending Delegated Regulation (EU) 2016/1675.  The amendment adds Kenya and Namibia to the table in point I of the Annex and deletes Barbados, Gibraltar, Panama, Uganda and the United Arab Emirates.

The members discussed how ongoing due diligence is performed on high risk distributors.  Most do not consider an onsite visit necessary, with reviews conducted offsite as they would as if onsite e.g. Calls, review of P&P, sampling etc.  Where a review of P&P is challenging, most firms will engage with the distributor’s Compliance department which usually elicits the required information.

February 2024 Update

KYC requirements and process for retail clients in Poland

Poland requires  a local TA or processing agent to manage investments from local resident investors to Luxembourg Funds. The local model can differ:

1. Appoint a local processing agent rather than a sub-TA model and rely on the local distributor to cover AML requirements on the investors and therefore perform oversight of the distributor. The Luxembourg TA performs the investor screening and transaction monitoring.
2. Operate a sub-TA in Poland with limited scope of delegated AML services.

Members confirmed they restrict incoming payments for subscriptions to banks in Poland. A comparison can be drawn with the model in Italy where the key for meeting AML requirements is to have a reliable AML distributor model in place.

Intermediary testing (CSSF 20-05 Art. 3)

It is apparent that while a number of third-party TAs plan to, or have implemented various forms of testing, the WG consensus is this exercise provides no real value. Members advised they document the review of the Wolfsberg Questionnaire to evidence the review of the responses provided.  It was noted that some third-party TAs ask intermediaries to provide details of any underlying investor who owns 25%+ of the account managed by the intermediary, which is not required as this is already covered in the Funds application form.

Members shared that they have not been challenged to date on the absence of a process to test their intermediaries.

NSCC relationships

A question was raised on requirements towards the names of individual names appearing on NSCC accounts, and noted the question in the CSSF survey asking where your clients are located. Members responded that in their experience this underlying data is often not reliable, especially the field showing their location/country, and their focus and reporting is on their distributor network instead. Some do not receive the next level down containing this data on their NSCC accounts.

French Centralising Agent/Euroclear France model – AML compliance

A question was raised on how others are managing AML due diligence requirements for business introduced through the local paying agent and Euroclear France. Although paying agents may have provided an AML comfort letter in the past, they effectively do not perform AML on all investors and have stopped. Euroclear France can provide a presentation on their AML process but will not provide a letter.

Some third-party TAs perform an annual onsite review of Euroclear and Clearstream and provide a report to the ManCo, however it is not clear if this specifically covers Euroclear France.

A suggestion was made to perform an onsite visit to the paying agent to review the documentation they obtain from Euroclear France, centralisation legal agreement permitting.

January 2024 Update 

Transaction monitoring obligation and process for ManCo’s with a delegated Transfer Agency

• Most TPA’s perform transaction monitoring as part of their standard service offering. Where they may say they only do it to meet their own regulatory obligations, the ManCo can nevertheless include it in its oversight process and place reliance on the TPA process. In any case the TPA has an obligation to escalate any red flag to the ManCo, irrespective of its trigger or activity performed by the TPA.
• It was recognised that TPAs follow their own inhouse standard transaction service with no customisation. This includes the fact that they bulk all transactions for their ManCo clients together and cannot therefore provide a bespoke process and reporting. Despite this, members confirmed they do rely on the TPA transaction monitoring process.
• It was pointed out that various exceptions can apply to the transaction monitoring scope; that distributors are excluded by the TPA as they come under the ManCo’s direct supervision; that omnibus or pooled accounts can also be excluded from the process where they are managed by correspondent relationships with no look-through obligation to the underlying investor.

Ongoing distribution (directly or through sub-distributors) through intermediaries in High Risk Third Countries blacklisted by FATF/EU

• A question was raised to ask if members continue to managed distributors in countries appearing on the EU red list or FATF grey list.
• Some members responded to say they continue to allow investments from such relationships and those in other high risk countries. They confirmed they perform enhanced due diligence through onsite visits and underlying investor sample reviews.

CSSF AML Conference key takeaways

• The CSSF confirmed that AML will remain a key priority and focus for the CSSF in 2024 and beyond notwithstanding the recent FATF report on the country.
• Blocked accounts: Following the FATF report on Luxembourg which highlighted the high volume of client accounts blocked for AML reasons, it is important that the industry correctly classifies and reports blocked accounts for AML reasons. Only those accounts blocked for sanctions or true red flag activity, e.g. leading to a SAR, should be reported as having an AML block in the future. Accounts blocked for failed ODD should not have an AML reason block applied for example.
• Proliferation of arms: The industry should maintain vigilance on the screening of dual-use companies and any adverse media.
• The annual AML (‘RC’) report will need to be completed on e-desk in future, following the CSSF format.
• RBE register: A reminder to ensure entries in the RBE register are maintained up-to-date.

 CSSF requirements for onsite visits (Distributors, Branches, assets etc)

• Some members conduct onsite visits to their high-risk distributors.
• Some perform an AML onsite visit to each of their branches, while others do this on a risk-based approach or where the branch performs AML activities. This can also depend on the type of licence held by the branch.

October 2023 Update

• KYD ODD survey resulted in even split between 1,2,3 and 1,3,5. Feedback is CSSF didn’t challenge 1-3-5 during inspections.
• FATF Report
  • High level of compliance
  • overall framework for terrorist financing (TF) and proliferation financing (PF) TFS had some significant deficiencies, including gaps in the scope of freezing obligations, and lack of obligations to freeze without delay and without prior notification.
  • bolster its resources further to improve its ability to detect, investigate, and prosecute intricate money laundering cases.
• ALFI to simplify its Guidelines on Funds Assets. E.g. all UCITS are low risk; no need to perform a risk rating within UCITS according to geography etc.

June 2023 Update

• Fund assets risk scoring – Members discussed whether they were risk rating individual assets.  Most reported risk scoring at the asset class level, i.e. per risk categorisation of assets, as they do not have the ability to score individual assets; Some have a different process for UCITS than private assets.  It was suggested that firm should be risk assessing on a quarterly/semi-annual/annual basis.
• AML risk assessments – It was proposed that the WG draft a guidance paper on best practice to produce risk assessments. Sub-group to be established to work on this.
• Lux SMO regulations: ID / Verification and parent entity Following a recent question from a member around whether a subsidiary of a listed entity could be treated in the same as that of the listed entity itself, members discussed different approaches taken.  Some members will allow for the exemption to identify the beneficial owner where the customer is a direct subsidiary of the listed parent. Others will only permit if the customer is the listed entity.

• Definition of Persons Purporting to Act where it includes authorised signers including authorised signers of a regulated financial institutionA member raised a query around whether all firms were verifying the identity of authorised signers as persons purporting to act (PPTA) where those persons were employees of a regulated financial institution.  Some members confirmed they took a pragmatic approach and only requested the information where a screening alert was received.  Others source key demographic information upfront as they do not obtain ID documents – consideration as to whether we want to discuss with ALFI and/or CSSF.

• Russia: Distributor relationships, holdings and forced redemptions –  Discussion around whether any firms had taken any specific action around these relationships. E.g., compulsory redemptionSome members confirmed that they sourced the name of underlying client if there is a redemption via an intermediated relationship and screen themselves

• CSSF reviews on blocked accounts (update) – This is a known key focus for the CSSF with specific emphasis on distinguishing between accounts blocked where KYC documentation was incomplete/missing as against accounts blocked for other reasons e.g., dormant, sanctions, originals etc, Members discussed whether FATCA/CRS forms would be considered missing KYC.  In respect of dormant accounts, members discussed the importance of the TA distinguishing between dormant and inactive per the law of 2022.

• Onsite AML visits: Distributors and Branches – Members discussed current practice by firms around onsite visits.Branches – Monthly/quarterly meetings undertaken by most firms. External Auditors confirmed to a member that branches should be visited annually. Irrespective of whether a branch performs any KYC it was understood that the CSSF expects AML oversight.  Members discussed what that looked like e.g., access to AML P&P, anti-fraud controls etc. Distributors – Members discussed taking a risk-based approach to distributor onsite visits with some firms revisiting their practice post pandemic. Onsite visits appear to be limited and to high risk regions only.

• CSSF requirement to apply a 4-eyes principle when investigating false positive sanctions screening alerts The ILA notification was referred to.  This subject was also raised at an ALCO event end of last year.  Some firms have global models in place and are assessing 4 eyes review.  Some firms use a service provider and also review the alerts received

• France – Centralising TA Agent –  Members discussed the French centralising agent role and the challenges experienced in maintaining a Correspondent Relationship with the French centralising agent; Previously the TA obtained an AML letter; however, this is now being challenged as the centralising agent will no longer provide as a) it would breach French privacy rules and b) they could not guarantee that docs would be provided as they must request of securities clearing house.

• UBO declaration – Members discussed the circumstances where a beneficial ownership declaration is required with some members requesting for all clients and distributors; some do not request where there is no natural person, and the UBO/SMO information is provided via other documents.  Most firms do not require for counterparties.

• Luxembourg RBE (UBO register) – Members discussed the success rate in accessing RBE with mixed results.

• December 2022 Update – Much discussion on risk assessment requirements, framework, risk factors, and how to link in with risk appetite and resulting KPIs (for the Asset / Portfolio investments). Agreement to create a sub-group to hold workshops and draft an industry guidance paper in 2023.•It was noted that the CSSF expect all securities to be screened against PEP and adverse media lists, in addition to sanctions (although not stated in regulations or ALFI Guidance).•Recent CSSF publication on the results of thematic reviews it had conducted in 2021 focused on tax fraud, and the need to update the AML policy and work with the Tax team to create a joint risk assessment.
• September ’22 Update  If a PEP (acting as intermediary Board Member or UBO) doesn’t own the investment into the Fund or act on the account then the intermediary does not need to be considered a PEP account. However, some WG members will apply PEP status to the intermediary if a majority of the Board Members are PEPs. It was noted that that the CSSF expects full EDD applied to all individual and corporate PEPs even where the PEP risk is considered low or historical, i.e. the individual left their position of authority more than 12 months ago.
• Little regulatory guidance on transaction monitoring requirements. The Wolfsberg Group recently issued a Guidance which does not cover monitoring scenarios or thresholds but provides an extensive list of questions to be applied in the investigation process. The Guidance is aimed at correspondent banking but is also relevant for other payments-based relationships. Wolfsberg RFI Best Practice Guidance document_ Clean (wolfsberg-principles.com). The WG agreed the key is to have appropriate scenarios and thresholds and there is a risk if the net is too wide, and you have too many potential cases to effectively investigate and close out. The rules/thresholds should be tested by Audit for effectiveness.
• UBO register: The WG agreed this can be limited to EU countries, as per the fact the law is referenced according to articles of the EU directives.
• Signatory lists: It was concluded that only those who act on the account need to be screened.
• CSSF allows reliance on low risk regulated entities who screen their employees for screening. (Ref. CSSF 12-02/Art 33 ongoing screening concerning the client entity and UBO/SMO).
• EDD high risk countries: One should verify any relation to a high risk country; whether it be source of funds, UBO or other associated individuals and their level of ownership or control over the client, and assess the level of the associated risk on the client account. The TA may escalate any high-risk flags to the Mano.

• Please see below our comprehensive report in respect of the challenges facing Asset Managers in Luxembourg:-·

Download File