AML regulatory practice, where are we today, and what should we expect for the future?

Pascale Renaud

All persons, individuals or entities (“Professionals”) in scope of anti-money laundering (AML) are usually aware of the importance of complying with regulatory principles.

This awareness is the result of a very significant evolution of texts and regulatory practice since the implementation of AMLD4. Notwithstanding the increased maturity of all stakeholders in the prevention of financial crime, Professionals must anticipate that changes will continue in the coming years, particularly with the upcoming European AML Pack.

This brief article aims to highlight, without claiming to be exhaustive, some structural changes to which Professionals have had to adapt in recent years in order to comply with the AML regulatory framework (including counter-terrorist and proliferation financing), and to outline the next developments they should expect in the short or medium term.

Over the last years, we have seen a substantial evolution of AML internal control in the financial sector with the implementation of the Luxembourg concept of RR (responsible person at the level of the executive management for AML compliance) and RC (responsible person for the control of AML compliance). Both individuals have to be appointed in replacement of the former MLRO, whose mission in the AML organisation was not as precise as today's RR and RC duties and responsibilities.

We have also experienced the increased impact of restrictive measures in financial matters with a dedicated law in December 2020. In the last years, the Ministry of Finance and the CSSF played a key role in the education and training of the financial sector on how to handle the duties under this law and implement the multiple sanctions published in the international war context we are unfortunately facing.

The CSSF increased its AML remote controls and on-site inspections, with more and more fines published, and the AED AML mission significantly developed in parallel for non-financial entities and certain financial entities such as RAIFs and AIFs that are not in scope of the CSSF supervision. The AED issued several guidance documents for the non-financial sector and the non-regulated financial sector (RAIFs and AIFs), and more resources are now allocated to the AED controls.

CDD (Customer Due Diligence) requirements have become very prescriptive, and, among others, following the setting-up of national Registers of Beneficial Owners (RBOs) under the AMLD4, it is today mandatory to cross-check RBO information with KYC documentation, and to analyse and report actual discrepancies to the Luxembourg FIU.

AML controls must be performed on transactions and on assets according to pre-defined risk-based processes, and the conclusions of such controls must be clearly formalised. The effectiveness of such controls has become highly dependent on precise parameterizations of technical systems, which are defined according to regulations, the activities context and risk/benefit criteria.

Last but not least in this summarised enumeration, we observe the rise of AI to handle the huge volume of data gathered through the screening processes relating to KYC, monitoring of transactions and control on assets. This rise of AI in AML is the natural consequence of digitalised data development and of technical tools sophistication for controls and reporting to authorities.

These observations being set, what are the next challenges, and how to prepare for them?

On the regulatory side, the main topic will be the implementation of the AML EU regulation by 2027. The EU harmonised and uniform CDD rules of the AMLR will, for all EU member states, replace the AMLD4 (as amended) national transposition laws. As a consequence, the Luxembourg law of 12 November 2004 will be superseded by the AMLR, and several Grand Ducal and CSSF regulations will have to be re-drafted. Hopefully, this is not expected to result in a revolution for the Luxembourg financial sector, as the majority of the AMLR rules are built from existing provisions. The main amendments are already identified and are likely to focus on the enhanced due diligence to be performed on high-net-worth individuals (as defined by the AMLR) and on cash transactions above certain thresholds, or the extended controls on RBO information to be used for CDD. Nevertheless, any new regulation or law requires performing a documented gap analysis, identifying the relevant changes and implementing an action plan to comply with the applicable amendments. Professionals will have to go through their gap analysis and implementation process in order to ensure their AML procedures are up to date.

Despite the creation of the EU AML Authority provided by the EU AML Pack, the powers of the local supervision authorities are likely not to decrease. In particular, the AED said they will continue growing and extend the scope and content of the current regulatory reporting and questionnaires to be filed by Professionals placed under its supervision, in particular all non-regulated AIFs. The AED said they will chase AIFs for more granular information on their AML risks.

Given all requirements related to AML, the multiplicity of control tasks and the limited availability of qualified resources for an affordable cost, the current trend of outsourcing certain AML processes outside the country of Luxembourg and the use of AI tools and technical systems hosted in the cloud will continue. Outsourcing is without doubt a valid option to consider. Nevertheless, financial entities subject to the CSSF supervision should not underestimate the requirements relating to business process outsourcing outside Luxembourg and cloud outsourcing provided by the CSSF circular 22/806. The externalisation of CDD processes is assessed as the outsourcing of a critical and important function, and the application file to be submitted to the CSSF for seeking its authorisation is relatively heavy and complex. We can also anticipate that the CSSF will focus inspections on financial entities that have outsourced AML processes.

Finally, using all information gathered through their multiple controls performed in-house or with the assistance of external service providers, Professionals must continue making decisions before client on-boarding and before transaction or payment execution, and report to their relevant authorities in a timely manner.

All the above, past requirements and forthcoming developments, largely explain the continued increase of the weight allocated to the prevention of financial crime in organizations. Professionals must have a strong understanding of the regulation and of their own risks in this respect, mitigate such risks and perform internal controls to ensure their AML framework remains adequate and effective to safely continue developing their business in our evolving environment.


Pascale Renaud is an experienced Compliance Officer with a strong legal background. She has been active in the Luxembourg financial sector for more than 30 years and is a recognised expert in the regulatory environment of the Luxembourg fund industry and assets services.

Before launching her own consultancy company, ID Compliance, she used to work in several well-known multi-jurisdiction groups such as Citco, Pictet, BNP Paribas Securities Services and CACEIS (formerly RBCIS), leading teams in charge of AML and regulatory compliance, in-house legal matters, fund legal engineering and corporate governance. She also used to be authorized by the CSSF as AML Compliance Officer (RC) for a bank and for several specialized PFS.

With ID Compliance, Pascale specializes in AML and regulatory assistance to investment funds, professionals of the financial sector, banks, and management companies.

Pascale holds a Master in Business Law, a Master in Business Management, the CFA Investment Foundations certificate and the CAMS certificate.