Risk assessment – due diligence, organisation and cooperation – measures to be implemented
Anti-money laundering and countering the financing of terrorism (AML/CTF) originally concerned the banking and then the financial sector.
However, it is sufficient to refer to the description of the money laundering mechanism (read more here) to reach the conclusion that the risk of being involved in a money laundering operation is not limited to the sectors above mentioned.
Many professionals may be confronted with money laundering and/or terrorist financing operations during the course of their activities.
From a theoretical point of view, any economic transaction can be linked to a money laundering operation.
The Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the « Law »), lists in its Article 2 the activities under its scope (the list being very broad, a reference to the Law seems more appropriate: text of the law is available here).
It should nevertheless be noted that professionals subject to the Law are notably:
- professionals of the financial sector;
- the insurance sector;
- lawyers and notaries;
- accountant, auditors, etc.;
- virtual asset service providers;
- corporate and trust service providers;
- Business centres;
- Real estate agents;
- Property dealers (e.g. car sales, art, jewellery).
I. Risk assessment : the cornerstone of the fight against money laundering
Professionals are fully involved in the process of preventing money laundering. The legislator requires them to actively contribute, alongside the authorities, to the detection of suspicious transactions.
The fight against money laundering and terrorist financing is based on a risk assessment approach.
This principle is reflected in Article 2.2 of the Law, which states that “professionals shall take appropriate measures to identify, evaluate and understand the money laundering and terrorist financing risks to which they are exposed“. To do so, they shall notably assess the risk factors related to their clients, countries or geographical areas, products, services, transactions or distribution channels.
Professionals shall therefore:
- assess the risks to which they are exposed due to their activity;
- take appropriate measures to manage and mitigate these risks;
- cooperate with the authorities and report their suspicions where necessary.
In the event of an audit, it is up to the professional to demonstrate that obligations have been fulfilled (based on documentary evidence). It is therefore imperative to document and retain each element that has been subject to internal control.
The methodology to be applied is based on the following three pillars: the customer due diligence, the implementation of an internal organisation and the obligation of cooperation.
II. Customer due diligence
The customer due diligence requires the professional to take a number of steps. Depending on the case, these will have to be more or less thorough.
A. Identifying the customer and verifying his identity (and, where applicable, the economic beneficiary)
Vigilance shall be constant, in the sense that it applies before the business relationship is entered into but also during that relationship. It is necessary to ensure that transactions are consistent with the professional’s knowledge of his client throughout the relationship.
In the case of natural persons, this step will in most of the cases be carried out by providing an identity document.
The information to be collected includes at least the person’s civil status, address and contact details.
In addition, if the individual is a national of a third country, it is preferable to obtain a copy of the client’s passport.
For clients who are legal persons, the professional shall identify and take reasonable steps to verify the identity of the beneficial owners.
He shall identify the natural person by obtaining the following information :
- the name;
- the legal form;
- the address of the registered office;
- identification of the controlling bodies.
From an operational point of view, it will be necessary to obtain, notably, the articles of association, an extract from the commercial register, the register of shareholders, the list of authorised signatories and proof of their appointment. The documentation required will need to be adapted to the circumstances of the case (i.e. for some more complex legal structures additional documentation will be required).
The identification should be carried out prior to entering into a business relationship (except in exceptional circumstances).
Depending on whether the business relationship is entered into in face-to-face or remotely, specific rules will apply. (e.g. certification of the identity document by a public authority if the relationship is established remotely, in face-to-face situation the professional can do so).
B. Understanding the purpose and nature of the business relationship
In practice, this point is often the most delicate to address. Indeed, as each activity has its own particularities, it is not possible to transpose a risk analysis procedure from one activity to another.
Moreover, the analysis of each commercial relationship requires a different treatment. This point is often underestimated, as professionals limit themselves to systematising the process. In other words, each situation shall be individualised.
Each professional shall use its own methodology to identify the risks and classify the clients to which it is exposed, provided that this methodology is consistent with its activity, reasonable and documented.
Annexes III and IV of the Law present non-exhaustive lists of potentially higher or lower risk factors.
These include, notably, geographical areas, services involved and types of transaction.
Once the criteria have been applied, the client shall be classified in a higher or lower risk category (making it possible to justify the legitimacy of the business relationship or, if necessary, the triggering of additional checks or even a suspicious transaction report).
the Law provides, under certain conditions, for simplified due diligence obligations as well as enhanced due diligence obligations.
Indeed, if the client is a listed company or a public entity, the due diligence requirements will be assessed less severely than in case of a company domiciled in a country considered to be at risk and for which it would be difficult to identify the economic beneficiary or beneficiaries.
The classification of a client in one or other of these categories can only be applied once the identification of the client and the risk assessment has been carried out.
In addition, it is necessary to justify the choices made. Indeed, if a transaction is considered to represent a limited risk, the reasons shall be stated in writing.
C. Keeping documents and monitoring vigilance
Professionals shall keep documents, data and information collected for anti-money laundering purposes for a period of 5 years (starting from the end of the business relationship).
When business relationships are spread out over time, the professional shall ensure that the documentation relating to the identification and verification of the identity of clients and beneficial owners is up to date, as well as the work relating to the adequate knowledge of the client, the business activities, the risk profile and the purpose and nature of the business relationship.
This update is recommended on a regular basis or when the professional becomes aware of significant change(s). The extent of the update depends on the risk-based approach as defined by the professional in its procedure and on the level of risk represented by the client.
III. Internal organisation obligation
The Law requires the professional to implement policies, controls and procedures to effectively mitigate and manage AML/CTF risks effectively.
These measures shall be proportionate to the nature, particularities and size of the professionals.
A. Internal procedure
Each professional shall introduce a handbook detailing the procedures implemented to assess and prevent money laundering risks.
The aim is to identify the risk factors, evaluate them and adapt the monitoring to the risk category represented by each client.
In general, the internal procedure shall describe notably :
- risk assessment, identification, understanding of activities and monitoring of clients;
- customer due diligence measures (acceptance of customers, detection of atypical or suspicious transactions);
- record keeping;
- cooperation with the supervisory authorities;
- the procedure for hiring employees and the measures taken for their training (initial and ongoing);
- internal monitoring of compliance.
B. Appointing a compliance officer
Depending on the size of the company, either (i) a senior manager or (ii) a KYC officer should be appointed to be in charge for compliance with professional AML/CTF obligations.
Whichever person is in charge, she or he shall have a high level of management, independence and necessary means to carry out this task.
C. Training staff
The professional shall ensure that employees are aware of the professional AML/CTF requirements.
In practice, employees have to participate in ongoing training programmes and to be kept informed of new developments, including information on money laundering and terrorist financing techniques, methods and trends.
IV. Duty to cooperate
The Law lays down the principle according to which professionals, their managers and employees shall cooperate fully with (i) the supervisory and self-regulatory bodies and (ii) the Cellule de Renseignement Financer (Financial Intelligence Unit or FIU).
A. Supervisory and self-regulatory authorities
Depending on the categories of professionals concerned, a supervisory or self-regulatory authority is competent to ensure effective monitoring professionals’ compliance with the applicable AML/CTF rules.
To this end, the law recognises certain prerogatives of the different structures:
- the Commission de surveillance du secteur financier (CSSF) is competent for the financial sector;
- the Administration of Registration and Domains (AED) is competent for real estate agents and promoters, accountants, economic and tax advisors, business centres, property dealers and service providers not covered by another specific authority;
- the Insurance Commission (CAA) is competent for the insurance sector;
- The relevant professional orders regulating the profession of lawyers, notaries, accountants, auditors and bailiffs.
Supervision depends on the relevant body.
The Law vests the bodies described above with supervisory powers, including:
- to have access to any document in any form and to receive or take copies of it (including any electronic communications, data, etc.);
- to request information from any person, and if necessary, to summon any person subject to their supervisory powers and to hear them in order to obtain information;
- to carry out on-site inspections or investigations, including the seizure of any document, electronic file or other thing that appears useful for the determination of the truth;
- to request the freezing or sequestration of assets from the President of the District Court of and in Luxembourg ruling on a request;
Obviously, failure to cooperate with a supervisory or self-regulatory authority exposes the offender to heavy sanctions (read more here).
According to Article 5-1 of the Law, supervisory and self-regulatory authorities are required to inform the FIU without delay when they suspect AML/CTF offences.
B. The FIU
The FIU’s tasks include receiving and analysing suspicious transaction reports in relation to AML/CTF.
It also has the task of referring cases to the State Prosecutor following the discovery of facts suspected of being AML/CTF offences. It is then the State Prosecutor who is competent to initiate criminal proceedings.
In addition, the FIU also has extensive supervisory powers.
- Reporting of suspicious transactions
According to Article 5 (§1 point a) of the Law, each professional shall inform the FIU without delay and on his own initiative of any fact or operation which could be indicative of money laundering or terrorist financing.
This report is made by means of a suspicious transaction report on the GoAML portal. Registration on the GoAML portal is not mandatory per se, however the validation of the registration takes some time.
It is therefore strongly recommended to complete the necessary registration steps before to face with a situation where a report is required (this will allow the report to be made without delay as required by law).
Registration for the GoAML portal is done via the Ministry of Justice website (registration access here).
Professionals and their officers and employees may not disclose to the client concerned or to third parties that information “is, will be or has been communicated or provided”.
It is emphasised that any suspicious transaction report made by a professional is confidential. In addition, the Law also provides for a protection regime for individuals (including employees and staff representatives) for reporting a suspicion in relation to AML/CTF.
- Requests for information from the FIU
According to Article 5 (§1 point b) of the Law, each professional is bounded to provide without delay to the FIU, at its request, all information required. This obligation includes notably the transmission of the documents on which the information is based.
- Refrain from executing the transaction
Professionals are required to refrain from executing any transaction that they know, suspect or have reasonable grounds to suspect is related to money laundering, an associated predicate offence, or terrorist financing before informing the FIU.
The FIU may give instructions not to carry out operations in relation to the transaction or to the customer. When it is not possible to refrain from executing a transaction or when this is likely to hamper efforts to pursue the beneficiaries of a suspicious transaction, the professionals concerned shall then inform the FIU without delay.
Moreover, professional secrecy is not enforceable against the FIU, and failure to cooperate with the FIU exposes the offender to severe sanctions.
The Law clearly emphasises on the obligation of professionals to implement measures to meet the above obligations. The supervisory authorities consider that these objectives shall be fully met.
If you would like more information on any of the above, or have any other questions, please do not hesitate to contact us.
During a legal consultation, all the elements of your case can be considered and the exchange from client to lawyer will take place in order to analyse your legal situation in a concrete and confidential manner.
You may also be interested in one of the following publications: