16/02/24

CSSF publishes updated money-laundering/terrorist financing risk assessment for the private banking sector

On 7 February 2024, the Luxembourg supervisory authority for the financial sector (Commission de Surveillance du Secteur Financier, “CSSF”) released the updated Private Banking Sub-Sector money laundering/terrorist financing (“ML/TF”) Risk Assessment (the “2023 PBSSRA”).

The 2023 PBSSRA pertains to all supervised entities carrying out private banking activities, and in particular to (i) private banks when carrying out asset management services (i.e. custody of financial assets and investment services) and ancillary services (i.e. current account banking, credit solutions, wealth structuring and insurance solutions), and (ii) investment firms when providing services comparable to private banks, including portfolio management, investment advisory services and some ancillary services (the “In-Scope Entities”).

The 2023 PBSSRA analyses the exposure of the private banking sector to ML/TF inherent risks through a threat assessment (such as tax crimes, fraud, corruption and bribery and TF). It also carries out a vulnerability assessment based on risk factors (such as clients and geography, intermediaries, market structure, the nature of the products and services provided, or external advisors). To mitigate these risks, In-Scope Entities can use several measures such as customer due diligence, individual risk assessment, cooperation with the competent authorities as well as internal organisation, governance, suitability, and training. The CSSF also mitigates the ML/TF risks via maintaining and fine-tuning its understanding of the sector’s ML/TF exposure/risk, monitoring new market entries in Luxembourg, supervising existing entities on the Luxembourg market, and rules enforcement (e.g. sanctions). Considering the mitigation measures in place, the 2023 PBSSRA concludes that the private banking sector’s ML/TF risk is reduced from high to medium-high.

The 2023 PBSSRA identifies emerging and increasing areas of risk and reminds In-Scope Entities of requirements they should apply in respect of each risk, namely:

  1. ever expanding list of financial sanctions: increasing financial sanctions introduced in response to Russia’s war against Ukraine have put the sanctions risk into focus. The banking sector as a whole is at risk due to its international clientele and business relationships,
  2. outsourcing of AML/CFT tasks: In-Scope Entities are reminded that they retain full responsibility for the performance of outsourced services and for assessing potential risks prior to any outsourcing, as well as monitoring and ensuring that all processes work and that the level of quality of the service remains appropriate thereafter,
  3. new technologies: In-Scope Entities can be indirectly or directly exposed to risks arising from new technologies (e.g. via their clients or because they use themselves such technologies). The CSSF reminds In-Scope Entities that they must apply the “New Product Approval Process” and the obligations set out under the amended law of 12 November 2004 on the fight against ML/TF, as amended. They are thus required to assess the risk of any new product, service, system, market or client segment prior to its introduction, and the need to involve the compliance function for assessing the ML/TF risk,
  4. virtual assets: in light of the risks linked to virtual assets (significant decline in value, crashes and hackings), the CSSF reminds In-Scope Entities that the virtual asset service provider activity in Luxembourg remains subject to a registration (until the application of Market in Crypto Asset Regulation, “MiCAR”),
  5. standalone ML/professional ML: it has been observed that professional money launderers act as intermediaries on behalf of criminals, and could appear as acting as a legitimate private banking client, with assets held with the In-Scope Entities over a certain duration. In-Scope Entities must be aware of some characteristics of such professional ML activities, such as, for instance, frequent transactions of low amounts (generally not exceeding EUR 10,000 between unrelated parties), unknown or poorly documented origin of funds, an involvement in different corporate structures incorporated in Luxembourg and in offshore jurisdictions, etc.

Finally, the 2023 PBSSRA sets out 13 recommendations for the private sector and examples of good practice in this respect, among which:

  1. implementing a clear AML/CFT risk appetite and strategy, in line with the principle of sound and prudent management and aligned with the In-Scope Entities’ means in terms of AML/CFT prevention,
  2. ensuring robust processes are in place to reliably identify beneficial ownership and critically appraise the origins of funds/source of wealth,
  3. ensuring clients are reviewed regularly in particular clients classified as high risk,
  4. for foreign-based groups, ensuring that the Luxembourg branch or subsidiary implements the Luxembourg requirements as well as the policies and procedures of the group, respectively the more stringent of the two,
  5. when outsourcing AML/CFT related tasks in full compliance with existing regulatory requirements, ensuring that the In-Scope Entity retains sufficient substance and control resources to carry out proper monitoring of outsourced tasks and the service provider’s compliance with Luxembourg AML/CFT requirements. Responsibility for outsourced tasks will always remain with the In-Scope Entities,
  6. reporting promptly and with adequate detail suspicious activities and transactions to the Financial Intelligence Unit (Cellule de Renseignement Financier).

In-Scope Entities may consult the CSSF’s tables on red flag indicators for three categories of predicate offences particularly relevant for the private banking sector: tax crimes (fiscal offences), corruption and bribery, and fraud.

The CSSF expects all supervised entities engaging in private banking activities to integrate the findings, conclusions and recommendations resulting from the 2023 PBSSRA into their AML/CFT frameworks to ensure they remain appropriate to effectively mitigate ML/FT risks.

dotted_texture