Compliance – Implementation of the Regulatory Framework
1 – Definitions
What is Money Laundering?
- knowingly facilitating by any means the false justification of the source of the property constituting the object or the direct or indirect proceeds, or constituting a patrimonial benefit of any nature whatsoever from one or several of the designated predicate offences;
- knowingly assisting in a placement, dissimulation or conversion transaction of property constituting the object or the direct or indirect proceeds, or constituting a patrimonial benefit of any nature whatsoever from one or several of the predicate offences;
- having acquired, held or used the property constituting the object or the direct or indirect proceeds, or a patrimonial benefit of any nature whatsoever from one or several of the predicate offences, knowing, at the time they received them, that they originated from one of the designated offences or from the participation in one or several of these offences.
The 4th AML Directive extended the scope of money laundering offences to tax crimes.
The Luxembourg Law of 23 December 2016 on the 2017 Tax Reform amended article 506-1 of the Criminal Code, adding 3 categories of predicate offences of money laundering:
- Aggravated tax fraud and tax swindle related to direct taxes
- Aggravated tax fraud and tax swindle related to value added taxes
- Aggravated tax fraud and tax swindle related to registration and inheritance duties
Further reading:
- CSSF Circular 17/650
- CSSF Circular 20/744
Placement: illegal funds or assets are brought into the financial and/or commercial system in a way that aims at avoiding the creation of certain records and reports required by law (smurfing/structuring, camouflage, complicity, bank deposits in a specific pattern).
Layering: illegal funds or assets are moved away, spread across and/or disguised to conceal their origin (multiple transactions, complex structures, various asset types).
Integration: funds or assets (successfully cleared) are reintroduced in the legal economic system / in the financial system, by making them available for investments, saving or expenditure (in real estate, securities, commercial business).
What is Terrorism Financing?
Terrorist organizations need money to recruit and sustain, acquire, influence, build the support base, carry out terrorist activities.
■ Terrorism: Unlawful use or threatened use of violence against individuals or properties to intimidate or coerce, especially for political
purposes, religious or ideological objectives.
■ Financing of terrorism: Involves the solicitation, collection or provision of funds with the intention that they may be used to support
terrorist acts or organizations.
Terrorism Financing: The DESTINATION of funds/assets is ILLICIT where terrorist organizations obtain money from a number
of legitimate and illegitimate sources (wealthy sponsors, charitable and religious institutions, commercial enterprises, state
sponsors, illegal activities, smuggling, etc.). The purpose of the funds is often disguised.
2 – Regulatory environment
● International Level
(Treaties, UN Resolutions, FATF Recommendations)
● Regional Level
(European Regulation / Directives)
● Local Level
(Luxembourg Law, Grand Ducal and CSSF regulations,
National Risk Assessment)
Regulations covering the prevention of money laundering date back to the early 1970s. Regulations concerning the prevention of terrorism financing were introduced later (early 2000s).
● United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances, 1988
European Regulation
• 1991 - 1AMLD
• 2001 - 2AMLD
• 2005 - 3AMLD
• 2015 - 4AMLD
• 2018 - 5AMLD
• 2018 - 6AMLD
EU regulation is accelerating from a rhythm of one directive every 10 years to one every 3 years…
● In 1989: creation of the Financial Action Task Force on Money Laundering (FATF/GAFI), an inter-governmental policy-making body based in Paris
● Objectives:
• Sets international standards to combat money laundering and terrorist financing.
• Assesses and monitors compliance with the FATF standards at country level.
• Conducts typologies studies of money laundering and terrorist financing methods, trends and techniques.
• Responds to new and emerging threats, such as proliferation financing.
● History:
• 1990: 40 recommendations
• 2001: +7 special recommendations related to FT
• 2003: +2 special recommendations related to FT
• Revised in February 2012 to cover new threats such as the financing of proliferation of weapons of mass
destruction, and to be clearer on transparency and tougher on corruption = a new set of 40 recommendations
• New priority areas such as tax crimes
• February 2013, FATF revised its Risk Assessment Methodology
Further reading:
• October 2018 – Guidance for RBA on securities sector
• October 2019 – Best Practices on Beneficial Ownership for Legal Persons
The 40 recommendations
The Mutual Evaluation Process
● EU Directive (EU) 2015/849 - published 5 June 2015 (the 4th AML Directive)
replaces Directives 2005/60/EC and 2006/70/EC.
● Regulation (EU) 2015/847 on information accompanying transfer of funds
replaces Regulation (EC) No 1781/2006.
Main features
● tax crimes = predicate offences of money laundering
● focus on the risk assessment and a corresponding risk based approach
● lighter CDD for certain e-money products
● gambling sector in scope
● creation of beneficial owners' national central registers
● “domestic” or national PEP in scope
● enhancement of sanctioning powers of the competent authorities and publication of the sanctions
● information about payer AND payee
Effective since 26 June 2017
Luxembourg legislation and rules (non-exhaustive list)
Law of 5 April 1993 on the Financial Sector
Law of 12 November 2004 on AML/CTF, as amended
Law of 23 December 2016 on tax reform (tax swindle + aggravated tax fraud)
Law of 13 January 2019 (RBE)
Grand-Ducal Regulation of 1 February 2010, providing details on the AML law of 2004
Law of 27 October 2010, enhancing the AML/CTF legal framework, organizing the controls of physical transport of cash entering, transiting through or leaving the Grand-Duchy of Luxembourg, and implementing UN and EU resolutions concerning prohibitions and restrictive measures in financial matters in respect of certain persons, entities and groups in the context of CTF
Grand-Ducal Regulation of 29 October 2010, enforcing the law of 27 October 2010
CSSF Regulation No.20-05 (former 12-02), on AML/CTF
Ministerial regulations, implementing UN and EU restrictions
FIU/CRF Circular 22/10
Public Access To National Registers of Beneficial Owners
UBO register to be established for companies and trusts or other legal arrangements.
Public Authorities To Access Client data of all institutions
In Luxembourg the choice has been made that all banks will send to the CSSF all the data of their clients (name, balance…).
All the data of our clients will be shared DAILY with the CSSF (Circular 20/747)
DATA COLLECTION & PROCESSING
Main professional obligations:
o Art. 3(3) of the Law of 2004: “Professionals are required to perform an analysis of the risks inherent to their business activities. They must set down in writing the findings of this analysis.” (since 27-Oct-2010)
o Risk analysis regarding the fight against money laundering and terrorist financing (AML/CFT):
• CSSF Circular 11/519 – for credit institutions.
• CSSF Circular 11/529 – for all other professionals subject to CSSF supervision and to whom the law of 12 November 2004 applies.

Risk analysis                        CSSF 11/519   CSSF 11/529
1. Identification of ML/TF risks     yes           yes
2. Mitigation measures               yes           yes
3. Questionnaire                     yes           no

o Identification of ML/TF risks is mainly based on:
• Country / Geography
• Customers
• Products / Services / Transactions
• Distribution channels (ESA – Risk factors Guidelines – 26 June 2017)
• Assets (CSSF Circular 18/698)
The evaluation must be updated annually and must include new products and new commercial practices, including new mechanisms for providing services and the development and use of new technologies, both for new products and for those that already exist.
The evaluation must result in a global risk score, which can vary between Low, Medium Low, Medium High and High.
Inherent risks are assessed and the mitigators are identified through an inventory and evaluation of the controls in place.
To perform this assessment the professional shall also consider :
The National Risk Assessment of ML and TF made for Luxembourg
(highlighting the most relevant risks in Luxembourg)
https://mfin.gouvernement.lu/en/publications/Divers/NRA/NRA.html
The CSSF Sub-Sector Risk Assessments: three have been prepared, on the private banking sector, on specialised PSF (trust & company service providers) and on securities services
o In accordance with article 2-2 of the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended, “the professionals shall take appropriate steps to identify, assess and understand” the risks of money laundering and terrorist financing that they face, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels. Those steps shall be proportionate to the nature and size of the professionals.
o The professionals shall consider all relevant risk factors before determining the overall risk level and the level and type of appropriate
measures to apply in order to manage and mitigate these risks. Moreover, the professionals shall ensure that the information on the risks
included in the national and supranational risk assessment or communicated by the supervisory authorities, self-regulatory bodies or the
European Supervisory Authorities is incorporated in their risk assessment. The professionals shall document, keep up-to-date and make the
risk assessments available to the supervisory authorities and self-regulatory bodies.
o In accordance with the article 4 (1) of the CSSF Regulation 12-02 (as amended by the CSSF Regulation 20-05), the identification, assessment
and understanding of risks by the professional, as provided for in Article 2-2 of the Law, shall allow it to determine which due diligence
measures shall be applied to the business relationship based on the materiality of the risk. To this end, the professional shall incorporate
different sources in its risk management procedures, including:
- supranational report of the European Commission on the risks of money laundering and terrorist financing (“Supranational Risk Assessment”);
- national assessment of the risks of money laundering and terrorist financing (“National Risk Assessment”);
- sub-sectoral ML/TF risk assessments (“Sub-Sector Risk Assessments”);
- joint guidelines issued by the three European Supervisory Authorities (ESMA, EBA and EIOPA) (hereinafter referred to as the “European
Supervisory Authorities”) on money laundering and terrorist financing risk factors (“Risk Factor Joint Guidelines”);
- the related CSSF publications.
RISK FACTORS

Country / Geo area
Country risk provides useful information on potential ML/FT risk.
• The ESAs Joint Guidelines require that certain factors are taken into account to assess the risk level of a particular country.

Investor / Client base
Each customer type has a different set of AML/CTF risks and is subject to different identification and verification requirements.
• Higher risk customers generally include business relationships involving Politically Exposed Persons (“PEP”), non-profit organizations (“NPO”) and complex layers of intermediaries, in particular involving unregulated intermediaries.
• FATF provides categories of customers indicating higher risk.

Distribution Channel
AML/CFT risk profile of the parties involved in the distribution channel.
• Level of AML/CFT controls it applies as well as the level of supervision it is subject to, country, domicile or activity, the transparency of the distribution…

Asset
AML/CTF risks of the asset, assessed prior to any acquisition as well as on a defined ongoing basis to ensure that any change in circumstances is adequately …

Product, Service & Transaction
AML/CTF risks of the products, services and transactions provided, assessed prior to any new launch as well as on a defined ongoing basis to ensure that any change in circumstances is adequately …
• The following elements at a minimum: the level of transparency or opaqueness of the product, service or transactions, the complexity of the product, service or transactions, and the value or size of the product, service or transactions.
• The ESA Guidelines & FATF Guidelines require that certain factors are taken into account to assess the risk level.

Other risk factors
Other AML/CTF risk factors should be considered, like:
• The organization of the entity, any material delegation or outsourcing arrangements, sanctions, bad press, case-by-case high risk cases…

Mitigation factors are all the elements in place that contribute to combat ML/FT. Mitigation factors may include Governance & Oversight / Controls & Testing / Training and Awareness.
In the sub-sector assessment, the CSSF also inventoried the most frequent findings from CSSF on-site inspections:
Incomplete documentation
Insufficiency on the diligence to understand ownership and control structure of the client
ML / TF classification
ML / TF linked to clients and risk country
Lack of Critical analysis
Insufficient involvement of the compliance function
ML / TF suspicion not reported (or reported late) to the FIU
A regulatory requirement introduced by CSSF Circular 18/702 (for private banking), also reflected in CSSF Regulation 20-05 and also an ECB requirement: each professional shall prepare an AML Risk Appetite, to be put in place by authorised management and approved by the board of directors.
There is no prescription on how this should be formalised. However, some examples of the elements that should be considered:
• Prohibition to do business in countries or to offer certain products,
• Number of countries in which the professional does business (to be limited),
• A clear business strategy stating what the professional wants to do and how, in terms of AML (type of industry of clients, channel of distribution…),
• Products offering
• …
4 – Customer Due Diligence (CDD)
Identify and verify client’s identity (including proxies and legal representatives)
• Based on documents, data, information obtained from a reliable and independent source
Identify the beneficial owner, when applicable, and take reasonable measures to verify his identity
• Definition of beneficial owner
• Including, where applicable, understanding of the ownership and control structure of the client
Obtain information on the purpose and intended nature of the business relationship
Obtain information on the client’s tax situation
Conduct ongoing monitoring of the business relationship and the transactions
Screen client and all relevant parties against sanctions lists
Identification
• Before account opening
• Clients
• Proxies, Mandates, Legal representatives
• Ultimate Beneficial Owners (UBOs)
Verification of information
• Having supporting documents evidencing the identification
• Documents from a reliable and independent source
Key questions
• Who is your client, its beneficial owner, purpose of activity, source of wealth, source of fund?
• KYC documentation may vary according to the client type and on a risk-based approach
Art. 1(7) of the Law of 12 November 2004, as amended:
Any natural person who ultimately owns or controls the client through a direct or indirect ownership of a sufficient percentage*
of the shares or voting rights or ownership interest in that entity; or
Any natural person on whose behalf a transaction or activity is being conducted; or
Any natural person who otherwise exercises control or decisive influence over the management of a legal entity/arrangement.
If, after having exhausted all possible means and provided there are no grounds for suspicion, no one corresponding to a person listed above is identified, or if there is any doubt that the person identified is the beneficial owner, any natural person who holds the position of senior manager could be identified as beneficial owner;
FATF Recommendations : also includes the person who exercises ultimate effective control over the legal person/arrangement.
* A shareholding of 25% + 1 share (“threshold”) is only an INDICATION of ownership. An individual can be UBO even if the thresholds of the
ownership or control of the AML Law of 12 November 2004 as amended are not met (CSSF regulation 12-02 and CSSF Circular 19/732).
Threefold procedure to determine the UBO, to be formalised. The respective steps mentioned hereafter have to be followed until all ultimate beneficial owners have been correctly identified:
1. Identify the natural person(s) who directly or indirectly hold(s) or control(s) a sufficient percentage, namely 25% plus one, of the shares, voting rights or ownership in an entity;
2. Where no natural person can be identified under any of the scenarios under (i), identify any person who controls the legal entity via other means (meaning having the power to exercise, or actually exercising, dominant influence or control by any means over the investor/client. Understanding the management and governance structure of the investor/client will assist in establishing those natural person(s) with effective control over the customer; see also the factors in the circular); and
3. After having exhausted all possible means and provided that there are no grounds for suspicion, where no person under points (i) and (ii) is identified, or if there is any doubt that the person(s) identified is/are the beneficial owner(s), identify any person who holds the position of senior managing official (dirigeant principal).
It is fundamental to stress that measures (i) and (ii) are not alternative options but cascading measures, each to be formalised. Assessments under (i) and (ii) have thus each to be fully completed and formalised before resorting to measure (iii), which constitutes an express fall-back option only applicable when all possible measures to identify the ultimate beneficial owner under (i) and (ii) have been exhausted and came to no result. Professionals should keep records of all actions taken to identify the UBO under the abovementioned points.
When identifying the ultimate beneficial owner(s) of their customers, professionals collect proof of registration or an excerpt of the RBE register or similar registers abroad. Professionals may not exclusively rely on beneficial ownership information contained in such a central register to fulfil their customer due diligence obligations.
In case no ultimate beneficial owner is identified as required by the laws and regulations, the business relationship cannot be established.
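The cascade above, implemented as an added example (this code is not part of the training material and does not come from the CSSF or any regulator). It assumes a small constructed ownership graph with placeholder names, models “25% plus one share” as a holding strictly above 25%, aggregates indirect holdings by multiplying percentages along each chain and summing across chains, and keeps the record of actions taken at each step that the text requires:

```python
"""Cascading UBO determination, steps (i)-(iii), run over a constructed ownership graph.

Added example, not part of the training material. The graph, the modelling of
"25% plus one share" as a holding strictly above 25 %, and the record format are
assumptions of this example, not rules taken from the slides.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

THRESHOLD = 25.0  # "25% plus one share", modelled as strictly more than 25 %


@dataclass
class Entity:
    name: str
    natural_person: bool = False
    # direct shareholders: owner name -> percentage of this entity they hold
    owners: Dict[str, float] = field(default_factory=dict)
    # natural persons controlling the entity by other means (step (ii))
    other_control: List[str] = field(default_factory=list)
    # fall-back of step (iii), the "dirigeant principal"
    senior_managing_official: Optional[str] = None


def effective_ownership(entities: Dict[str, Entity], client: str) -> Dict[str, float]:
    """Direct plus indirect holdings per natural person. Each chain is multiplied
    along the way (50 % of a company holding 60 % of the client = 30 %) and all
    chains leading to the same person are summed."""
    result: Dict[str, float] = {}

    def walk(name: str, share: float) -> None:
        for owner, pct in entities[name].owners.items():
            held = share * pct / 100.0
            if entities[owner].natural_person:
                result[owner] = result.get(owner, 0.0) + held
            else:
                walk(owner, held)

    walk(client, 100.0)
    return result


def determine_ubo(entities: Dict[str, Entity], client: str,
                  doubt: bool = False) -> Tuple[List[str], str, List[str]]:
    """Apply the cascade and return (UBOs, step used, record of actions taken).
    `doubt=True` models "any doubt that the person(s) identified is/are the
    beneficial owner(s)" and forces the fall-back of step (iii)."""
    record: List[str] = []
    holdings = effective_ownership(entities, client)
    step1 = sorted(p for p, pct in holdings.items() if pct > THRESHOLD)
    record.append(f"(i) holdings {holdings}; above threshold: {step1 or 'none'}")
    if step1 and not doubt:
        return step1, "i", record
    step2 = sorted(entities[client].other_control)
    record.append(f"(ii) control by other means: {step2 or 'none'}")
    if step2 and not doubt:
        return step2, "ii", record
    smo = entities[client].senior_managing_official
    record.append(f"(iii) fall-back to senior managing official: {smo or 'none'}")
    if smo:
        return [smo], "iii", record
    raise ValueError(f"{client}: no UBO identified, business relationship cannot be established")


def can_onboard(entities: Dict[str, Entity], client: str) -> bool:
    """True if the cascade yields at least one UBO; False otherwise."""
    try:
        determine_ubo(entities, client)
        return True
    except ValueError:
        return False


def build_sample() -> Dict[str, Entity]:
    """Constructed ownership graph with placeholder names (not real entities)."""
    people = ["Alice", "Bob", "Carol", "Dan", "Eve", "P1", "P2", "P3", "P4", "P5"]
    e: Dict[str, Entity] = {n: Entity(n, natural_person=True) for n in people}
    spread = {f"P{i}": 20.0 for i in range(1, 6)}  # five persons at 20 % each
    e["MidCo"] = Entity("MidCo", owners={"Bob": 50.0, "Carol": 50.0})
    e["HoldCo"] = Entity("HoldCo", owners={"MidCo": 60.0, "Alice": 40.0},
                         senior_managing_official="Eve")
    e["SpreadCo"] = Entity("SpreadCo", owners=dict(spread), other_control=["Dan"])
    e["OpaqueCo"] = Entity("OpaqueCo", owners=dict(spread), senior_managing_official="Eve")
    e["NoOneCo"] = Entity("NoOneCo", owners=dict(spread))
    return e


if __name__ == "__main__":
    sample = build_sample()
    for client in ("HoldCo", "SpreadCo", "OpaqueCo"):
        ubos, step, record = determine_ubo(sample, client)
        print(client, "->", ubos, "via step", step)
        for line in record:
            print("   ", line)
    print("NoOneCo onboardable:", can_onboard(sample, "NoOneCo"))
```

The returned record is what a reviewer or inspector would expect to see on file: for a client resolved at step (iii) it shows that steps (i) and (ii) were actually run and came to no result, rather than step (iii) being taken as a shortcut.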
UBO of legal arrangements (trusts, fiducies):
Trust and fiducies can be used to increase anonymity. In a trust, a settlor transfers legal ownership including right to control
the property to a trustee and the right to benefits to beneficiaries.
Where a legal entity is owned by a trust, the rules on identification of UBO of legal entities and trust shall apply
simultaneously.
According to the AML/CFT law, the concept of beneficial ownership shall include:
The Settlor if any
The Fiduciaire or Trustee
The protector if any
The Beneficiaries (when determined) or the class of persons in whose main interest the legal arrangement is set up or
operates
Any other person having influence in the arrangement.
A new register introduced by the 4th AML Directive and implemented by the Law of 13 January 2019
4th AMLD: The member states will have to hold information on the beneficial owners of all corporate and other legal
entities incorporated within their territory in a national central register. Competent authorities and entities subject to
the Directive will have access to the register, as well as any person demonstrating “a legitimate interest”.
• Corporate entities: any member of the general public is now required to be granted access (foreseen by the law of 13
January 2019).
• Trusts: access to beneficial ownership information is extended beyond regulators, FIUs and regulated entities
conducting due diligence to any person that can demonstrate a legitimate interest.
Register of Beneficial Owners (RBE)
Under the RBE law, published on 15 January 2019, Luxembourg-domiciled companies must:
• Transmit to the RBE, at the Luxembourg Trade and Companies Register, information on their BO within 6 months after the publication of the law
Obligations when onboarding a Luxembourgish company as a client:
• Professionals must consult the RBE, take a printout and verify the information in the register with the information provided by
the prospect or client
• In case of discrepancies the professional shall inform the RBE
• For other EU-domiciled companies, similar controls must be put in place when the register exists and is available.
Fine from 1 250 EUR to 1 250 000 EUR if the BO information has not been uploaded.
Obtaining information on the purpose and the intended nature of the business relationship (BR), i.e.:
Why does the client need an account / what is the reason for entering into a business relationship?
What are the expected transactions or flows of cash? (amount, frequency, purpose, origin and destination,
countries, documentation, …)
Activities requiring particular attention
• Any activity which seems, by its nature, to be related to ML / TF and in particular complex or unusually large transactions
and all unusual patterns of transactions which have no apparent economic or visible lawful purpose.
• The transactions and persons detected should be documented in writing including the criteria that led to their detection
when the result is positive.
Keeping up-to-date information
• The on-going monitoring obligation requires the professionals to verify and update the documents and information
collected according to the client risk category and within an appropriate timeframe.
! novelty introduced by the 4th and 5th AML directives !
For payment instruments charged with electronic money: possibility to waive most customer due diligence requirements. This measure is however limited to low-value e-money products (< € 150) and subject to risk-mitigation conditions such as sufficient transaction monitoring.
Define the risk level associated with the client / business relationship
Acceptance / Validation
Apply appropriate due diligence measures (when establishing the business relationship or when carrying out an
occasional transaction), based on your risk assessment (to be documented)
• Low-risk situation: Simplified due diligence may be applied
• High-risk situation: Enhanced due diligence must be applied (RR/RC) – see art. 9 of CSSF Regulation 12-02
High-risk factors (non-exhaustive list): see Circular 17/650, Circular 17/661, appendix 4 of the Law of 12 Nov. 2004 as amended…
TYPE: CLIENT STRUCTURE AND LOCATION
- Client is a legal person or arrangement set up in a jurisdiction that is not subject to AEOI/CRS/FATCA reporting and the entity has no economic, asset or other reality*
- Client is a company or uses companies in which a multitude of statutory changes (unexpected and short-term changes) have taken place (changing managers, moving the registered office…)
- Client uses companies or legal structures located in a jurisdiction other than the tax residence or place of regular economic or professional interests of the beneficial owners
- Client uses a complex set-up without clear economic or patrimonial justification which appears designed to conceal information (i.e. trusts with no requirement to disclose beneficiaries…)
- Classification of a company or legal structure as “Active Non Financial Entity” based on CRS regulation, without the change being justified by the development of the company or legal structure

TYPE: OTHER CLIENT CHARACTERISTICS
- Client has moved tax residence from a jurisdiction that is subject to AEOI/CRS/FATCA reporting to a jurisdiction that is not subject to such reporting without notifying the professional, potentially in order to escape reporting

TYPE: CLIENT INTERACTION AND BEHAVIOUR
- No face-to-face interaction with the client when opening the account
- Requests for assistance or provision of services whose purpose could be to foster circumvention of the customer’s tax obligations
- Lack of professional tax advice to support any tax implication of complex structures
- Findings of anomalies in documentation justifying transactions, notably atypical or unusual transactions (no VAT, no invoice…)
- Client refuses to provide tax compliance documentation or information needed for tax reporting in the presence of indications raising suspicion
- Client cannot confirm that the source of funds has been declared to a tax authority
- Documentation on tax compliance leaving room for doubt was issued by a person close to the final customer, with a potential conflict of interests
- Client’s organisation structure is not consistent with the documentation recorded on file

TYPE: HOLD MAIL
- Request to have hardcopy documents retained for a short time only, or personal collection with long time spans in between
- Hold mail not collected and the client or their beneficial owners have not visited Luxembourg for an extended period
- Unjustified refusal of any contact or unjustified request of hold mail, more particularly if the customer is domiciled in a jurisdiction not subject to AEOI/CRS/FATCA reporting

TYPE: SUSPICIOUS ACTIVITIES & TRANSACTIONS
- Client transfers funds from a country considered risky from the point of view of tax transparency or resides in a country which is not subject to AEOI/CRS/FATCA reporting
- Substantial increase of movement on a banking account which was until then not very active, with no justification
- Frequent & substantial wire transfers from or to geographies without a commercial purpose or which are considered risky from a tax transparency perspective
- Receipt of commissions or payments to foreign companies without commercial activity or without substance
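Two of the indicators above (“substantial increase of movement on a banking account which was until then not very active” and “frequent & substantial wire transfers from or to geographies … considered risky from a tax transparency perspective”) expressed as monitoring rules and run over a constructed account history. This is an added example, not code from the training material or from any institution; the record layout, the thresholds (ratio 10, EUR 50 000, three wires / EUR 100 000 / 30 days) and the placeholder country codes “XX”/“YY” standing for jurisdictions classed as not subject to AEOI/CRS/FATCA reporting are assumptions of the example, to be replaced by the institution's own risk-based calibration:

```python
"""Two transaction-monitoring rules derived from the red-flag list, run over a
constructed account history. Added example, not part of the training material.

Assumptions (none of these come from the slides): the transaction record layout,
the thresholds, and the placeholder codes "XX"/"YY" for jurisdictions classed as
not subject to AEOI/CRS/FATCA reporting.
"""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Tx(NamedTuple):
    account: str
    booked: date
    amount: float   # EUR; positive = credit, negative = debit
    country: str    # code of the counterparty's country


# Placeholder codes for "not subject to AEOI/CRS/FATCA reporting" (constructed).
NON_REPORTING = {"XX", "YY"}

# Constructed sample history (not real data).
SAMPLE: List[Tx] = (
    # A1: six quiet months, then one sudden large movement
    [Tx("A1", date(2023, m, 15), 500.0, "LU") for m in range(1, 7)]
    + [Tx("A1", date(2023, 7, 3), 120_000.0, "LU")]
    # A2: four substantial wires to a non-reporting jurisdiction within ten days
    + [Tx("A2", date(2023, 3, d), -40_000.0, "XX") for d in (1, 4, 7, 10)]
    # A3: ordinary activity plus one modest wire abroad
    + [Tx("A3", date(2023, m, 20), 2_000.0, "DE") for m in range(1, 7)]
    + [Tx("A3", date(2023, 5, 2), -10_000.0, "XX")]
)


def monthly_turnover(txs: List[Tx]) -> Dict[str, Dict[Tuple[int, int], float]]:
    """Sum of absolute movements per account and (year, month)."""
    out: Dict[str, Dict[Tuple[int, int], float]] = defaultdict(lambda: defaultdict(float))
    for t in txs:
        out[t.account][(t.booked.year, t.booked.month)] += abs(t.amount)
    return out


def dormant_account_spikes(txs: List[Tx], baseline_months: int = 6,
                           ratio: float = 10.0, min_amount: float = 50_000.0):
    """Rule 1: a month's turnover exceeds `ratio` times the average of the preceding
    `baseline_months` months (all of which must exist) and is at least `min_amount`.
    Returns (account, (year, month), turnover, baseline average) per alert."""
    alerts = []
    for account, months in monthly_turnover(txs).items():
        keys = sorted(months)
        for i in range(baseline_months, len(keys)):
            baseline = [months[k] for k in keys[i - baseline_months:i]]
            avg = sum(baseline) / len(baseline)
            current = months[keys[i]]
            if current >= min_amount and current > ratio * avg:
                alerts.append((account, keys[i], current, avg))
    return alerts


def frequent_high_risk_wires(txs: List[Tx], min_count: int = 3,
                             min_total: float = 100_000.0, window_days: int = 30):
    """Rule 2: at least `min_count` wires from/to a non-reporting jurisdiction
    totalling at least `min_total` within any `window_days` window; one alert per
    account as (account, first date, last date, count, total)."""
    per_account: Dict[str, List[Tuple[date, float]]] = defaultdict(list)
    for t in txs:
        if t.country in NON_REPORTING:
            per_account[t.account].append((t.booked, abs(t.amount)))
    alerts = []
    for account, wires in per_account.items():
        wires.sort()
        start = 0
        for end in range(len(wires)):
            # shrink the window from the left until it spans at most window_days
            while wires[end][0] - wires[start][0] > timedelta(days=window_days):
                start += 1
            window = wires[start:end + 1]
            total = sum(a for _, a in window)
            if len(window) >= min_count and total >= min_total:
                alerts.append((account, wires[start][0], wires[end][0], len(window), total))
                break
    return alerts


if __name__ == "__main__":
    for a in dormant_account_spikes(SAMPLE):
        print("dormant-account spike:", a)
    for a in frequent_high_risk_wires(SAMPLE):
        print("frequent high-risk wires:", a)
```

Each alert carries the figures that triggered it (turnover against baseline, or count and total within the window), which is the written record of "the criteria that led to their detection" that the ongoing-monitoring obligation asks for when the result is positive.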
Timeline for carrying out CDD measures
1. Professionals must review and update the information on the customer at a frequency and to an extent consistent with the risk assessment
2. Annually for high-risk relationships
3. Every … at the least
Possibility to apply simplified customer due diligence measures where the professionals identify a lower risk of ML/TF
1. Customer risk factors: listed public companies, public administrations or enterprises from countries having low level of
corruption, customers resident in areas of lower geographical risk factors
2. Product, service, transaction or delivery channel risk factors: some insurance policies (life-pension), some financial
product and services (electronic money)
3. Geographical risk factors: Member states, third countries with effective AML/CTF systems and low level of corruption,
third countries (see FATF recommendations)
Monitoring of the business relationship at all times to ensure all conditions continue to be met (article 3.1 of the Law of 12 November 2004).
In any situations that present a higher risk of ML / TF
• Natural persons or legal entities established in 3rd countries which do not or insufficiently apply AML/CTF measures
• Cross-border correspondent banking or similar relationship with correspondent institutions in third countries, or in
member states that present a higher risk
• Transactions or Business relationships with PEP (Need authorization from Senior Management)
The “national” (or “domestic”) PEPs are back in scope. Any PEP is now in scope, without regard to his country of residency or where he works.
Due diligence performed by third parties
Third-party introducer – Forbidden if third party is located in a high risk jurisdiction
Outsourcing
Ultimate responsibility stays with:
• the professional relying on the third party (for 3rd party introduction)
• the outsourcer (in case of outsourcing)
Further reading:
• ESA Guidelines (2017) points 112, 219 and 222
• FATF Guidelines (2018) points 101, 107 and 110
Law of 12 November 2004 / Luxembourg Company law / GDPR - general public interest
• Keep documentation and information (may be used for AML/TF investigations by the authorities)
− For Customer Due Diligence: copy of the documents required, for 5 years after the end of the business
relationship.
− For business relationships & transactions: supporting evidence and records, consisting of the original
documents or certified copies, for 5 years after the carrying out of the transactions or 10 years starting at the end of the financial year to which they relate.
GD Regulation of Feb. 2010 – Article 1(5)
• Maintain records of the identification data, account files and of the business correspondence for at least 5
years following the termination of an account or business relationship
• Transaction records shall be able to trace back individual transactions
• It should contain in particular:
− customer's name, beneficiary's name, address or other identifying information normally recorded by the
intermediary
− nature and date of the transaction
− type and amount of currency involved
− type and identifying number of any account involved in the transaction
● Type of customers
● Regulatory Framework
● Outsourcing
At Management Company level
perform initial and on-going due diligence on its clients, investment funds initiators, investment funds and where relevant on the portfolio managers and advisers as well as
implementing appropriate and proportionate AML/CTF policies and procedures on behalf of the UCI, including the supervision of delegated and outsourced functions, but not limited
to the central administration function and the distribution network.
when delegating the investment management function, must verify that relevant procedures and policies addressing AML/CTF risks relating to portfolio transactions are in place at
delegate level – such obligation is in particular relevant in case of alternative investments and illiquid asset classes. In compliance with the article 3 of the CSSF Regulation 12-02 the
UCI or its ManCo shall ensure enhanced due-diligence measures on intermediaries who are investing on behalf of their clients are implemented.
At Transfer Agent level
maintain the share / unit register of the UCI and perform the AML / CTF controls on behalf of the UCI under the supervision of the Management Company when one is appointed.
even if the TA must comply with its own legal obligations and may decline to process an investor onboarding if it is prevented by its own policies, it still has the obligation to operate under the ultimate responsibility of the Fund or the ManCo if one is appointed (notwithstanding its own responsibility).
At the Investment Manager level
is granted a mandate by the fund promoter to invest into assets on behalf of the relevant Fund within a scope as defined by applicable laws and its constitutive documents (e.g.
prospectus or private placement memorandum).
must ensure accordingly that the financial crime risks associated with those securities invested into by the relevant UCI are appropriately mitigated (this being in particular applicable
in the alternative investment universe).
At Compliance level
the main role of the Compliance Officer at the ManCo and TA level, from an AML/CTF risk perspective, is the determination of key measures and processes allowing such AML/CTF risks to be managed appropriately and proportionately, with a view to operating efficiently and ensuring a smooth day-to-day operational framework.
As part of the measures allowing the Compliance Function at the level of the TA and the ManCo to identify, assess, monitor and manage their exposure to financial crime risks, it is
required to perform a self-assessment of such AML/CTF risks in accordance with the type, size and nature of the activities and business model, the types of products and services
offered, the transactions types, the delivery channels and the geographical areas.
Challenges
• For whom? In which context? What does it mean in practice?
• Omnibus vs segregated account; understanding of the intermediary customer base
• What does it mean and in which context? Define the risk appetite and risk-based approach
• At intermediary level? At underlying level? Until the end-UBO?
• Define the roles and responsibilities between the stakeholders
Intermediary:
1. Art 3-2 (3) of the Law of 2004 regarding cross-border correspondent and other similar relationships with respondent institutions in third countries, defining the Enhanced
Due Diligence obligations professionals have to fulfil prior to entering into a relationship with such a client
2. Article 3 of CSSF Regulation 12-02: where the units or shares of a Fund are subscribed through an intermediary acting on behalf of its customers, the customer due
diligence measures to be put in place for this intermediary should be applied pursuant to the terms of Art. 3-2(3) of the Law of 2004
3. Art. 29 of CSSF Regulation No. 12-02 also states that relationships established for securities transactions and fund transfers by a professional acting on behalf of its
customers should be considered as a “similar relationship” to a cross-border correspondent banking relationship as defined in Art. 3-2(3)
4. Art 305 of CSSF Circular 18/698: “the IFM must follow the Guidance for the Securities Sector issued by the FATF”
Art 310 of CSSF Circular 18/698: “the UCI, its IFM or where appropriate the respective proxies of these professionals must put in place EDD measures on intermediaries
subscribing units on behalf of its clients”
5. EBA/ESMA/EIOPA guidelines, Art 219 b: “a firm that, as part of its economic activity, directly purchases units of or shares in its own name and exercises control over the
investment for the ultimate benefit of one or more third parties who do not control the investment or investment decisions”
6. Art 219 c: “a firm, for example a financial intermediary, that acts in its own name and is the registered owner of the shares or units but acts on the account of, and pursuant
to specific instructions from, one or more third parties (e.g. because the financial intermediary is a nominee, broker, multi-client pooled account/omnibus type account
operator or operator of a similar passive-type arrangement)”
Art 222: “intermediary will provide CDD information and documents on the underlying investors immediately upon request (contract and/or sample testing)”
7. FATF guidance for the securities sector: Art 99 “When determining the type and extent of CDD to apply, a securities provider should be clear as to whether its customer is
acting on its own behalf or as an intermediary on behalf of its underlying customers”
8. Art 101 stipulating that securities providers should obtain, and the intermediary should provide, information about the intermediary’s AML/CFT controls, including
information regarding the intermediary’s risk assessment of its underlying customer base and its implementation of risk mitigation measures
Art 106 to 113 stipulating that for correspondent banking and other similar cross-border relationships, financial institutions should apply criteria (a) to (e) of article 3-2 (3) of
the Law of 2004
Know Your Intermediary concept versus Know Your Client
Context: Art 312 of the CSSF circular 18/698 stipulates that where the exercise of some AML/CFT tasks is delegated to a third party, notably the
transfer agent, the IFM is not exempt from its AML/CFT responsibility. This is also applicable to intermediaries
Establish written agreement
• Clearly defining the role and responsibilities of each party at the TA level
• Clearly defining the role and responsibilities of each party regarding the marketing intermediaries (including sub-delegation)
• IFM should ensure that a proper distribution agreement is in place with a reliable AML/CTF clause, including but not limited to access, without delay and upon request, to the relevant identification data of clients for intermediaries which ensure the marketing and act on behalf of clients
Perform initial & periodic review
• DD on intermediaries as laid down in article 328 of the CSSF Circular 18/698 (Know Your Intermediary: type of intermediary, information to understand the nature of the intermediary, documentation, distribution channel, country risk)
• Assessment whether the intermediary ensures at all times compliance with the subscribed commitments, notably the communication, without delay and upon request, of relevant identification data of clients
• Written critical analysis and assessment of the AML control framework based on reports such as the ISAE report at the TA level, the LFR at the funds’ level or management letters, or AML questionnaires (i.e. detailed Wolfsberg Questionnaire, own AML questionnaire) or AML policies & procedures, including on-site visits
Ensure ongoing monitoring
• Implement control arrangements / mechanisms, define KPI and KRI, which allow the IFM to access the data documenting the activities exercised by the distributor / transfer agent to monitor the activities of the delegate, such as having for example a good overview and understanding of the type of customers investing in the fund and the controls performed by the delegate
• Be involved in decision-making concerning new countries of registration, regular financial target sanction screening, monitoring of compliance with their AML/CFT obligations
What factors do professionals have to keep in mind regarding cross-border intermediaries?
• Key risk area in Luxembourg is cross-border distribution from EU and non-EU countries, with high volumes of transactions and rapid flows
• Investment sector considered as high risk (supra-national risk assessment + national risk assessment): high market fragmentation in terms of number of providers and intermediaries, the international nature of the business and also the high volume of retail and institutional investors
Determine the level of risk of your financial intermediary (use of key risk factors and variables)
• Who is your intermediary (type, geographical location, …)?
• Is the intermediary investing inside or outside the EU?
• Consider the type of fund (UCITS versus non-UCITS)
• Is it investing on its own or on a third party's behalf (discretionary portfolio management versus order transmission / respondent relationship versus third party introducer)?
• What are the volumes/AUM (high volume = high risk indicator)?
• Does the structure favour anonymity (high risk indicator)?
• Is there a limited number of investors (high risk indicator)?
• Additional searches (internet) to better inform the intermediary risk profile
• Carrying out additional searches focused on financial crime risk indicators (negative news screening) to better assess the investor risk profile
Even when CDD is the responsibility of the intermediary, an understanding of the intermediary’s customer base can often be a useful element in determining the risk associated with the intermediary itself – the level of understanding obtained should be tailored to the perceived risk level of the intermediary.
What has to be done
• At the intermediary level: perform adequate due diligence measures and request KYC documentation on the intermediary based on the level of risk assigned
• At the relationship level with the intermediary (EDD measures): request sufficient information from your intermediary to assess its AML framework
• The concept of pure reliance (on AML letters) does not exist anymore
• Assess the AML framework
• Have an understanding of who the underlying investors are; depending on the level of risk, look through to the underlying investors
• All information provided has to be assessed
• Depending on the way the customer is registered in the shares/unitholders register, if the name of the underlying investor is mentioned, it has to be screened
• Review your intermediary relationship on a regular basis
Requirements – How to mitigate the risk? – Examples
Intermediary itself
• How: adequate due diligence measures
• Examples: due diligence measures on a RBA on the intermediary itself; 2 levels of due diligence
EDD / AML control framework
• How: making a request for information on any particular transaction, possibly leading to more information being requested on the underlying customers of the intermediary on a risk-sensitive basis; AML letter / questionnaire; AML policies & procedures; on-site visits; sample testing
• Examples: obtaining a breakdown per investor type, jurisdiction, residual risk rating, level of DD performed, PEP, SOW/SOF…; requesting additional information on the transaction, number of investors behind the transaction…; requesting specific wording in the AML letter in order to have information upon request on the underlying customer/end-UBO; requesting the methodology of the country risk rating; reviewing the AML framework of the intermediary and reviewing the underlying customer file; requesting additional information on the underlying customer; evidencing the application of EDD measures on cross-border intermediaries at the level of the IFM or of the delegate, for instance through a summary sheet detailing the documents collected and the conclusion of the analysis
Risk-based approach & risk appetite
• How: design a risk-based approach & a risk appetite dedicated to intermediaries
• Examples: reliance / look through / prohibited; limit the number/% of certain intermediary types; limit/refuse the omnibus account; EU, FATF country
Governance
• How: formalize the approval from senior management for EDD
• Examples: the assessment should be documented, regularly updated and communicated to the relevant senior management through an escalation process for information and/or validation
Outsourcing
• This outsourced entity conducts CDD on behalf of the professional, in accordance with the procedures of the professional and under its instruction
• The professional may also outsource ongoing monitoring and transaction monitoring (agreement with roles and responsibilities)
• Ultimate responsibility for CDD and/or ongoing monitoring remains with the professional, who cannot delegate that responsibility
No contact
The client refuses contact (especially when he is resident in a country not subject to CRS/FATCA)
Tax evasion services
Request for services connected with tax evasion
Transactions
Tax transparency – High risk jurisdiction
Funds received from high risk countries
Service without economic reality
Commission received or paid to foreign entities without substance or commercial activity
Mixing personal and professional accounts
Numerous transactions mixing personal and professional accounts
Collective Investment Activities (“CIA”)
Complex investment structuring
One or more legal investment structures interposed between the client and the ultimate target investment, located in different jurisdictions with some of them not complying with international transparency standards
Investor tax reporting
Absence of tax reporting provided by the UCI in countries of distribution for which such investor tax reporting is required
Changes without econo
AML/CTF policies and procedures
Controls in place
Professionals are to establish adequate and appropriate policies and procedures (Art. 4 of the law of 12
November 2004 as amended and CSSF Regulation 12-02):
Establish customer due diligence, reporting, record keeping, internal control, risk assessment, risk management,
compliance management and communication.
Communicate and implement the relevant policies and procedures (where applicable) to branches and
subsidiaries.
Take appropriate measures to train and raise the awareness of employees, to assist them in recognizing
transactions linked to AML/CFT and how to proceed in such instances.
Have systems in place enabling them to respond fully and rapidly to enquiries from the Luxembourg
authorities.
Board of Directors
Employees
Everyone is responsible!
In accordance with Article 4(1) of the Law of 12 November 2004 as amended, above-mentioned professionals
must appoint:
a member from their management body, responsible for compliance with professional obligations in the fight
against money laundering and terrorist financing (responsable du respect des obligations, hereafter referred to as
RR), and
if the size and nature of the activity so requires, a compliance officer at appropriate hierarchical level
(responsable du contrôle du respect des obligations, hereafter referred to as RC).
Investment Funds and Investment Fund Managers are legally required to appoint both an RR and an RC.
Performed by the 1st and 2nd lines of defense and supported by adequate systems
Internal Audit
• Annual report to Authorized Management and Board of Directors (or to specialized committee) on AML/CTF
assessment and compliance
Recruitment
• Know-Your-Employee (e.g. extract of criminal record)
• Specific checks on certain persons (Compliance, Authorized Management)
Training
• For all employees, when they start and on-going
• Tailor-made to employees facing higher ML/TF risk operations / clients
• Case study in line with the risk assessment
• Track record
Awareness
• Keep employees aware of new trends and ML/TF techniques (regular meetings, documentation, newsletters,
real cases…)
• Program up-to-date with legislation
• Point of Contact
6 – Cooperation with the Authorities
Professionals, their directors and employees have the obligation to cooperate fully with the Luxembourg
authorities responsible for combating money laundering and terrorist financing without prejudice to the
obligations to which they are subject towards the CSSF (if applicable)
(Art. 5 of the law of 12 November 2004 as amended and the FIU Circular 22/10).
What does it mean?
1. Inform the Financial Intelligence Unit (active cooperation)
• with no delay
• on their own initiative,
• when they know, suspect or have reasonable reasons to suspect that money laundering or financing of terrorism
is being or has been committed or attempted, be it by reason of the person involved, its evolution, the origin of
funds, the nature, the objective or the modalities of the transaction
2. Declare suspicions: professionals have neither an obligation to actively investigate such facts, nor to verify
whether such facts are sufficiently conclusive to be used as the basis for an investigation, nor to qualify the
criminality of their suspicions, nor to prove their exactitude. In case of an AML/CTF suspicion, a Suspicious
Activity/Transaction Report (SAR/STR) must be filed (electronically through the tool “goAML”).
3. Provide all information required immediately upon request (passive cooperation).
4. Refrain from carrying out the suspicious transactions: in cases of AML/CTF suspicion, professionals have the
legal obligation to refrain from carrying out the related transaction(s) before having informed the Public Prosecutor.
The Public Prosecutor may block one or several suspicious transaction(s), although only for a maximum period of 6
months, or decide on other types of “ad hoc” measures (report movements on the account(s), request the client to
contact the Public Prosecutor’s office at the next contact, etc.).
Implementation of the 5th AML directive: the blocking period can be prolonged “until further notice”.
Request for mutual assistance
● As a general rule, requests for mutual assistance and communications are made directly between judicial
authorities with territorial competence.
● Urgent requests may be made via Interpol or anybody competent under provisions introduced pursuant to the
Treaty on European Union.
● Spontaneous exchange of information (i.e. without prior request) may take place between Member States
regarding criminal offences and administrative infringements, the punishment or handling of which falls within
the competence of the receiving authority.
● “Commission Rogatoire Internationale”(Rogatory Letters): To be previously validated by Luxembourg authority
before executing. Used for legal or judicial assistance, sent by the central authority of one country to the central
authority of another country usually through the courts, when seeking evidence or judicial assistance from the
other jurisdiction. They can be used in money laundering cases.
What is a suspicion?
● Suspicion could be defined as an unfavourable opinion about someone or their behaviour, based on indications,
impressions or intuitions, without any tangible evidence.
● It could be considered as an appreciation or perception, which is highly subjective because it is built upon a
collection of impressions and the level of experience of the individual, and will then be subject to change
depending on the individual's ability to assess the elements brought to his/her attention.
● When a doubt arises or a question is left unanswered, it must be cleared up. If there is no satisfactory outcome, it
becomes a suspicion.
● Unusual and suspicious transactions from an economic point of view, or with an illicit goal
● Countries, amounts, circuits…
● Complex transactions: understand the need for complexity
● Large amounts
● Illegitimate transactions compared to what we know about the customer
● Concomitant in/out transactions, that are not really plausible
● Customer proposing transactions outside the usual scope of activities of the institution
● Dormant accounts suddenly activated without plausible reasons (always ask past/present/future : why was it dormant, why woken up,
what are the intentions)
● Atypical customer behavior, failure to provide documentary evidence, non plausible explanation or false declaration about the origin of
the assets
● Sophisticated transactions/structures without economical justification
● Information on ongoing criminal investigations or judgment revealed by the press, information provided by some private database, in
rare cases after a reputation inquiry done by a private company
● High risk transactions (client’s country of origin, sophisticated patterns, etc.)
● Cashier’s desk transactions (multiple cash transactions within a short period of time, deposits done by different individuals on the same
account, etc.)
● Aggravated suspicions (multiple accounts closing and opening, request to use an internal bank account to perform a transaction, etc.)
• (1) The customer is a legal person or a legal arrangement set up in a jurisdiction that is not subject to AEOI/CRS/FATCA reporting and this “entity” has no economic, asset or other reality
• (2) The customer is a company or uses companies in which a multitude of statutory changes (unexpected and short-term changes) have taken place
• (3) The use of companies or legal structures located in a jurisdiction other than the tax residence or place of regular economic or professional interests of the beneficial owner
• (4) Completion of a commercial transaction at a price that is obviously under-estimated, over-estimated or inconsistent.
• (5) Findings of anomalies in the documentation justifying the transactions, and notably atypical or unusual transactions
• (6) The customer’s refusal to provide the tax compliance documentation or information needed for tax reportings or the presence of indications raising suspicions regarding fiscal
• (7) Substantial increase, over a short period, of movements on banking account(s) which was (were) until then scarcely active or inactive, without this rise being justified, notably by a verified development of economic or business activities of the customer.
• (8) Observation of inconsistencies between the business volume (e.g. based on company accounts) and movements on bank accounts.
• (9) Substantial and/or irregular transactions linked to professional activities on personal/private accounts.
• (10) Payment or reception of fees to or from foreign companies without business activities or without substance or link between the counterparties and whose purpose seems to be economically unjustified re-invoicing.
• (11) Classification of a company or legal structure as “Active Non-Financial Entity” based on CRS regulations and without the change being justified by the development of the business of the company or legal structure.
• (12) Requests for assistance or provision of services whose purpose could be to foster circumvention of the customer’s tax obligations.
• (13) Use by the customer of complex structures without economic or asset purpose
• (14) Unjustified refusal of any contact or unjustified request of hold mail and more particularly if the customer is domiciled in a jurisdiction that is not subject to AEOI/CRS/FATCA reporting
• (15) The transfer of funds from a country that according to the professional could be considered as being risky from a tax transparency point of view.
• (16) Inconsistent information available to the professional concerning the tax residence of the customer.
• (17) Use of so-called back-to-back loans, without valid justification.
• (18) Move of the tax residence from a jurisdiction that is not subject to AEOI/CRS/FATCA reporting to a jurisdiction that is subject to such reporting without notifying the professional, in order, potentially, to escape reporting.
• (19) Financial transactions that are inconsistent with the usual activities of the customer or with its profile or with the asset situation stated by the customer or suspect operations in sectors that are prone to VAT or other tax fraud, in a generally cross-border context.
• (20) Withdrawal or deposit of cash that is not justified by the level or nature of the commercial activity or known professional or asset situation.
• (21) Documentation on tax compliance leaving room for doubt as it was issued by a person close to the final customer and there being a potential conflict of interests.
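As an added illustration (not part of the original deck), the following Python turns two of the indicators above into monitoring rules run over a constructed account history: indicator (7), a substantial increase of movements on an account that was until then scarcely active, and the cashier's desk indicator, multiple cash transactions within a short period. The thresholds, the `Txn` structure and the sample data are assumptions; an institution would set them under its own risk-based approach.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    """One account movement (constructed structure, not a real core-banking record)."""
    account: str
    day: date
    amount: float   # absolute size of the movement, in EUR
    channel: str    # "wire" or "cash" (assumed labels)


def _volume(txns, account, start, end):
    """Sum of movements on `account` with start <= day <= end (inclusive)."""
    return sum(t.amount for t in txns if t.account == account and start <= t.day <= end)


def flag_dormant_reactivation(txns, as_of, dormant_days=180, window_days=30, ratio=5.0):
    """
    Indicator (7): substantial increase, over a short period, of movements on an
    account that was until then scarcely active or inactive.  An account is
    flagged when its volume over the last `window_days` exceeds `ratio` times its
    volume over the preceding `dormant_days`.  Thresholds are assumptions.
    Returns {account: (recent_volume, prior_volume)}.
    """
    window_start = as_of - timedelta(days=window_days)
    prior_start = window_start - timedelta(days=dormant_days)
    hits = {}
    for acct in sorted({t.account for t in txns}):
        recent = _volume(txns, acct, window_start, as_of)
        prior = _volume(txns, acct, prior_start, window_start - timedelta(days=1))
        # prior == 0 covers the fully inactive case; a brand-new account would
        # also match and belongs to onboarding review rather than this rule.
        if recent > 0 and recent > ratio * prior:
            hits[acct] = (recent, prior)
    return hits


def flag_repeated_cash(txns, window_days=7, min_count=3):
    """
    Cashier's desk indicator: multiple cash transactions within a short period
    on the same account.  A sliding window over each account's cash dates finds
    the first run of at least `min_count` cash movements inside `window_days`.
    Returns {account: [dates in the first qualifying window]}.
    """
    cash_days = defaultdict(list)
    for t in txns:
        if t.channel == "cash":
            cash_days[t.account].append(t.day)
    hits = {}
    for acct, days in cash_days.items():
        days.sort()
        for i in range(len(days)):
            j = i
            while j + 1 < len(days) and (days[j + 1] - days[i]).days < window_days:
                j += 1
            if j - i + 1 >= min_count:
                hits[acct] = days[i:j + 1]
                break
    return hits


def build_alerts(txns, as_of):
    """Combine both rules into (account, indicator) pairs for Compliance review."""
    alerts = [(acct, "indicator 7: dormant account reactivated")
              for acct in flag_dormant_reactivation(txns, as_of)]
    alerts += [(acct, "cashier's desk: repeated cash transactions")
               for acct in flag_repeated_cash(txns)]
    return sorted(alerts)


# Constructed sample history; dates are relative to an assumed review date.
AS_OF = date(2021, 5, 5)
SAMPLE = [
    # ACC-1: one small movement seven months ago, then three large wires in the last month
    Txn("ACC-1", AS_OF - timedelta(days=210), 250.0, "wire"),
    Txn("ACC-1", AS_OF - timedelta(days=20), 15000.0, "wire"),
    Txn("ACC-1", AS_OF - timedelta(days=12), 15000.0, "wire"),
    Txn("ACC-1", AS_OF - timedelta(days=3), 15000.0, "wire"),
    # ACC-2: steady monthly wires, should not be flagged
    *[Txn("ACC-2", AS_OF - timedelta(days=30 * k + 1), 2000.0, "wire") for k in range(7)],
    # ACC-3: normal prior activity, then four cash deposits within five days
    Txn("ACC-3", AS_OF - timedelta(days=100), 10000.0, "wire"),
    Txn("ACC-3", AS_OF - timedelta(days=6), 4000.0, "cash"),
    Txn("ACC-3", AS_OF - timedelta(days=4), 4500.0, "cash"),
    Txn("ACC-3", AS_OF - timedelta(days=3), 4000.0, "cash"),
    Txn("ACC-3", AS_OF - timedelta(days=2), 3800.0, "cash"),
]

if __name__ == "__main__":
    for acct, reason in build_alerts(SAMPLE, AS_OF):
        print(f"{acct}: {reason}")
```

An alert from either rule is only a trigger for the review described in the cooperation section: it still needs the past/present/future questions (why was the account dormant, why was it reactivated, what are the intentions) before any suspicion is declared.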
7 – Payer Payee
Obligation introduced by the Regulation (EU) 2015/847 on information accompanying transfers of funds
This regulation repeals Regulation (EC) No 1781/2006, which was related to the information about the payer
only. Entry into force with the 4th AML directive (June 2017) aiming at enhancing the traceability of transfers
(fight against terrorism financing).
For every transfer, the payment service provider must provide the name of the payee and the payee’s
payment account number (in addition to the payer data).
The regulation sets out more detailed technical provisions regarding transfers of funds both within and outside the EU. Within the EU,
the transfer will have to be accompanied by at least the payment account number of both the payer and the
payee. Upon request by the service provider of the payee, the service provider of the payer will have to provide
further information for transfers of funds of more than EUR 1.000 (name, nationality and address of the payer).
8 – Case studies
2 persons come to your bank to open an account for each of them. One month later, each of them asks for a
loan to buy a car.
In order to provide some guarantee on these loans, they provide a copy of their payslip and employment contract.
The employer of both persons is a company based in Luxembourg.
As part of your due diligence controls, you cannot find any trace of the existence of such a company and cannot reach anyone
at the number and address provided for the employer.
You call back your new clients, who tell you that the company has just been created but is not yet registered
on the public trade register website.
However, during the next 3 months, the salary is still paid on a monthly basis into the clients’ accounts.
Question: What do you think about this situation and what do you do?
One of your clients has had an account with your bank for 3 years. The Customer Service department reports to you –
as Compliance Officer – that this client’s mail has been returned to the bank for 2 months, even though
there is still some activity on the account.
Looking at the client profile, the client is a married man with 3 children.
You receive an internal report from the head of the cash desk explaining that one of your clients, Mr. Zen (80 years
old), has had an account open in your bank for more than 20 years.
He came to the bank together with a young man, Mr. Joy, and they asked to withdraw € 50,000.
The cashier refused to hand over such an amount in cash because no valid explanation was provided. So Mr. Joy
requested to have those funds transferred to his personal bank account (an account held at the same bank but
opened 2 months before), and it was mentioned that Mr. Joy is indeed Mr. Zen’s grandson. The explanation given about the
purpose of the transfer is the purchase of a car.
He asked to keep this transaction secret and not to mention it to Mr. Joy’s stepmother. She is co-account
holder and only 1 signature is required.
The transfer is executed as requested. Mr. Joy also has an account open in your bank.
One week later, Mr. Joy comes back (alone) to the bank and asks to withdraw € 10,000 in cash and to prepare
the same cash amount to be withdrawn the following week.
Question: What do you do and/or recommend?
One of your clients receives monthly payments on his personal account coming from various
companies, which are not his employer.
The team in charge of transaction monitoring finds out that those companies are service providers in the same field
of activity as his employer.
Several private customers obtain consumer loans by using fake documents.
The monies are transferred to the accounts of jihadist family members.
The money is withdrawn in cash and shipped to Turkey via a transfer operator.
In Turkey, individuals mandated by the Islamic State are responsible for channelling the funds to the real
beneficiaries.
Prepaid cards are bought in a foreign country via the Internet to pay the various stakeholders.
Q&A
05/05/2021
1. Introduction
2. Clients Services
3. Market Organisation
4. Governance
5. Case Studies
⏷ MiFID I: Directive 2004/39/EC on markets in financial instruments. Luxembourg Law of 13 July 2007
⏷ MiFID II aims to reinforce the rules on securities markets in various areas notably by:
• ensuring that organised trading takes place on regulated platforms
• introducing rules on algorithmic and high frequency trading
• improving the transparency and oversight of financial markets
• enhancing investor protection and improving conduct of business rules as well as conditions for competition in the
trading and clearing of financial instruments
• introducing a harmonised commodity position limits regime
• strengthening the protection of investors by introducing requirements on the organisation and conduct of actors in
these markets
Objective of MiFID II is to make European financial markets more transparent and to strengthen the investor
protection (weaknesses revealed by the 2008 financial crisis)
MiFID II
⏷ 2 texts, 220 pages (level 1): a Directive and a Regulation
⏷ 5500+ pages when considering ESMA publications…
Key topics: Responsibility of Management, Inducements, Product Approval, Suitability & Appropriateness, Best Execution, etc.
MiFIR
• Adoption of a new regulation, known as "MiFIR"
‒ new regulation, focused on all matters where harmonization is critical, i.e. market organization and
transparency: rather technical, will be complemented by RTS*
‒ part of a wider “rule book” with other regulations
‒ also includes aspects of supervision
‒ direct effect without any need for local implementation
Governance (simplified view)
• Conflicts of interests
• Complaints handling
• Business continuity
• Compliance, Internal Audit, Risk Management
• Senior Management
• Personal transactions
• Organization / Procedures
• Outsourcing
• Records keeping
[Figure: client categories ordered by level of protection, with opt-in/opt-out between categories]
Eligible counterparty
• More information to provide (e.g. financial instruments and risks, execution venues, costs and charges etc.) (new)
• New reporting obligation (mutual agreement) (new)
No major change
Client profiling is based on the following criteria
• Knowledge and Experience
• Financial Situation
• Investment Objectives
• Risk tolerance / appetite (new)
Responsibility of the financial institution only
• Reassessment on an annual basis (at least)
Client signature required
[Table: which criteria (Knowledge and Experience, Financial Situation, Objectives, Risk Tolerance) are to be assessed * for each client category (Retail client, Professional, Professional on request (Elective professional)); cell values not recoverable from the extraction]
General principles
3 main provisions
Information about advisory
• Before advice : nature, type of service (independent versus non-independent + broad/more restricted analysis + periodic
assessment of the suitability
Information about instruments (slide 18)
• To clients or potential clients - before the provision of investment services or ancillary services - general description of
the nature and risks of financial instruments - client’s categorisation (retail client, professional client or ECP).
• To explain the nature of the specific type of instrument, its functioning and performance in different market conditions
(positive and negative conditions)
Information about costs
• All costs and charges + aggregated + regular basis (at least annual basis)
• Ex-ante : calculated figures / comprehensive form-standardized format
• Ex-post : personalized / annually and aggregated (in EUR and %), incl. inducements
• Prof + ECP: possibility to agree on a limited application
As the client is no longer “master” of the investment decisions, rules are similar as for independent advice (ensure that
management is done solely in the investors’ interests):
• No retrocessions, or pass all to client (beware of management)
• Transparent strategies and asset allocations (to be known by clients before agreement)
Specify the scope and nature of such guarantee or capital protection. When the guarantee is provided by a third party, the information about
the guarantee shall include sufficient detail about the guarantor and the guarantee to enable the retail client or potential retail client
to make a fair assessment of the guarantee.
Ex-ante
• Since ESMA updated its Q&A in March 2019: specific to client situation (ISIN, amount)
• Trade-by-trade simulation for execution only and advisory transactions
• Pre-contractual simulation before entering into advisory agreement or discretionary management, based on amount
to be invested, strategy, currency, etc. Simulation may be based on past costs & charges for similar portfolios
• With illustration or explanation of impact of costs on return
Ex-post
• Actual costs incurred
• At least annually
[Figure: execution only – exemption (no test) versus appropriateness test (for retail clients)]
Where bundled package of services or products, the overall bundled package must be suitable
o Advisory services
Frequency : at least quarterly (more frequent on request)
At least annually ex-post cost sheet with an overview of all costs incurred by the client
Pre-trade suitability report for each piece of advice provided
Pre-trade costs and charges simulation for each transaction
Execution report after each transaction (contract notes)
o Leveraged financial instruments
Loss : where the value of a position depreciates by 10% and at multiple of 10% (within 24 hours and immediately when
investments in derivatives)
Possible to agree with the client to calculate at portfolio level (i.e. if hedge on equities)
Investment advice means the provision of personal recommendations to a client, either upon its request or at the initiative
of the investment firm, in respect of one or more transactions relating to financial instruments (Article 4(1)(4) MiFID II).
Provision of a general recommendation about a transaction in a financial instrument or a type of financial instrument
constitutes the provision of an ancillary service and its protections apply to the provision of that recommendation.
A recommendation is not a personal recommendation if it is issued exclusively through distribution channels or to the
public.
Independent Financial Adviser needs to:
• explain to clients clearly and concisely, how the service fulfils the independence criteria,
• provide details of the factors taken into consideration when making the recommendation, including:
the number and variety of products composing the universe of investable products
the quantity of “in-house” products
the selection process (risk-weighting, complexity)
the independence requirements
The same Financial Institution can provide both (independent and non-independent advice) only if:
an appropriate structure is in place (an advisor as a natural person cannot be both / segregation of access - Chinese walls)
the client understands where he stands
Information on Advisory (before provision of service)
• Nature and type of advisory (independent / non-independent)
• Degree of open architecture, products picking approach, types and range of instruments considered…
• Provision of a periodic assessment of the suitability, or not
ESMA: Q&As on MiFID II and MiFIR investor protection and intermediaries topics
Definition
Commissions or non-monetary benefits paid to or received from third parties in relation to an investment service to a client,
and which are not seen as « proper » or « standard » fees (i.e. necessary for the delivery of the service)
Non monetary benefits
• No list defined by the EU yet
• Information or documentation relating to a financial instrument or an investment service (generic in nature or
personalized to reflect the circumstances of an individual client)
• Written material from a third party that is commissioned and paid for by a corporate issuer or potential issuer to promote
a new issuance by the company
• Participation in conferences, seminars and other training events on the benefits and features of a specific financial
instrument or an investment service
• Hospitality of a reasonable de minimis value (e.g. food and drink during a business meeting or a conference, seminar or
other events)
to be clearly disclosed before providing services to clients
General principles
Banned where the client’s interests are compromised
Prohibited by nature (if received, must be fully returned to the client):
• When providing independent advice
• When providing portfolio management
• When providing investment research (if not paid from the bank’s own account or from a separate research account)
Tolerated cases (non-independent advisory, execution / RTO, business introducers), subject to cumulative conditions:
• If designed to enhance the quality of the service to clients
• If it does not impair the obligation to act in the best interest of the client
• If disclosed to the client prior to the provision of the service
• If the amounts are reported on an annual basis
Transparency requirements
Art. 71 of the MiFID II Delegated Regulation allows for professional clients to be re-categorised as ECP only where they fall within one
of the following categories:
• Entities which are required to be authorised or regulated to operate in the financial markets,
• National and regional governments, Central Banks, and other international and supranational institutions (e.g. the World Bank).
This expressly excludes elective professional clients from requesting re-categorisation as ECP
• The firm must provide the client with a clear written warning of the consequences of the re-categorisation, including the protections
they may lose.
• The client must respond in writing to confirm his request (whether it is a general request, or only in respect of one or more
investment services or transactions) and his understanding of the consequences.
Provide a more detailed and more practically focused execution policy summary to clients, explaining clearly how
orders will be executed by the firm and how the selection is done:
List the factors used to select an execution venue for execution and the entity used for transmission or placing
orders and their relative importance (and consistency with monitoring approach).
How venue selection occurs, specific execution strategies used, the process used to analyze the execution quality,
how the firm monitors the achievement of the best possible result
List the venues / entities used for execution/transmission/placing clients orders in the policy, specifying which
venues / entities are used for each class of financial instrument
Clear, meaningful, to effectively understand how and where orders are executed
Distinguish between types of clients, instruments, orders
Explaining special situations (e.g. use of internal matching systems, a single venue, execution outside Regulated
Market/MTF/OTF)
Provide a more detailed and more practically focused execution policy summary to clients, explaining clearly how
orders will be executed by the firm and how the selection is done (continued):
Retail clients:
Summary of the policy focused on the total costs client will face
Information about any payment or benefits received from any party in the chain, without a breach of the inducement
rule (may also be disclosed in another document)
Check the fairness of the price proposed to clients by gathering market data used for the price estimation/calculation and
by comparing with comparable products (when possible)
If executing party: need express consent (no change, like in MiFID I) before proceeding and in the form of general
agreement or in respect of individual transaction
If RTO: need to explain in the policy the main execution principles used by the other entities and provide appropriate
information about these entities upon client request
Clearly stated in the policy, with additional information on the risk of this execution route and the counterparty risk (seen
as “new” since bilateral). On request, more information on the consequences in terms of counterparty risk
More details required in the Best Execution policy reflecting Client Order Handling arrangements, e.g. handling of limit
orders (standard, large size, which venue, what-if scenarios, etc.)
Use of a single execution venue: must show how it satisfies the Best Execution requirements, and the results must be at least
as good as with other entities => based on data and internal analysis
Monitoring
To monitor the effectiveness of the execution arrangements, to assess on a regular basis whether the execution venues
still qualify to provide the best possible results, to inform the existing clients of material changes
To be able to demonstrate the compliance with the execution policy
To review the policy at least annually and in case of material change,
To organize the review on the same aspects as laid out in the policy
Additional disclosures
Make public on an annual basis, for each class of instrument:
the top 5 venues in terms of trading volumes where they have executed clients orders during the previous year
with information on the execution quality obtained for each one
1. Introduction
2. Clients Services
3. Market Organisation
4. Governance
5. Case Studies
Definition:
Systematic internalisers (SIs) are investment firms which, on an organised, frequent, systematic and substantial basis, deal on
own account by executing client orders outside a regulated market, MTF or OTF without operating a multilateral system.
SI in MiFID II is a counterparty, not a trading venue: TV are facilities in which multiple third-party buying and selling interests
interact in the system. A SI operates a bilateral system and is not allowed to bring together third party buying and selling
interests in functionally the same way as TV.
Execution of client orders is a constituent element of the systematic internaliser’s definition.
SI as a risk-taking market actor is characterised by risk-facing transactions (impact the Profit & Loss account). By undertaking
such risk-facing transactions, SIs are a valuable source of liquidity to market participants.
Asset classes within the scope of the SI regime:
• equity-like instruments (depositary receipts, ETFs, certificates and other similar financial instruments), and
• non-equity instruments (derivatives, bonds, structured finance products and emission allowances).
Quantitative criteria
Specific rules for calculating systematic internaliser thresholds:
• Transactions that are not contributing to the price formation process and/or are not reportable
• Primary market transactions, creation and redemption of ETFs (not included in the calculation)
• Off order book trades that are reported to a regulated market, MTF or OTF under its rules (do not count)
• Calculations granularity
• Calculations' level for structured finance products (SFPs)
Limits to fall into the systematic internaliser category
The Investment Firm may easily cross the thresholds in the case of illiquid products;
in practice, the Investment Firm does not necessarily choose to be an SI
Notification
• Person providing direct electronic access must notify its NCA (where applicable, notify its trading venue).
• To promptly inform the NCA of any material breaches of its physical and electronic security measures. To provide an incident
report to the NCA.
Scope
• Use of trading member’s trading code to transmit orders directly to the trading venue
• Direct Market Access (i.e. use of trading venue member’s infrastructure)
Requirements
• Suitability of clients must be assessed (intended trading strategies of clients)
• Trading to be monitored
• Clients must not exceed trading and credit thresholds
• Ensure clients comply with MiFID and the trading venue’s rules
o MiFID II introduces the concept of algorithmic trading and, as a subset of that, high-frequency algorithmic trading (article
4(1)(39) of MiFID II).
o All high-frequency algorithmic trading investment firms must be authorised as investment firms.
o Definition: Algorithmic trading means trading in financial instruments where a computer algorithm automatically determines
individual parameters of orders such as whether to initiate the order, the timing, price or quantity of the order or how to
manage the order after its submission.
o It does not include any system that is only used for the purpose of routing orders to one or more trading venues or for the
processing of orders involving no determination of any trading parameters or for the confirmation of orders or the post-
trade processing of executed transactions.
o AT should refer not only to the automatic generation of orders but also to the optimisation of the order-execution process by
automated means.
o AT includes smart order routers where such devices use algorithms to optimise order-execution processes (parameters
of the order).
o AT does not cover automated order routers where, although using algorithms, such devices only determine the trading venue.
o High-frequency AT is a trading technique, being a form of AT where the trading system analyses the data from the market at
high speed and sends or updates a large number of orders within a short time frame.
• Infrastructure intended to minimise network
• System-determination of order initiation, generation, routing or execution without human intervention
• High intraday message rates which constitute orders, quotes or cancellations.
• A high-frequency AT trader needs to be an authorised investment firm.
o Algorithmic trading policy with approval process and assigned owners (3LOD model).
o Systems and controls requirements
• To have in place effective and resilient systems and appropriate risk controls.
• To ensure that these systems are tested and to have in place business continuity arrangements.
• To set appropriate order limits to prevent erroneous orders and orders that could create a disorderly market.
• To have controls which automatically cancel (kill-switch procedure) any orders not permitted to exceed the firm risk
thresholds.
• To develop and test methodologies, algorithms, systems and strategies (separate testing environment).
• Pre-defined limits on algorithms (number of financial instruments traded, price, quantity, trading strategies, number of
trading venues).
• Any material change to be approved by the Senior Management’s designated person.
• To monitor trading activity and detect market manipulation.
• Pre-trade controls, real time alerts, post trade controls.
• Arrangements for physical and IT security (segregation of access and duties, reporting lines).
o To notify its NCA.
o Record keeping (to be provided to NCA on request)
Clear definition of reported transactions and fields (RTS 22 Annex 1 – Com. Del. Reg. 2017/590), with common European
standards and format (i.e. XML template in accordance with the ISO 20022 methodology)
Information going further than just trade-related data: it includes, e.g., the identification of any applicable waiver, of a short sale,
of a risk effect for commodity derivatives, the identification of the clients and the trader / the person responsible for the execution
of the client order, the computer algorithm responsible for the decision, etc.
Obligation for RTO (all entities in the chain) to pass on the complete information when sending an order to another firm or to
report themselves after execution (issue: client confidentiality, data protection, professional secrecy)
SUPERVISION
• Additional power to NCA, e.g. require information about the size and purpose of a position or an exposure entered into via a
derivative, and any assets or liabilities in the underlying market
• Clearly provides a minimum set of remedies in case of issues, like requirement of the cessation of any practice, freezing or
sequestration of assets, suspension or removal of/from trading, etc.
• Power to ESMA or NCA or EBA to temporarily prohibit or restrict (incl. on a precautionary basis):
• The marketing, distribution or sale of particular financial instruments or types of instruments
• A type of financial activity or practice (ex: binary options for retail clients)
SANCTIONS
Member States to decide on sanctions, following EU guiding principles:
• Public statement, indicating the person / entity and the nature of the breach
• Order to cease the conduct
• Withdrawal or suspension of the authorisation (incl. for reporting entities)
• Temporary or permanent ban against persons in the management body
• Temporary ban of a F.I. as member of a market venue
• Legal person: pecuniary sanctions of up to 10% of annual turnover
• Physical person: up to EUR 5 M, or up to twice the amount of the benefit derived from the breach
• Sanctions and measures applied should be published (with related details, e.g. type, persons, etc.)
• Appropriate mechanisms to encourage reporting of breaches within investment firms
1. Introduction
2. Clients Services
3. Market Organisation
4. Governance
5. Case Studies
Strengthen the governance of entities, with more scrutiny on the role, functioning and
composition of the management body (Board of Directors)
Senior Management
. Convergence with the principles set out for CRD IV (EC 2013/36 – art.88 and 91)
. New concept: governing body of an IF, a market operator or a data services provider, which sets out
the strategy and implements the appropriate governance, and which includes persons who direct the
business
. Strong emphasis on Market operators, with specific obligations
Role
. Ensure that the IF/Operator is managed in a sound and prudent way, for the entity, the clients and
the integrity of the markets
. Define, approve and oversee the strategy, the internal organisation, a remuneration policy for sales
staff, the services, activities, products and operations offered to clients, in accordance with the risk
tolerance of the firm and the nature of clients
. Monitor and assess periodically the effectiveness of all policies
Source: EY analysis
Product Governance / Distribution Strategy:
. Type of clients (investment services)
. Characteristics of Investment Product
. Type of investment services provided
More details on the disclosure of potential conflicts to clients (also for non-retail clients)
In a durable medium
Before the provision of service
With a specific description of the conflict, incl. enough detail for the client to take an informed decision
(nature, source of conflict, risks, mitigation measures)
Clearly stating that the current arrangements have not been sufficient to prevent the risk
1. Introduction
2. Clients Services
3. Market Organisation
4. Governance
5. Case Studies
A grandmother (80 years) and her grandson (25 years) request to open an account together.
When establishing their risk profile, the outcome for the grandmother is “conservative” and that of
the grandson is “aggressive”.
They want to have an advisory mandate, where they can both take investment decisions.
The grandmother wants to help her grandson with his “financial education”.
The grandson wants to be very active and therefore suggests opting for an aggressive strategy.
An existing client of your bank - a very busy real estate developer - has an account on which he
normally receives advice.
He has a “medium” strategy and always has a “buy and hold” approach.
He recently added his sister as a proxy on the account.
She holds a degree in economics and works for an insurance company.
She wants to be more active on the account and starts passing at least 2 orders on a weekly basis.
Furthermore, she plans to invest part of the portfolio in options and in commodities, as she wants
to boost its performance.
You work for the Green Frog bank, a subsidiary of the Green Frog Group. The group is listed on the
Euronext stock exchange.
Your client is interested in reinvesting dividends recently paid on his account, in shares.
There is a market consensus between analysts that the Green Frog Group has interesting
perspectives and will probably have a dividend yield well above market average.
Your client, with a moderate risk profile, has about 5% of cash available on his account.
While preparing his next visit, you observe that according to his current asset allocation, this cash can
be invested in shares.
Based on the research done by your credit institution, you recommend investing in a new
European telecom company, which has a very strong potential.
The client is very enthusiastic and wants to sell his money market funds, which represent 20% of his
portfolio, in order to invest a total of 25% in these shares.
Your client has given an order to sell his position in shares 123.
Immediately after entering the sell order in the system, your dealing room calls you to warn you
that the order represents 60% of the average daily volume.
Questions?
Through this section about Market integrity, you should be able to:
understand what market integrity means and why it is important to pursue it
explain what Market Abuse is about and to detail & identify the constitutive elements of it
make the difference between insider dealing/trading and market manipulation
find your way through the regulatory framework
analyze practical cases, identify the risks and the measures that should be taken to mitigate them
organize and increase awareness & monitoring among your colleagues
know how to react to and report suspicious orders and transactions
understand the main obligations under the EMIR rules
Market abuse is a circumstance where financial investors are disadvantaged, directly or indirectly, by others who:
use information which is not publicly available or
disseminate false or misleading information or
try to distort the price-setting mechanism of financial instruments
Market abuse is any unlawful behaviour in the financial markets. Therefore, Authorities prohibit the following types of
misconduct:
insider dealing/trading
market manipulation
Nowadays, most economists believe that market abuse
• hampers the integrity of the markets
• increases the cost of capital
• is detrimental to the general economic growth
Although the fight against market abuse is rather recent, it is perceived as illicit behaviour against market
transparency; it is now strictly regulated, with legal obligations and sanctions in place that have become much stricter
This unfair practice is now considered a criminal offence in almost all countries
MAD :
stands for Market Abuse Directive 2003/06/EC, adopted together with the related directives 2003/125/EC
(investment recommendations) and 2004/72/EC (accepted market practices)
introduced and implemented dissuasive measures and sanctions to fight insider dealing, unlawful disclosure of
inside information and market manipulation
transposed into Luxembourg law on 9 May 2006 (giving increased powers to CSSF)
Repealed by the Market Abuse Regulation 596/2014.
MAD II = MAR + CSMAD
MAR: the Market Abuse Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16
April 2014 on market abuse became applicable as from July 2016.
CSMAD: the Criminal Sanctions Market Abuse Directive 2014/57/EU of the European Parliament and of the
Council of 16 April 2014 on criminal sanctions for market abuse (market abuse directive). It repeals Directive
2003/06/EC and related ones.
In addition, on March 23rd 2018, ESMA (European Securities and Markets Authority) updated its Questions and
Answers on the common operation of MAR. ESMA also issues Regulatory Technical Standards, Implementing Technical
Standards, Technical Advice, Guidelines and Questions & Answers
Key changes introduced by Market Abuse Law
The CSSF is granted comprehensive investigation and supervisory power;
Cooperation of the CSSF with the ESMA and other competent authorities;
CSSF can impose administrative measures and has sanctioning powers (such as temporary ban of a person discharging
managerial responsibilities, administrative fines…);
Procedure for reporting infringements: guidelines are provided; supervised entities should have a framework in place similar
to AML reporting for suspicious orders and transactions;
Publication of decisions by the CSSF (“name and blame”);
Criminal sanctions for committing or recommending or inducing another person to commit insider dealing, unlawful
disclosure of inside information and market manipulation:
• Natural persons: imprisonment 8 days – 4 years / fines € 251- € 5 mln
• Legal entities: fines from € 500 up to € 15 mln
Technical Standards
MAR empowers ESMA to develop regulatory technical standards (RTS) and implementing technical standards (ITS). ESMA
delivered a first set of technical standards on 28 September 2015, on the following items:
ESMA received 2 mandates from the European Commission to assist on the content of the delegated acts required
by some provisions of the MAR.
The 1st mandate was about further specifications related to the
indicators of market manipulation;
minimum threshold of CO2 equivalent and a minimum threshold of rated thermal input for the purposes of exemption, re: the
public disclosure of inside information;
Competent authority for the notification of delays in the public disclosure of inside information; and
characteristics of a manager’s transaction which trigger the notification duty, and specification of the circumstances under
which trading during a closed period may be permitted by the issuer.
The 2nd mandate refers to the specification of actual or potential infringements of MAR.
ESMA Guidelines
ESMA issues guidelines on:
inside information for commodity derivatives markets or spot markets;
the factors for persons receiving market soundings to assess
1. whether the information amounts to inside information,
2. the steps to take if inside information has been disclosed to them in order to comply with MAR provisions on inside
information and
3. the records to maintain in order to demonstrate such compliance; and
delays in the disclosure of inside information.
The ESMA issues in addition the document “Questions & Answers” on the Market Abuse Regulation;
The purpose of this document is to promote common supervisory approaches and practices in the application of MAR and its
implementing measures. It does this by providing responses to questions posed by the general public and competent
authorities in relation to the practical application of the MAR framework;
The document is consequently regularly updated (latest version as of 2020: March 29th 2019).
Some behaviours are forbidden: insider dealing, unlawful disclosure of inside information, market manipulation
Some specific obligations apply:
• To issuers of listed financial instruments
• To their management, board members and relatives
• To persons issuing public recommendations (market analysts)
• To financial institutions (Banks, Financial Service Providers, UCITS…)
General obligations related to the organisation
• set up a specific internal function (in charge of STOR)
• train all staff involved, including information on risks & sanctions
• ensure monitoring framework of transactions, orders & behaviours
Principles
Obligation of general vigilance by the staff involved: staff awareness;
Use of tools for detecting market abuse suspicions (monitoring systems)
In case of suspicious behaviour, orders or transaction, a due investigation is required
After analysis, the financial professional (PFS) evaluates the case and, where warranted, decides to declare the suspicion
Reporting of a suspicious behaviour, order or transaction is done towards the CSSF and the FIU
The “no tipping off” obligation applies
Keep records
Insider dealing
• carrying out transactions on financial instruments (directly or indirectly e.g. power of attorney, inducing another person…);
• listed on a regulated market (stock exchange) or MTF, OTF or linked thereto;
• using inside/privileged information (even if the transaction takes place outside of a regulated market);
• unlawful disclosure or misuse of inside information.
e.g. a person has information on a take-over bid, on a claim, on doubtful debts…
that is not yet available to the public and
uses it, although he knows/should have known it was inside information
Inside (‘privileged’) information is information fulfilling 4 criteria :
• not (yet) been made public
• relating to one or several issuers of financial instruments or one or several financial instruments
• precise
• likely to have a significant impact on market price of financial instruments or related financial instruments, if it were made
public.
Prompt and fair disclosure of information to the public enhances market integrity, whereas selective disclosure by issuers can
lead to a loss of investor confidence in the integrity of financial markets
• If all investors receive same information at same time, no insider dealing possible;
• The release is to be coordinated (employees, investors, web-site, mailings, press agencies…);
• Press releases are usually issued when the (main) markets are closed.
Insiders need to refrain from using the information and need to act transparently
N.B. There are two types of “insiders”:
Primary insiders
• Those who receive inside information further to their status, mandate or profession
• E.g. shareholders, management, employees & external contributors in the course of their professional activities (external
auditors, lawyers, advisors…), perpetrators of criminal activities
Secondary insiders
• All others who obtain information from primary insiders that they know or should have known to be inside information
It is forbidden to use inside information to:
• sell or purchase for own account or for the account of somebody else, directly or indirectly, e.g. by buying the securities in
order to realise a gain or selling them in order to minimise a loss
• communicate / disclose inside information to a non-authorised party (unless necessary in a normal professional context)
• recommend a third party to buy or sell a financial instrument on the basis of inside information (that you don’t disclose)
Related to an issuer
• Bad/good news about financial results to be disclosed soon;
• Capital increase/decrease;
• Information about a merger or an acquisition;
• Sale/purchase of shares after (non public) board discussions on dividends to be distributed;
• Information on a significant litigation;
• Information that conception errors of a product might be the cause of significant client claims;
• Bad loans, insolvency of a major client/supplier;
• …
Related to a financial instrument:
• Claims or litigation
• Alleged weaknesses in the prospectus, the listing or other formal or documentary aspects
• ...
Behaviours raising questions
• Sudden change in client's behaviour (e.g. client never invested in shares and suddenly wants to buy a specific security at
own initiative and for a significant amount);
• A client who wants to pass a purchase order as quickly as possible without questioning the price, and agrees to take a loss by
selling another position;
• A client who passes an order and calls several times to make sure it has been executed timely, giving the impression of being
nervous;
• A client known as being an insider, who passes an order just before the publication of her/his company's results or a relevant
corporate change;
• A client admitting she/he knows important information that is not yet public
=> an analysis might be required
Create and keep updated a list of insiders within an issuer (permanent insiders’ list within issuers and/or, when applicable, a
temporary/occasional insiders’ list).
Train employees and implement procedures, enhance awareness
Flag sensitive securities
Flag clients & employees who are at risk and need closer monitoring of their transactions, further to their sensitive positions or
environment (including secondary insiders)
Monitor transactions & implement a detection programme (clients + employees)
Introduce trading windows for sensitive staff
Organise & implement “Chinese walls”
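As an added illustration of the monitoring described above (not part of the deck), the following Python screens a batch of constructed client orders against three of the indicators listed: a flagged sensitive security, a flagged insider client ordering in the run-up to a scheduled results publication, and a sudden change in behaviour (a new asset class for a significant amount). All ISINs, dates, thresholds and client profiles are constructed assumptions; triggered orders are routed to internal analysis by Compliance, which is the step the deck places before any report to the CSSF.

```python
"""Rule-based screening of client orders against market-abuse indicators.
Constructed example; reference data, ISINs and thresholds are assumptions,
not values taken from the deck or from any regulator."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Order:
    order_id: str
    client_id: str
    isin: str
    side: str            # "BUY" or "SELL"
    amount_eur: float
    trade_date: date


@dataclass(frozen=True)
class ClientProfile:
    client_id: str
    flagged_insider: bool           # on the firm's flagged-clients list
    insider_of: frozenset           # ISINs of issuers the client is an insider of
    usual_asset_classes: frozenset  # asset classes seen in the client's history
    avg_order_eur: float            # client's historical average order size


# --- constructed reference data (assumptions, placeholder ISINs) -------------
SENSITIVE_ISINS = {"XX0000000001"}                       # flagged securities list
RESULTS_CALENDAR = {"XX0000000001": date(2021, 5, 12)}   # scheduled publication
ASSET_CLASS = {"XX0000000001": "EQUITY", "XX0000000002": "EQUITY",
               "XX0000000003": "BOND"}
PRE_PUBLICATION_DAYS = 30   # assumed look-back window before a publication
SIGNIFICANT_MULTIPLE = 5.0  # assumed: order >= 5x the client's average size


def screen_order(order: Order, profile: ClientProfile) -> list:
    """Return the indicators an order triggers (empty list = nothing to review)."""
    reasons = []
    # Indicator 1: the instrument is on the flagged sensitive-securities list.
    if order.isin in SENSITIVE_ISINS:
        reasons.append("sensitive security")
    # Indicator 2: a flagged insider of this issuer orders shortly before results.
    pub_date = RESULTS_CALENDAR.get(order.isin)
    if (pub_date is not None and profile.flagged_insider
            and order.isin in profile.insider_of
            and 0 <= (pub_date - order.trade_date).days <= PRE_PUBLICATION_DAYS):
        reasons.append("flagged insider ordering ahead of results publication")
    # Indicator 3: new asset class for the client, for a significant amount.
    asset_class = ASSET_CLASS.get(order.isin, "UNKNOWN")
    if (asset_class not in profile.usual_asset_classes
            and order.amount_eur >= SIGNIFICANT_MULTIPLE * profile.avg_order_eur):
        reasons.append("sudden change in behaviour: new asset class, significant amount")
    return reasons


def screen_orders(orders, profiles) -> dict:
    """Screen a batch; returns {order_id: reasons} for orders needing internal review."""
    alerts = {}
    for order in orders:
        reasons = screen_order(order, profiles[order.client_id])
        if reasons:
            alerts[order.order_id] = reasons
    return alerts


# --- constructed sample data --------------------------------------------------
PROFILES = {
    "C1": ClientProfile("C1", False, frozenset(), frozenset({"EQUITY", "BOND"}), 10_000.0),
    "C2": ClientProfile("C2", True, frozenset({"XX0000000001"}), frozenset({"EQUITY"}), 20_000.0),
    "C3": ClientProfile("C3", False, frozenset(), frozenset({"BOND"}), 5_000.0),
}
ORDERS = [
    Order("O1", "C1", "XX0000000002", "BUY", 12_000.0, date(2021, 5, 3)),   # routine
    Order("O2", "C1", "XX0000000001", "BUY", 8_000.0, date(2021, 5, 3)),    # sensitive ISIN
    Order("O3", "C2", "XX0000000001", "SELL", 25_000.0, date(2021, 5, 4)),  # insider, 8 days before results
    Order("O4", "C3", "XX0000000002", "BUY", 40_000.0, date(2021, 5, 5)),   # bond-only client, 8x average, equities
]

if __name__ == "__main__":
    for oid, why in screen_orders(ORDERS, PROFILES).items():
        print(oid, "-> internal report to Compliance:", "; ".join(why))
```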
Obligation related to the organisation
• Inform Compliance about mandates / relations with listed companies
• Know & respect the personal transactions notification procedure and applicable restrictions
Specific obligations when you are Board Member within a listed group of companies:
• Know & respect the dealing code (especially blocking periods, windows)
• Notify your transactions to authorities (and to the listed company)
• Confidentiality
In any case it is forbidden to
• Disclose or use inside information, unless in well defined situations
• Buy or sell when influenced by inside information
Market soundings are interactions between a seller of financial instruments (DMP = Disclosing Market
Participants) and one or more potential investors (MSP = Market Sounding Participants), prior to the
announcement of a transaction, in order to gauge the interest of potential investors in a possible transaction
and its pricing, size and structuring;
Prior to and during any market sounding, the DMP shall specifically consider whether the market sounding will
involve the disclosure of inside information and document its conclusions for purposes of regulatory inspection;
ESMA has provided further guidance on technical standards for the corresponding arrangements, systems and
procedures (Commission Delegated Regulation (EU) 2016/960);
In addition, CSSF Circular 17/648 implements ESMA guidelines on the factors, steps and records that persons
receiving market soundings must consider and implement.
Knowingly trying to
• mislead other investors and/or the markets
• influence the price or volume of a financial instrument
by carrying out transactions, giving instructions, or by giving out false or misleading information on (an issuer of) a financial
instrument,
aiming at giving, or likely to give, false or misleading indications regarding the supply, demand or price, characteristics or
weaknesses of a financial instrument,
which modify, through the action of one or several individuals acting in a concerted manner, the price of one or several
financial instruments to an abnormal or artificial level,
unless there are legitimate reasons to do so or such practice is commonly accepted by the regulated market (ESMA
publishes AMP: Accepted Market Practices)
Possible indications of a market manipulation
Persons professionally arranging or executing transactions must have systems in place to detect and report suspicious
transactions and orders (i.e. market abuse and attempted market abuse)
Where?
In the reception and transmission of orders
In the execution of transactions in financial instruments
What?
Arrangements, systems and procedures able to detect suspicious transactions and orders ("each and every order,
including quotes")
Appropriate and proportionate to the "scale, size and nature of business activity"
Automated systems + "human factor" (ongoing vigilance by staff)
Based on internal, own information and on public disclosure of other trades
Group context: delegation possible
Training of staff
N.B. Sanctions apply in case of non-compliance
Any doubt of market abuse is to be reported internally, without delay, to the person/body responsible within the
institution (in principle someone within the Compliance Department, e.g. the Compliance Officer or MLRO)
If, after internal analysis, the doubt becomes a suspicion, it is to be reported to the CSSF (Luxembourg)
Market abuse being a predicate offence of money laundering, the report MUST also be sent to the local FIU
Be careful: the "NO TIPPING OFF principle" applies in this field as well!
Enhance awareness on a regular basis
Companies issuing listed financial instruments (including bonds) need a specific "Dealing Code" (defining blocking periods,
stop list, trading windows...)
Specific rules of conduct for the exposed employees (may refer to external model codes, such as the ACI Model Code, the
International Code of Conduct of the Financial Markets Association, freely available, or the FX Global Code)
Depending on the activities of the financial professional (PFS), manual monitoring or monitoring via automated tools: queries
on securities, on insiders, on behaviours, on abnormal (market) prices or price evolutions, on volumes...
• For each employee: does his/her activity expose him/her to inside information and/or market manipulation?
Keep in mind that directors of listed companies need to disclose any sale/purchase of the securities issued by the company
(information available on the authorities' website)
For market desk, order desk and dealing room teams, you might refer to the ACI Model Code (the International Code of
Conduct of the Financial Markets Association) or to the FX Global Code.
The Model Code (freely available through www.acifma.com) includes guidelines and best practices which span the whole of
the Fixed Income, Currency and Commodity markets. It is used by many institutions. It covers a broad range of conduct
issues, from the detailed processes of the back office right through to the functions of the electronic platforms used by
the front office.
The FX Global Code is a set of global principles of good practice in the foreign exchange market. It contains 55 principles
that provide a common set of guidelines to promote the integrity and effective functioning of the wholesale foreign
exchange market.
Market Abuse - monitoring (1/2): figure showing a surveillance architecture in which client and proprietary trading data and
stock exchange market events feed a scenario-based rule engine and database; trade behaviour analysis and alerts are
presented in a dashboard. Example scenarios: spoofing (market manipulation) and front running.
Market Abuse - monitoring (2/2):
Front running
Placing an order or executing a transaction before a significant order is placed or a large transaction is executed in the
market, in order to profit from the price move the larger order is expected to cause.
Marking the close
Transactions in a financial instrument executed in a specific time period prior to the close of trading or a fixing at an
execution venue, in order to influence the closing or fixing price. Either many small transactions or high-volume transactions
are executed, depending on the market conditions.
Price driver
Activities that aim at influencing the market price of an instrument during a trading day, e.g. placement of orders with
price limits that deviate significantly from the current market price.
Wash trades
Wash trades are transactions that do not result in any change of the economic (beneficial) owner, i.e. the buyer and the
seller are the same individual (directly or as beneficial owner) or legal entity (or companies that belong to the same
corporate group).
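The patterns above are what a surveillance rule engine has to turn into concrete checks on executed trades. The Python script below is an added illustration, not part of the original slides and not taken from any vendor's surveillance product: it runs three simple scenario rules (wash trades, front running, marking the close) over a constructed set of trade records. The Trade field names, the thresholds (60-second pairing window, 10,000-share "large" client order, 50% share of closing-window volume, 1% price move), the 17:30 close and the sample trades are all assumptions chosen for the example, not calibrated parameters.

```python
# Scenario rules for trade surveillance, run over constructed sample trades.
# Added example code; thresholds, field names and the 17:30 close are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

@dataclass(frozen=True)
class Trade:
    trade_id: str
    instrument: str
    ts: datetime
    side: str              # "BUY" or "SELL"
    qty: int
    price: float
    account: str
    beneficial_owner: str  # economic owner behind the account (assumed known from KYC)
    desk: str              # "CLIENT" (client order) or "PROP" (proprietary trading)

def _by_instrument(trades):
    """Group trades per instrument, each group sorted by execution time."""
    groups = defaultdict(list)
    for t in trades:
        groups[t.instrument].append(t)
    for group in groups.values():
        group.sort(key=lambda t: t.ts)
    return groups

def wash_trades(trades, window=timedelta(seconds=60)):
    """Opposite-side fills of equal size, close in time, with the same beneficial owner on both sides."""
    alerts = []
    for group in _by_instrument(trades).values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b.ts - a.ts > window:
                    break  # group is time-sorted: nothing later can be inside the window
                if (a.beneficial_owner == b.beneficial_owner
                        and a.side != b.side and a.qty == b.qty):
                    alerts.append(("WASH_TRADE", a.trade_id, b.trade_id))
    return alerts

def front_running(trades, large_qty=10_000, lookback=timedelta(seconds=60)):
    """Proprietary-desk trade on the same side shortly before a large client order."""
    alerts = []
    for group in _by_instrument(trades).values():
        for big in group:
            if big.desk != "CLIENT" or big.qty < large_qty:
                continue
            for prior in group:
                if prior.ts >= big.ts:
                    break
                if (prior.desk == "PROP" and prior.side == big.side
                        and big.ts - prior.ts <= lookback):
                    alerts.append(("FRONT_RUNNING", prior.trade_id, big.trade_id))
    return alerts

def marking_the_close(trades, close=time(17, 30), window=timedelta(minutes=5),
                      min_share=0.5, min_trades=3, min_move=0.01):
    """One account dominating one-sided volume in the closing window while the price moves.
    Assumes all trades belong to one trading session (the date of the first trade)."""
    alerts = []
    for instrument, group in _by_instrument(trades).items():
        close_dt = datetime.combine(group[0].ts.date(), close)
        start = close_dt - window
        in_window = [t for t in group if start <= t.ts < close_dt]
        before = [t for t in group if t.ts < start]
        if not in_window or not before:
            continue
        total_qty = sum(t.qty for t in in_window)
        reference, last = before[-1].price, in_window[-1].price
        move = (last - reference) / reference   # relative price move into the close
        per_account = defaultdict(list)
        for t in in_window:
            per_account[t.account].append(t)
        for account, own in per_account.items():
            share = sum(t.qty for t in own) / total_qty
            one_sided = len({t.side for t in own}) == 1
            if (len(own) >= min_trades and share >= min_share
                    and one_sided and abs(move) >= min_move):
                alerts.append(("MARKING_THE_CLOSE", account, instrument))
    return alerts

def run_surveillance(trades):
    """Run every scenario rule and return the combined alert list."""
    return wash_trades(trades) + front_running(trades) + marking_the_close(trades)

# Constructed sample session (not real market data): one front-running pair (T1/T2),
# one wash-trade pair (T3/T4), one account piling into the close (ACC-3), plus benign fills.
_D = datetime(2021, 5, 5)

def _at(hour, minute, second=0):
    return _D.replace(hour=hour, minute=minute, second=second)

SAMPLE_TRADES = [
    Trade("T1", "XYZ", _at(10, 0, 0), "BUY", 500, 10.00, "PROP-1", "BANK", "PROP"),
    Trade("T2", "XYZ", _at(10, 0, 20), "BUY", 50_000, 10.02, "CLI-7", "CLIENT-7", "CLIENT"),
    Trade("T3", "XYZ", _at(11, 15, 0), "SELL", 1_000, 10.05, "ACC-1", "OWNER-A", "CLIENT"),
    Trade("T4", "XYZ", _at(11, 15, 8), "BUY", 1_000, 10.05, "ACC-2", "OWNER-A", "CLIENT"),
    Trade("T5", "XYZ", _at(13, 0, 0), "BUY", 200, 10.10, "CLI-9", "CLIENT-9", "CLIENT"),
    Trade("T6", "XYZ", _at(17, 26, 0), "BUY", 100, 10.10, "ACC-3", "OWNER-C", "CLIENT"),
    Trade("T7", "XYZ", _at(17, 27, 0), "BUY", 100, 10.15, "ACC-3", "OWNER-C", "CLIENT"),
    Trade("T8", "XYZ", _at(17, 28, 0), "BUY", 100, 10.20, "ACC-3", "OWNER-C", "CLIENT"),
    Trade("T9", "XYZ", _at(17, 29, 0), "BUY", 100, 10.30, "ACC-3", "OWNER-C", "CLIENT"),
    Trade("T10", "XYZ", _at(17, 28, 30), "SELL", 50, 10.20, "CLI-9", "CLIENT-9", "CLIENT"),
]

if __name__ == "__main__":
    for alert in run_surveillance(SAMPLE_TRADES):
        print(alert)
```

Each rule returns alert tuples instead of printing, so the same functions can feed a case-management queue for the Compliance Officer's review. In a real deployment the thresholds would be set per instrument and per liquidity profile, and the rules would consume order and quote data as well as executed trades, since the obligation covers "each and every order, including quotes".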
Natural persons: fines and imprisonment
Offences referred to in (CSMAD, Directive 2014/57/EU)
Article 3 (insider dealing, recommending or inducing another person to engage in insider dealing) and Article 5 (market
manipulation) are punishable by a maximum term of imprisonment of at least 4 years
Article 4 (unlawful disclosure of inside information) is punishable by a maximum term of imprisonment of at least 2 years
Legal entities (corporate bodies)
Fines (criminal and non-criminal) + other sanctions such as:
exclusion from entitlement to public benefits or aid;
temporary or permanent disqualification from the practice of commercial activities;
placing under judicial supervision;
judicial winding-up;
temporary or permanent closure of establishments used for committing the offence [cf. art. 8 CSMAD]
Company X is a video game producer listed since 1996. In 2012, the company announced at the E3 conference
(Electronic Entertainment Expo, the trade show of the video games industry) that it would launch a new game in
2013 and showed some preliminary screenshots of the game. Following this announcement, the stock went
up over the next sessions.
On 15 October, after the close of the financial markets, company X disclosed that the game would be delayed and not
sold before 2014/2015. This delay implied a reduction in turnover and a loss of between EUR 40 and 70 million
instead of a projected profit of EUR 110 to 125 million.
Following the announcement, volumes increased sharply and the stock went down
26% in one day. This triggered an investigation by the AMF, which established that:
50 employees of the company sold stocks before the announcement,
either directly, or through the bank which was managing the stock option plan of the company,
or through an investment fund managed by an asset manager
Company C was created in 1986 and specialises in building and selling replica weapons for video game fans,
sport shooters and others. The company is listed on Euronext Paris and since January 2014 is traded on the Euronext
Growth MTF. The company started to have financial difficulties in 2011 and entered insolvency proceedings with a plan
agreed by the court. Some assets were sold and Mr AdB entered directly into the shareholding of the company.
The financial situation of company C got worse and in March 2014 some false financial information was published. In July
2014 the financial information was updated, showing growing difficulties.
Between March 2014 and July 2014, Mr AdB sold some securities of C, and another company he owns
bought some debt of company C in July.
In September 2014, the CEO of MP telephoned Mr X and told him MP was intending to raise new capital via a
share placement. The CEO subsequently emailed Mr X asking whether he would be interested in subscribing for
shares at what he was told would likely be a substantial discount to the company's current share price. Attached to
the CEO's email to Mr X was a presentation setting out the company's plans for the funds raised through the
placing, which included a clear statement that the information it contained was likely to be considered inside
information. When the placement was disclosed, the share price of MP lost 60.5% in the first hour of
post-announcement trading.
Prior to the placing, the CEO emailed Mr X a second time, asking if he would provide a significant level of funding in
order to prevent the share placing proceeding at a considerable discount to the share price at the time. Very shortly
after receiving this email, Mr X instructed his broker to sell his entire shareholding in MP "at any price".
A consultant specialised in mergers and acquisitions is currently assisting company ABC, listed on the Euronext
stock exchange, in preparing a takeover of company XYZ, listed on the Luxembourg stock exchange
When he is working late at the office, the cleaner overhears him on the telephone discussing the takeover
The next day, the cleaner suggests that her son purchase shares of XYZ
He seems to have a very good "eye" for picking out stocks that go up
You are the Compliance Officer of a listed company
This morning, when arriving at work, you receive an e-mail from one of your friends, asking whether it is true that
your company is about to announce the sale of one of its core activities, as there are rumours circulating on the
internet
You work for Blue Sky Bank Luxembourg, a 100% subsidiary of the Blue Sky Group, listed on the Euronext stock
exchange
Your client is interested in reinvesting the dividend recently paid on his account in financial shares
There is a market consensus among analysts that BSB has interesting prospects and will probably have a
dividend yield well above the market average
1. What is EMIR ?
1.1 Definition and objectives
○ 1.1.1 Derivatives markets definition
○ 1.1.2 EMIR definition & objectives
1.2 Scope Of EMIR
○ 1.2.1 EU Entities
○ 1.2.2 Non EU Entities
2. Obligations under EMIR
2.1 Reporting
2.2 Clearing
2.3 Risk Mitigating measures for OTC non cleared centrally
3. The role of the Compliance Officer
Before defining EMIR it is useful to define the derivatives markets. A derivative is a contract that derives its value from the
performance of another, underlying product. The underlying product can be an asset, an index or an interest rate, for example.
Exchange-traded derivatives (ETD) are traded on regulated exchanges (Euronext LIFFE, Chicago Mercantile Exchange...). ETD
products are standardized and liquid, and the exchange's central counterparty removes bilateral counterparty default risk.
OTC (over-the-counter) derivatives are not traded on an exchange but bilaterally, from counterparty to counterparty.
Figure: map of the derivatives markets: futures exchanges (futures), securities exchanges (options, warrants, structured
products) and the OTC market (forwards, swaps, rate products).
Futures Futures are financial contracts obligating the buyer to purchase an asset or the seller to sell an asset, such as a physical
commodity or a financial instrument, at a predetermined future date and price. Contracts are standardized to facilitate
trading on a futures exchange.
Options Options are a financial derivative sold by an option writer to an option buyer. The contract offers the buyer the right, but
not the obligation, to buy (call option) or sell (put option) the underlying asset at an agreed-upon price during a certain
period of time or on a specific date.
Warrant Warrants are a derivative that give the right, but not the obligation, to buy or sell a security - most commonly an equity -
at a certain price before expiration. The price at which the underlying security can be bought or sold is referred to as the
exercise price or strike price.
Structured products A structured product is a pre-packaged investment strategy based on derivatives such as a single security, a basket
of securities, options, indices... Structured products are designed to facilitate highly customized risk-return objectives.
Forward A forward contract is a customized contract between two parties to buy or sell an asset at a specified price on a future
date. A forward contract can be used for hedging or speculation, although its non-standardized nature makes it
particularly apt for hedging.
Swaps A swap is a derivative contract through which two parties exchange the cash flows or liabilities from two different
financial instruments. Most swaps involve cash flows based on a notional principal amount such as a loan or bond,
although the instrument can be almost anything.
European Market Infrastructure Regulation (EMIR) is a European regulation; its "full name" is
Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC
derivatives, central counterparties and trade repositories.
Similar to the US Dodd-Frank Act, the regulation was established to increase transparency and
reduce the counterparty credit risks that contributed to the 2008 financial crisis. The original mandate for this
regulation came from the G20 Pittsburgh summit in 2009.
EMIR is designed to regulate the Over The Counter (OTC) derivatives market and meet three objectives:
• Increase transparency
• Reduce counterparty risks
• Reduce operational risks
In June 2019 the EMIR Refit (Regulation (EU) 2019/834) entered into force.
The purpose of the EMIR Refit is to amend and simplify the European Market Infrastructure Regulation (EMIR) "to address
disproportionate compliance costs, transparency issues and insufficient access to clearing for certain counterparties."
Amendments relate to areas including the definition of financial counterparty, restrictions on application of the clearing
obligation, changes to the clearing threshold calculation for non-financial counterparties and responsibility for trade reporting.
EMIR affects all entities "established" in the EU that enter into derivatives, whether they do so for:
• Trading purposes
Certain EMIR obligations (clearing and risk mitigation) may also affect non-EU entities.
EMIR applies to any legal or natural person established in the EU that is a legal counterparty to a
derivative contract, including interest rate, foreign exchange, equity, credit and commodity derivatives.
Three obligations: reporting of derivative contracts to a trade repository; central clearing of certain Over-The-Counter (OTC)
derivative transactions; risk mitigating measures for OTC derivatives not cleared via a CCP.
Depending on the financial institution, the role of Compliance might be limited or extended. Typically Compliance verifies that:
the 3 duties (clearing, reporting, mitigation of risk) are taken care of;
responsible staff members were appointed to be in charge of each of these duties;
in case of delegation or outsourcing of certain duties (e.g. reporting to a trade repository), the conditions for outsourcing
are respected (ongoing monitoring, due diligence...)
Q&A
1995 - Data Protection Directive: data protection authorities set up depending on specific country needs
2016 - General Data Protection Regulation: grants enforcement powers to the authorities and introduces the DPO
What is personal data?
Any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification
number or to one or more factors specific to him/her.
The data collected must be proportionate to the purposes of the data processing. The processing of special categories of
personal data (formerly "sensitive data") is strictly regulated/limited (Art. 9 GDPR): biometric data, racial or ethnic origin,
medical data, identification data, sexual life, criminal offences (Art. 10 GDPR).
Data Subject
Any individual about whom personal data is processed
Natural person; personal data; data subject in the EU; processing activities in the EU or in relation with data subjects in the EU
GDPR applies to controllers and processors established in the EU (regardless of where the processing takes place), and to
controllers and processors established outside the EU when they process personal data of data subjects in the EU in relation
with the offering of goods or services to them or the monitoring of their behaviour (Art. 3 GDPR). Protection attaches to the
data subject being in the EU, not to nationality.
Examples: Chinese online shop with website in English delivering goods to EU customers, American social network, ...
Processing
Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means,
such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Examples: making accessible, erasing data, collecting data, archiving data, transferring data, having access
Controller or Processor : natural or legal person, public authority, agency or any other body (school, prison, hospital, supermarket,
bank, social network, telecommunication operator, energy provider, …)
Controller
• Determines the purposes and means of the processing of personal data
• If more than one person is controller, they will be joint controllers
Processor
Processes personal data on behalf of the controller, following his instructions
Data protection rules applicability test:
1. Establishment or presence in the EEA, processing personal data? YES: GDPR rules apply. NO: go to 2.
2. Offering goods and/or services in the EEA? YES: GDPR rules apply. NO: go to 3.
3. Monitoring the behaviour of data subjects in the EEA? YES: GDPR rules apply. NO: go to 4.
4. Making personal data accessible in the EEA? YES: GDPR rules apply. NO: out of GDPR scope.
DPA (in Luxembourg: the CNPD, Commission nationale pour la protection des données) powers and duties
• Power of investigation
The DPA is allowed to access the data being processed. It has direct access to the premises where the data is processed,
unless they are residential premises, and to the processed data, and carries out the necessary checks
• Power of sanction
The DPA can impose administrative and disciplinary sanctions (warn or admonish controllers, order data to be blocked, deleted
or destroyed, impose a temporary or definitive ban on a processing, order publication of the prohibition decision)
The DPA has the task to produce guidelines and to cooperate with other DPAs
Objective: to give citizens control over their personal data and to simplify the regulatory environment for business
DIRECTIVE (Directive (EU) 2016/680): increased exchange of data between police and judicial authorities
• The Directive applies to the cross-border processing of personal data, as well as to the processing of personal data by police
and judicial authorities at strictly national level. Accordingly, police and judicial authorities should no longer apply different
rules according to the origin of the personal data
• Transferring personal data from competent authorities to private entities is made possible under specific conditions. This
allows police authorities to take swift action in cases of a terrorist attack or other emergencies
• Police authorities are now allowed to limit both the information held on the data and the access to the processed data. The
framework allows police authorities to neither confirm nor deny whether they are in possession of personal data, in order to
avoid compromising ongoing investigations.
REGULATION (Regulation (EU) 2016/679, GDPR): increased protection of natural persons with regard to the processing of
personal data and on the free movement of such data
• New data subject rights: i) data portability, ii) right to be forgotten, iii) right to object, iv) right not to be subject to
automated decision-making and profiling
• New data controller obligations: i) creation of a data repository / register of processing activities, ii) data protection impact
assessment implementation
• Further responsibilities of data processors, e.g. assistance, reporting to the controller, submission to instructions
• Large increase in financial and administrative sanctions, e.g. suspending or interrupting processing
DATA CONTROLLER
A person who (either alone or jointly with other persons) determines the purposes for which and the manner in which personal data are to
be processed.
Lawfulness and Purpose of processing personal data
• The controller must have legitimate reasons for carrying out the planned processing of data (ground for lawfulness to
identify among the 6 options available in GDPR art.6)
• Purpose has to be determined before the processing begins, has to be specified and explicit and legitimate
• Data retention: only for the period of time necessary for the purpose of the processing. Once the purpose fulfilled, the data
should be removed (except if data is “anonymous” as it is not personal data anymore)
Respect of the data subjects' rights (information about processing, having access on request, right to object, …)
Data security and confidentiality measures (processing, sub-contractor, protection of data by appropriate technical and
organizational measures)
DATA PROCESSOR
Any person (other than an employee of the data controller) who processes the data on behalf of the data controller. Execution of
instructions (responsibility for executions and assistance).
Reference document: the Register of Processing Activities
Every personal data processing has to be recorded in a register, kept up to date and available to the CNPD on simple request
Processing activity: any (group of) operation(s) linked with personal data: collection, archiving, access, transfer, consultation,
deletion, transformation, ...
Chief Information Security Officer: senior-level executive responsible for establishing and maintaining the enterprise vision,
strategy and program to ensure that information assets and technologies are adequately protected. Responds to incidents,
establishes appropriate standards and controls, manages security technologies, and directs the establishment and
implementation of policies and procedures
Right of access
Right of rectification
Right to be forgotten
Right to object
Right of access
Obtain from the controller confirmation as to whether or not personal data concerning a data subject is being processed, and,
where that is the case, access to the personal data and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in
third countries or international organizations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to
determine that data retention period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of
personal data concerning the data subject or to object to such processing (limited right);
where the personal data are not collected from the data subject, any available information as to the data source;
when applicable, the existence of automated decision-making, including profiling.
The right of access may be limited by other regulations (e.g. Suspicious activity/transaction reporting)
Right of rectification
Obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data
completed, including by means of providing a supplementary statement.
The right of rectification should be read in coordination with the principles of i) accuracy of data, ii) Relevance (completeness) and
iii) obligation of keeping data up-to-date.
Right to be forgotten
Obtain from the controller the erasure of personal data concerning the data subject without undue delay where one of the
following grounds applies:
the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based, and there is no other legal ground for the
processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject
objects to processing for direct marketing purposes;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the
controller is subject;
the personal data have been collected in relation to the offer of information society services to a child.
Right to restriction of processing
Obtain from the controller restriction of processing where one of the following applies
the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of
the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their
use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data
subject for the establishment, exercise or defence of legal claims;
the data subject has objected to processing pending the verification whether the legitimate grounds of the controller
override those of the data subject.
Right to object
Object, on grounds relating to the data subject's particular situation, at any time to processing of personal data concerning the
data subject:
• whenever such data is eligible to be erased
• whenever the processing relies on a lawful basis compatible with this right (task in the public interest or legitimate interests
of the controller, Art. 6(1)(e) and (f) GDPR)
• whenever the data is to be transferred out of the EU
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the
processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of
legal claims (e.g. statutory retention periods, cooperation with authorities...)
Before addressing a request, the controller shall:
The controller shall provide information on action taken on a request to the data subject without undue delay
and in any event within one month of receipt of the request (that period may be extended by two further
months where necessary, taking into account the complexity and number of the requests)
Transfers outside the EU: clear distinction between countries which are equivalent or not with regard to data protection (EU
data adequacy decision): Andorra, Argentina, Canada, Israel, Japan, New Zealand, Switzerland, Uruguay, ...
Transfers to non-equivalent countries are forbidden unless very strict measures are in place, such as:
Standard contractual clauses (adopted by the EU Commission or by a DPA)
OR
Binding Corporate Rules (BCR)
Circular or guidelines from the National Competent Authority (NCA)
• The data protection shall be guaranteed at all times
• Pay attention to data protection provisions in case of outsourcing of services including client or employee data
• Check which counterparts including sub-contractors or service providers are involved and in which jurisdiction
• The outsourcing does not relieve the institution of its legal and regulatory obligations or its responsibilities to its customers. A
data processing agreement between Controller and Processor is required (Art. 28 GDPR)
• The outsourcing shall not result in any delegation of the institution's responsibility to the subcontractor / data processor
Many employees working on professional devices have access to the internet and email. Many employers tolerate personal use of
email / internet as long as it is reasonable and does not conflict with professional duties. Employees have a right to privacy at
work (secrecy of correspondence). The employer needs to protect its goods and assets (confidentiality of data, ...)
To this end, employers should inform the employees on:
the use of information tools (private use? surfing on the internet? creation of personal files?);
the record keeping rules;
restrictions (blocking of internet sites, threshold on size of files, ...);
the modalities of controls (controls should be gradual, for example anonymous sampling without employees' names first, moving
to more precise controls if needed).
Recommendations for internet use
Internet access is normally given for professional use; the employer should inform employees on the conditions and modalities
for private use of the internet;
Monitoring of internet use should be proportionate and should first define a global and non-personal scope, for a defined
period of time; if internet use over that period indicates harm to the company, then more personalised surveillance is
appropriate;
Preventive use of virus scanners;
Prohibitions or restrictions on downloading tools from the internet or connecting to discussion platforms (chats, blogs).
Recommendations for email use
Private emails should be kept distinguishable from professional emails; private emails cannot
be accessed by the employer (even if the use of private emails is not permitted);
End of service: the leaving employee should transfer all professional emails to another person (e.g. the
line manager), delete or transfer private emails onto a private medium, and inform
senders to the "old email" address to use another email address;
Staff should be made aware of and trained on the risks of email use such as fraud, phishing, theft of
email addresses, viruses...
How can you implement these recommendations?
Internal control policies and procedures;
IT charter;
Code of ethics;
Employees handbook;
Working instructions
USB key encryption
Clean desk policy including rules regarding screen saver, lock down rules
Risk awareness on phishing attempt
Privacy policy
Cookie policy
The GDPR imposes fines on data controllers and processors for non-compliance
Under GDPR, the processing of personal data without observing the required formalities provided by law is punished by
administrative fines; elements taken into account when setting the fine: nature of the infringement, intention, mitigation,
preventative measures, history, cooperation, data type, notification, certification, other...
Belgium: Until recently, most decisions of the Belgian Data Protection Authority (Belgian DPA) concerned national companies or
individuals. However, on 14 July 2020, the Belgian DPA imposed a fine of EUR 600,000 on Google Belgium SA/NV (Google Belgium)
for not respecting a Belgian resident's right to be forgotten. This is the highest fine ever imposed by the Belgian DPA. In its
decision, the Belgian DPA stresses the importance of its decision by calling it a "landmark decision" ("décision de principe") in
which it decides on certain "fundamental aspects" linked to de-referencing (on the basis of CJEU case-law), as well as on the
demarcation of its powers to act.
United Kingdom: In the UK, the average cost of a data breach has grown to nearly GBP 2.7 million, according to IBM research, and
the reputational harm can be incalculable. Virgin Media: almost a million Virgin Media customers were believed to be impacted by
a massive data breach in March 2020, which saw the personal details of 900,000 people accessed after a marketing database was
left open for 10 months.
United States: Equifax agreed to pay a minimum of USD 575 million for its 2017 breach. Uber's poor handling of its 2016 breach
cost it close to USD 150 million. Weakly protected and heavily regulated health data cost medical facilities big that year, too,
resulting in the US Department of Health and Human Services collecting increasingly large fines. Overall, hacks and data thefts
have cost the companies concerned a total of nearly USD 1.23 billion and counting.
EU data protection authorities will continue to put pressure on regulated entities and the number of fines will continue to
increase. As the CNPD now has a clear framework to conduct investigations, firms need to prepare themselves for active
investigations. On 22 January 2020 the CNPD adopted its regulation which governs the procedure for investigations. Luxembourg's
data protection authority now has a clear framework within which to conduct investigations. For regulated entities, these
procedures are similar to on-site investigations carried out by other regulators, and supervised entities should update their
regulatory investigations policies.
● A client complains because he has received marketing advertisements on his personal email
● You are the Data Protection Officer
● Your bank has different branches worldwide, based in the EU, the USA and Asia
● Each branch has its own HR software
● In order to improve the HR processes, the bank wants to change its HR software and to set up a single
solution which will be hosted in India and managed in Luxembourg
● You are the Data Protection Officer
● You are the DPO of a pension fund
● An IT security issue has allowed your PSF in charge of the payroll and administrative tasks to access data about
the names of the affiliated companies as well as the names of the beneficiaries of the pensions paid.
Thank you for your attention
The knowledge provided by this document is purely informative. Although the House of Training
makes its utmost to ensure that this information is correct and up to date, it declines any
responsibility as to possible damages, losses, losses of earnings, direct or indirect induced by its use.
The contents are subject to the laws of copyright, all rights reserved.
05/05/2021
Governance, risk and compliance (GRC) refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations. Corporate governance is a broader concept which may be described as the set of relationships between an institution, its board of directors, its authorised management, its shareholders and other stakeholders.
When corporate failures strike, meaning that risk has not been managed carefully, there is most often a corporate
governance breakdown behind the crash.
How to implement a sound GRC?
CSSF circular 12/552 as amended – similar rules in CSSF 18/69
• An internal governance which is consistent with the three-lines-of-defence model.
• A sound and prudent management of the business, including the risks inherent in it.
• ….
Boards are required to maintain sound risk management and internal control systems and have to confirm in their annual report
that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its
business model, future performance, solvency or liquidity.
Reminder – A SOUND CORPORATE GOVERNANCE
The first line of defence consists of the business units that take or acquire risks under a predefined policy and limits and carry out
day to day controls.
The internal control procedures shall provide that the operating staff control, on a day-to-day basis, the transactions they carry
out in order to identify as soon as possible the errors and omissions that occurred during the processing of the current
transactions.
Examples of these controls are: daily screening, transaction monitoring, reconciliation of cash flows, settlement of transactions,
The second line is formed by the support functions, including the financial and accounting function as well as the IT function, and
the compliance and risk control functions which contribute to the independent risk control.
The third line consists of the internal audit function which provides an independent, objective and critical review of the first two lines of defence.
The professionals shall consider all relevant risk factors before determining the overall risk level and the level and type of
appropriate measures to apply in order to manage and mitigate these risks.
The professionals shall ensure that the information on the risks included in the national and supranational risk assessment, or communicated by the supervisory authorities, self-regulatory bodies or the European Supervisory Authorities, is incorporated in their risk assessment.
The professionals shall document, keep up to date and make the risk assessments available to the supervisory authorities and self-regulatory bodies. The supervisory authorities and self-regulatory bodies may decide that individual documented risk assessments are not required where the specific risks inherent in the sector are clear and understood.
The ownership and responsibility for completion of the Risk Controls Self Assessment (« RCSA »)
The role of Compliance and Risk Management is to support and to challenge the business by providing advice on the risk management framework and RCSA requirements.
The RCSA is also used:
• to plan the annual compliance monitoring programme (« CMP »);
• to allocate the Compliance resources in an optimum manner;
• to determine the needs for tool enhancements and project development.
All inputs and outputs to the RCSA belong to the business and should be agreed by senior management and, wherever appropriate, approved by the management board.
Integrated in the governance process with the approval of the Authorized Management.
Risk Mapping
Per service lines or per processes
Inherent risk assessment
Control environment
Residual risk assessment
Objectives that relate to the entity conducting itself in line with applicable laws, regulations and its own (Group) policies concerning conduct and integrity.
Monitoring and oversight will provide assurance or show weaknesses.
There must be proactive action for regulatory and ethical change.
The outcome is to minimise the risk of regulatory censure, supervisory remediation, unlawful practice, reputational damage and loss of business.
Inherent risks are the risks of not complying with the provisions of the laws or regulations applicable to the industry. Risks must be evaluated according to the impact on the business, should the risk not be properly monitored:
• Likelihood of the risk happening
• Impact on the firm, should an incident happen
Inherent risks consider the possibility of unplanned or unintended causes which could have an impact on compliance risks.
Examples
• Category of risks: AML & CFT
• Regulatory framework: consolidated Luxembourg law dated 12 November 2004 on AML & CFT
• Sub-category of risks:
  • on-boarding without local acceptance committee approval
  • acceptance of a transaction without a duly signed agreement
  • error in booking a name in the client database
  • risk that the clients and/or services have been attributed an incorrect risk rating
  • inadequacy of the training materials
  • ….
List other inherent risks
Inherent risks consider the possibility of unplanned or unintended causes which could have an impact on compliance risks.
Examples
• Category of risks: Conflict of interest
• Regulatory framework: CSSF circular 12/552 on corporate governance as amended; CSSF circular 04/155 on the compliance function; CSSF circular 18/698 applicable to management companies and transfer agents
• Sub-category of risks:
  • Risk that the staff do not sign off the internal rules regarding personal transactions
  • Risk that the Bank does not correctly and completely assess all relevant fees, commissions or non-monetary benefits paid or received
  • Risk that the Bank does not adequately inform its clients on conflicts of interest
  • Risk that the Bank does not keep an updated inventory of conflicts of interest that have occurred
List other inherent risks
Take the time to make the Compliance Risk Assessment on other compliance risks.
On which category of risks do you have a compliance risk exposure?
In summary
Impacted areas – worked example
Theme: AML/CFT
Generic Risk: Client AML risk rating
Detailed Risk: Risk that all clients and/or services have not been risk rated for ML/TF risks. The absence of a risk-based approach would lead to improper levels of KYC and frequency of file reviews. It can also mislead Compliance as regards the necessity to flag certain clients for transaction monitoring.
Legal ref: Art 3(2a) of Law of 12 November 2004; Art 5 of RCSSF 12-02; CSSF Circular 11/519
Internal ref: Directive AML Group; Local AML Policy; Compliance Working Memorandum
Impact:
• Civil, criminal and regulatory fines or penalties: 3
• Reputational fallout / brand damage: 4
• Financial / materiality: 2
• Global impact: 3
Likelihood factors:
• Volume of activity: 4
• Complexity of process / laws / regulations: 3
• Degree of change: 3
• Staff: 3
• Global impact: 3.25
Gross Risk Score: 3
Impacted areas – worked example
Theme: Investor protection
Generic Risk: Client classification
Detailed Risk: Risk that the Bank does not inform its client regarding his MIFID classification
Legal ref: Directive 2014/65/UE MIFID II; Reglement UE 600/2014 MIFIR; Law of 30 May 2018
Internal ref: Investor protection Policy; Client classification procedure
Impact:
• Civil, criminal and regulatory fines or penalties: 3
• Reputational fallout / brand damage: 2
• Financial / materiality: 3
• Global impact: 2,67
Likelihood factors:
• Global: 2,00
Gross Risk Score: 5,33
Impacted areas – exercise
Theme: Market abuse & integrity
Generic Risk: Market manipulation
Detailed Risk: Risk that the Bank performs market manipulation
Legal ref: EU Regulation 596/2014; Law of 23 December 2016; CSSF 06/257 – Sect.3
Internal ref: Market Abuse Policy; Conflict of interest policy; Conflict of interest procedure
Impact:
• Civil, criminal and regulatory fines or penalties: 3
• Reputational fallout / brand damage: 3
• Financial / materiality: 2
• Global impact: 2,67
Likelihood factors:
Gross Risk Score:
Measure of impact, assessed per dimension (Financial EBITDA, Delivery continuity, Delivery process, Regulatory, Reputational):
• Negligible effect
• Reportable effect
• Significant material effect
• Catastrophic effect
Each impact effect type can be mutually exclusive; a group of related effects could be of a greater magnitude.
Consider the controls your company has in place. Take into account both the 1LoD and the 2LoD.
For each area of risk, understand and describe the control environment, explaining the preventative controls and reactive measures for those risks as may be relevant.
Example: there is a management four-eyes check and segregated senior sign-off required by the local procedures. This process is (partially) automated but …. Measures are in place to note exceptions and report those to management, …
For each area of risk, assess the overall effectiveness of the controls (are they being lived or ignored). You must consider what indicators would validate your rating of control effectiveness if asked and challenged.
Potential gaps in the adequacy of controls and measures which safeguard against risks can be perceived as a weakness or could be considered an opportunity to instigate change to address effectiveness and efficiency.
Consider any causes or triggers that might still lead to the occurrence of an event despite existing preventative controls and safeguards to lower the likelihood.
Should an event occur, consider what the effect or consequences would be despite any existing reactive controls that should mitigate and/or soften the impact.
Assess and rate the likelihood and impact of the residual risk.
Consider any remaining risk that might not be sufficiently managed, or perhaps unable to be managed, based upon the detail provided.
Man-day budget in the CMP as well as frequency of controls will be a direct consequence of the CRA.
The following is an example plan of those residual risks which, after conducting the Compliance Risk Assessment, shall be subject to monitoring. Various forms of CMP exist.
Example plan (control – frequency – area):
• Sanction screening – Daily – Client database
• AML – file review – Monthly – Transfer Agent
• Market abuse – personal transactions – Quarterly – Human Resources
• Training – Yearly – Human Resources
The plan should focus on the most material risks and should be achievable with the resources available.
The frequency of testing a particular topic or theme should be aligned to the risk posed.
The rationale as to why a particular topic has or has not been included within the CMP must be clearly documented within the RCSA, with supporting evidence where necessary.
The CMP is a living document to allow flexibility where required.