Compliance – Implementation of the Regulatory Framework

1 – Definitions

What is Money Laundering?

• knowingly facilitating by any means the false justification of the source of the property constituting the object or the direct or indirect proceeds, or constituting a patrimonial benefit of any nature whatsoever from one or several of the designated predicate offences;

• knowingly assisting in a placement, dissimulation or conversion transaction of property constituting the object or the direct or indirect proceeds, or constituting a patrimonial benefit of any nature whatsoever from one or several of the predicate offences;

• having acquired, held or used the property constituting the object or the direct or indirect proceeds, or a patrimonial benefit of any nature whatsoever from one or several of the predicate offences, knowing, at the time they received them, that they originated from one of the designated offences or from the participation in one or several of these offences;

• attempting to commit one of the above offences.

Predicate offences for ML:

A list of predicate offences is set forth in art. 506-1 par. 1 of the “Penal Code”, covering a wide variety of serious crimes, with a final residual category being all crimes punished by an imprisonment of a minimum in excess of 6 months.

Examples of Predicate Offences of Money Laundering:
(extract from Annual Report 2019 of Luxembourg FIU)

• Tax offences
• Fraud
• Corruption
• Forgery
• Insider dealing and market manipulation
• Involvement with an organized criminal group
• Illicit trafficking in stolen goods
• Terrorism and terrorism financing
• Human trafficking and illicit trafficking of immigrants
• Sexual exploitation
• Kidnapping, illegal detention and taking of hostages
• Theft, smuggling, extortion
• Counterfeiting, product piracy

The 4th AML Directive extended the scope of money laundering offences to tax crimes

Luxembourg Law of 23 December 2016 on the 2017 Tax Reform has amended article 506-1 of the criminal code adding 3 categories of predicate offences of money laundering:
- Aggravated tax fraud and tax swindle related to direct taxes
- Aggravated tax fraud and tax swindle related to value added taxes
- Aggravated tax fraud and tax swindle related to registration and inheritance duties

Further reading:
- CSSF Circular 17/650
- CSSF Circular 20/744

Money Laundering occurs in 3 stages:

1. Placement: illegal funds or assets are brought into the financial and/or commercial system in a way that aims at avoiding the creation of certain records and reports required by law (smurfing/structuring, camouflage, complicity, bank deposits in a specific pattern).

2. Layering: illegal funds or assets are moved away, spread across and/or disguised to conceal their origin (multiple transactions, complex structures, various asset types).

3. Integration: funds or assets (successfully cleared) are reintroduced in the legal economic system / in the financial system, by making them available for investments, saving or expenditure (in real estate, securities, commercial business).

What is Terrorism Financing?

• Terrorist organizations need money to recruit and sustain, acquire, influence, build the support base, carry out terrorist activities.

• Terrorism: Unlawful use or threatened use of violence against individuals or properties to intimidate or coerce, especially for political purposes, religious or ideological objectives.

• Financing of terrorism: Involves the solicitation, collection or provision of funds with the intention that they may be used to support terrorist acts or organizations.

• Any act as defined by art. 135-5 of the Penal Code.

Differences between Money Laundering and Terrorism Financing

• Money Laundering: The ORIGIN of money, funds, assets is ILLICIT

• Terrorism Financing: The DESTINATION of funds/assets is ILLICIT, where terrorist organizations obtain money from a number of legitimate and illegitimate sources (wealthy sponsors, charitable and religious institutions, commercial enterprises, state sponsors, illegal activities, smuggling, etc.). The purpose of the funds is often disguised.

• In some cases, terrorism is financed by money launderers

2 – Regulatory environment

● International Level
(Treaties, UN Resolution, FATF reco)

● Regional Level
(European Regulation / Directives)

● Local Level
(Luxembourg Law, Grand Ducal and CSSF regulations,
National Risk Assessment)

Regulations covering the prevention of money laundering date back to the early 1970s. Regulations concerning the prevention of terrorism financing were introduced later (early 2000s).

● United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances, 1988

● United Nations Convention against Transnational Organized Crime, 2000

● United Nations Convention against Corruption, 2003

European Regulation

• 1991 - 1AMLD

• 2001 - 2AMLD

• 2005 - 3AMLD

• 2015 - 4AMLD

• 2018 - 5AMLD

• 2018 - 6AMLD

EU regulation is accelerating, from a rhythm of one directive every 10 years to one every 3 years…

● In 1989: creation of the Financial Action Task Force on Money Laundering (FATF/GAFI), an inter-governmental policy making body, based in Paris
● Objectives:
• Sets international standards to combat money laundering and terrorist financing.
• Assesses and monitors compliance with the FATF standards at country level.
• Conducts typology studies of money laundering and terrorist financing methods, trends and techniques.
• Responds to new and emerging threats, such as proliferation financing.
● History:
• 1990: 40 recommendations
• 2001: +7 special recommendations related to FT
• 2003: +2 special recommendations related to FT
• Revised in February 2012 to cover new threats such as the financing of proliferation of weapons of mass destruction, and to be clearer on transparency and tougher on corruption = a new set of 40 recommendations
• New priority areas such as tax crimes
• February 2013: FATF revised its Risk Assessment Methodology
Further reading:
- October 2018 – Guidance for RBA on securities sector
- October 2019 – Best practices on Beneficial ownership in legal persons

The 40 recommendations

The Mutual Evaluation Process

FATF conducts on a regular basis an evaluation of its members against the framework it established. It is a rigorous and complex process. Luxembourg, being an FATF member, is subject to FATF visits.

Wolfsberg Group is an association of global banks.

Objective: to develop financial services industry standards, and related products, for Know Your Customer, Anti-Money Laundering and Counter Terrorist Financing policies.
Wolfsberg Group members: Banco Santander, Bank of America, Barclays, Citigroup, Crédit Suisse, Deutsche Bank, Goldman Sachs, HSBC, J.P. Morgan Chase, MUFG Bank, Société Générale, Standard Chartered Bank, UBS
Further reading:
- Wolfsberg Group Guidance on Sanctions Screening 2019
- Wolfsberg Group Guidance on Customer Tax Evasion 2019
- Wolfsberg Group PEP Guidance May 2017
- Wolfsberg Private Banking Principles 2012
- Wolfsberg Group, Notification for Correspondent Bank Customers – April 2007

● EU Directive (EU) 2015/849 - published 5 June 2015 (the 4th AML Directive)
• replaces Directives 2005/60/EC and 2006/70/EC.
● Regulation (EU) 2015/847 on information accompanying transfer of funds
• replaces Regulation (EC) No 1781/2006.
Main features
● tax crimes = predicate offences of money laundering
● focus on the risk assessment and a corresponding risk based approach
● lighter CDD for certain e-money products
● gambling sector in scope
● creation of beneficial owners' national central registers
● “domestic” or national PEP in scope
● enhancement of sanctioning powers of the competent authorities and publication of the sanctions
● information about payer AND payee
Effective since 26 June 2017

● (EU) 2018/843 – published 19 June 2018 (the 5th AML Directive)
• Replaces Directives 2015/849, 2009/138/EC and 2013/36/EC.
Notable features:
• Extended scope:
- Providers of exchange services between virtual currencies and fiat currencies as well as custodian wallet providers.
- Persons trading or acting as intermediaries in the trade of works of art, including when this is carried out by art galleries and auction houses, where the value of the transaction or a series of linked transactions amounts to EUR 10 000 or more.
- Persons storing, trading or acting as intermediaries in the trade of works of art when this is carried out by free ports, where the value of the transaction or a series of linked transactions amounts to EUR 10 000 or more.
- Estate agents including when acting as intermediaries in the letting of immovable property, but only in relation to transactions for which the monthly rent amounts to EUR 10 000 or more.
• Access to beneficial ownership information
• Central national registries for bank and payment accounts
• Prepaid cards/instruments
• Local list of PEP functions
• FIUs are granted completely unfettered access to information from any obliged entity
• Details regarding Enhanced Due Diligence measures for high risk countries
● Directive (EU) 2018/1673 – published 12 November 2018
• Complement to the criminal law aspects of the 5th AML directive

Luxembourg legislation and rules (non-exhaustive list)
• Law of 5 April 1993 on the Financial Sector
• Law of 12 November 2004 on AML/CTF, as amended
• Law of 23 December 2016 on tax reform (tax swindle + aggravated tax fraud)
• Law of 13 January 2019 (RBE)
• Grand-Ducal Regulation of 1 February 2010, providing details on the AML law of 2004
• Law of 27 October 2010, enhancing the AML/CTF legal framework, organizing the controls of physical transport of cash entering, transiting through or leaving the Grand-Duchy of Luxembourg, implementing UN and EU resolutions concerning prohibitions and restrictive measures in financial matters in respect of certain persons, entities and groups in the context of CTF
• Grand-Ducal Regulation of 29 October 2010, enforcing the law of 27 October 2010
• CSSF Regulation No. 20-05 (former 12-02), on AML/CTF
• Ministerial regulations, implementing UN and EU restrictions
• FIU/CRF Circular 22/10

CSSF Circulars:
• FATF statements
• Circular CSSF 13/556 (Regulation 12-02 and repeal of CSSF Circulars 08/387 and 10/476)
• Circulars CSSF 11/519 and 11/529 (AML/CTF risk analysis)
• Circulars CSSF 17/650 and 20/744 (providing details related to predicate tax offences)
• Circular CSSF 17/661 (adoption of the joint guidelines issued by the 3 ESAs on ML and TF risk factors)
• Circular CSSF 18/698 (authorization and organization of investment fund managers, incl. specific provisions on AML)
• Circular CSSF 18/702 (developments regarding AML in the private banking sector)
• Circular CSSF 19/732 (clarifications on the identification/verification of the UBO)

DATA COLLECTION & PROCESSING
• Public Access To National Registers of Beneficial Owners: a UBO register is to be established for companies and trusts or other legal arrangements.
• Public Authorities To Access Client data of all institutions: in Luxembourg the choice has been made that all banks will send to the CSSF all the data of their clients (name, balance…). All the data of our clients will be shared DAILY with the CSSF (Circular 20/747).

RISK ASSESSMENT & MITIGATION
• EDD Measures for transactions involving High Risk Countries
• Transaction Monitoring: specification of “complex & unusual” transactions:
- Complex transaction
- Unusually high
- Unusual manner
- Does not have an apparent economic / legal purpose
• In addition the law provides a lot of tools for competent authorities:
- to prohibit supervised banks from establishing business in High Risk Countries,
- to require additional supervision of High Risk Branches,
- to request banks to terminate correspondent banking relationships with institutions based in High Risk Countries…

CUSTOMER DUE DILIGENCE
• Identification & Verification of the identity of beneficial owners of legal entities: clarification on the methodology to be followed, and on how this should be documented (including collection of an extract of the register of beneficial owners).
• Beneficiaries Of Life Insurance: requirement to identify & verify the identity of the beneficiary only where the contract was negotiated by the bank acting as intermediary; this should take place at the time of the pay-out.

SCOPE
• Extended Scope of Professionals subject to AML/CTF Obligations. New: intermediaries in art, real estate agents, real estate developers, for transactions > 10 000 EUR. The new in-scope persons below must be registered with the CSSF: virtual asset service providers, any person providing material advice or assistance from a tax perspective, custody and administration service providers.
• Acceptance of electronic identification means as set out in Regulation (EU) No 910/2014: identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services or any other secure, remote or electronic identification process regulated, recognized, approved or accepted by the relevant national authorities.

Main professional obligations:

• AML/CTF Risk assessment / AML Risk Appetite
• Customer Due Diligence (CDD)
• Adequate Internal Organization
• Cooperation with the authorities

3 – AML Risk Assessment

o Art. 3(3) of the Law of 2004: “Professionals are required to perform an analysis of the risks inherent to their business activities. They must set down in writing the findings of this analysis.” (since 27-Oct-2010)
o Risk analysis regarding the fight against money laundering and terrorist financing (AML/CFT)
• CSSF Circular 11/519: for credit institutions.
• CSSF Circular 11/529: for all other professionals subject to CSSF supervision and to whom the law of 12 November 2004 applies.

Risk analysis                      CSSF 11/519   CSSF 11/529
1. Identification of ML/TF risks   yes           yes
2. Mitigation measures             yes           yes
3. Questionnaire                   yes           no

o Identification of ML/TF risks is mainly based on:
• Country / Geography
• Customers
• Products / Services / Transactions
• Distribution channels (ESA – Risk factors Guidelines – 26 June 2017)
• Assets (CSSF Circular 18/698)

• The evaluation must be updated annually and must include new products and new commercial practices, including new mechanisms for providing services and the development and use of new technologies for new products and for those that already exist.

• The evaluation must result in a global risk score, which can vary between Low, Medium Low, Medium High and High.

• The main objectives of this risk assessment are:
- To identify the ML / TF risks to which the professional is exposed
- To assess how those risks are mitigated

• Inherent risks are assessed and the mitigators are identified through an inventory and evaluation of the controls in place

To perform this assessment the professional shall also consider:
• The National Risk Assessment of ML and TF made for Luxembourg (highlighting the most relevant risks in Luxembourg)
  https://mfin.gouvernement.lu/en/publications/Divers/NRA/NRA.html
• The CSSF Sub-Sector Risk Assessment: three have been prepared, on the private banking sector, specialised PSF (trust & company service providers) and another one on securities services

The NRA performed an assessment of the exposure to ML / TF threats and also rated the banking sector, considering Private Banking as having a very high inherent risk.

o In accordance with article 2-2 of the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended, “the professionals shall take appropriate steps to identify, assess and understand” the risks of money laundering and terrorist financing that they face, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels. Those steps shall be proportionate to the nature and size of the professionals.
o The professionals shall consider all relevant risk factors before determining the overall risk level and the level and type of appropriate measures to apply in order to manage and mitigate these risks. Moreover, the professionals shall ensure that the information on the risks included in the national and supranational risk assessment or communicated by the supervisory authorities, self-regulatory bodies or the European Supervisory Authorities is incorporated in their risk assessment. The professionals shall document, keep up-to-date and make the risk assessments available to the supervisory authorities and self-regulatory bodies.
o In accordance with article 4 (1) of the CSSF Regulation 12-02 (as amended by the CSSF Regulation 20-05), the identification, assessment and understanding of risks by the professional, as provided for in Article 2-2 of the Law, shall allow it to determine which due diligence measures shall be applied to the business relationship based on the materiality of the risk. To this end, the professional shall incorporate different sources in its risk management procedures, including:
- the supranational report of the European Commission on the risks of money laundering and terrorist financing (“Supranational Risk Assessment”);
- the national assessment of the risks of money laundering and terrorist financing (“National Risk Assessment”);
- sub-sectoral ML/TF risk assessments (“Sub-Sector Risk Assessments”);
- the joint guidelines issued by the three European Supervisory Authorities (ESMA, EBA and EIOPA) (hereinafter referred to as the “European Supervisory Authorities”) on money laundering and terrorist financing risk factors (“Risk Factor Joint Guidelines”);
- the related CSSF publications.

RISK FACTORS - CATEGORIES

Country / Geo area
• Country risk provides useful information on potential ML/FT risks
• The ESAs Joint Guidelines require that certain factors are taken into account to assess the risk level of a particular country

Investor / Client base
• Each customer type has a different set of AML/CTF risks and is subject to different identification and verification requirements
• Higher risk customers generally include business relationships involving Politically Exposed Persons (“PEP”), non-profit organizations (“NPO”) and complex layers of intermediaries, in particular involving unregulated intermediaries
• FATF provides categories of customers indicating higher risk

Distribution Channel
• AML/CFT risk profile of the parties involved in the distribution channel
• Level of AML/CFT controls it applies as well as the level of supervision it is subject to, country, domicile or activity, the transparency of the distribution…

Asset
• AML/CTF risks of an asset, assessed prior to any acquisition as well as on a defined ongoing basis, to ensure that any change in circumstances is adequately …

Product, Service & Transaction
• AML/CTF risks of the products, services and transactions, assessed prior to any new launch as well as on a defined ongoing basis, to ensure that any change in circumstances is adequately …
• The following elements at a minimum: the level of transparency or opaqueness of the product, service or transactions, the complexity of the product, service or transactions, and the value or size of the product, service or transactions.
• The ESA Guidelines & FATF Guidelines require that certain factors are taken into account to assess the risk level

Other risk factors
• Other AML/CTF risk factors should be considered, like: the organization of the entity, any material delegation or outsourcing arrangements, sanctions, bad press, case-by-case high risk cases…

Mitigation factors are all the elements in place that contribute to combat ML/FT. Mitigation factors may include Governance & Oversight / Controls & Testing / Training and Awareness.

In the sub-sector assessment, the CSSF also inventoried the most frequent findings from CSSF onsite inspections:
• Incomplete documentation
• Insufficient diligence to understand the ownership and control structure of the client
• ML / TF classification
• ML / TF linked to clients and risk country
• Lack of critical analysis
• Insufficient involvement of the compliance function
• ML / TF suspicion not reported (or reported late) to the FIU

Regulatory requirement introduced by CSSF Circular 18/702 (for private banking), also reflected in Regulation 20-05 and also an ECB requirement: each professional shall prepare an AML Risk Appetite, to be put in place by authorised management and approved by the board of directors.
There is no prescription on how this should be formalised. However, some examples of the elements that should be considered:
• Prohibition to do business in certain countries or to offer certain products,
• Number of countries in which the professional operates should be limited,
• A clear business strategy clearly stating what the professional wants to do and how, in terms of AML (type of industry of clients, channel of distribution…),
• Products offering
• …

4 – Customer Due Diligence (CDD)

1. Client Due Diligence obligations
2. Difference between Identification and Verification
3. Definition of beneficial owner
4. Purpose and nature of the business relationship
5. On-going monitoring
6. Concept of Risk-Based Approach (RBA)
7. Client Acceptance
8. Simplified due diligence measures
9. Enhanced due diligence measures
10. Due diligence performed by third parties
11. Record keeping
12. Tax Due Diligence

● Identify and verify the client’s identity (including proxies and legal representatives)
• Based on documents, data, information obtained from a reliable and independent source
● Identify the beneficial owner, when applicable, and take reasonable measures to verify his identity
• Definition of beneficial owner
• Including, where applicable, understanding of the ownership and control structure of the client
● Obtain information on the purpose and intended nature of the business relationship
● Obtain information on the client’s tax situation
● Conduct on-going monitoring of the business relationship and the transactions
● Screen client and all relevant parties against sanctions lists

● Identification
• Before account opening
• Clients
• Proxies, Mandates, Legal representatives
• Ultimate Beneficial Owners (UBOs)
● Verification of information
• Having supporting documents evidencing the identification
• Documents from a reliable and independent source
● Key questions
• Who is your client, its beneficial owner, purpose of activity, source of wealth, source of funds?
• KYC documentation may vary according to the client type and on a risk-based approach

Art. 1(7) of the Law of 12 November 2004 as amended
• Any natural person who ultimately owns or controls the client through a direct or indirect ownership of a sufficient percentage* of the shares or voting rights or ownership interest in that entity; or
• Any natural person on whose behalf a transaction or activity is being conducted; or
• Any natural person who otherwise exercises control or decisive influence over the management of a legal entity/arrangement.
• If, after having exhausted all possible means and provided there are no grounds for suspicion, no one corresponding to a person listed above is identified, or if there is any doubt that the person identified is the beneficial owner, any natural person who holds the position of senior manager could be identified as beneficial owner.
FATF Recommendations: also include the person who exercises ultimate effective control over the legal person/arrangement.
* A shareholding of 25% + 1 share (“threshold”) is only an INDICATION of ownership. An individual can be UBO even if the thresholds of ownership or control of the AML Law of 12 November 2004 as amended are not met (CSSF Regulation 12-02 and CSSF Circular 19/732).

Published on 20th December 2019, Circular 19/732’s purpose is to provide guidance in relation to the legal requirements applicable to the identification and verification of beneficial owners. It also includes FATF guidance on transparency and concealment of beneficial ownership and a FATF report to the G20 on Beneficial Ownership.

Threefold procedure to determine the UBO. The respective steps mentioned hereafter have to be followed until all ultimate beneficial owners have been correctly identified:

1. Identify the natural person(s) who directly or indirectly hold(s) or control(s) a sufficient percentage, namely 25% plus one, of the shares, voting rights or ownership in an entity;

2. Where no natural person can be identified under any of the scenarios under (i), identify any person who controls the legal entity via other means (meaning having the power to exercise, or actually exercising, dominant influence or control by any means over the investor/client. Understanding the management and governance structure of the investor/client will assist in establishing those natural person(s) with effective control over the customer; see also the factors in the circular); and

3. After having exhausted all possible means and provided that there are no grounds for suspicion, where no person under points (i) and (ii) is identified, or if there is any doubt that the person(s) identified is/are the beneficial owner(s), identify any person who holds the position of senior managing official (dirigeant principal).

• It is fundamental to stress that measures (i) and (ii) are not alternative options but cascading measures, and must be formalized. Assessments under (i) and (ii) have thus each to be fully completed and formalized before resorting to measure (iii), which constitutes an express fall-back option only applicable when all possible measures to identify the ultimate beneficial owner under (i) and (ii) have been exhausted and came to no result. Professionals should keep records of all actions taken to identify the UBO under the abovementioned points.

• When identifying the ultimate beneficial owner(s) of their customers, professionals collect proof of registration or an excerpt of the RBE register or similar registers abroad. Professionals may not exclusively rely on beneficial ownership information contained in such a central register to fulfil their customer due diligence obligations.

• In case no ultimate beneficial owner is identified as required by the laws and regulations, the business relationship cannot be established.

For legal arrangements (trusts, fiducies) the UBOs are:
• Trusts and fiducies can be used to increase anonymity. In a trust, a settlor transfers legal ownership, including the right to control the property, to a trustee and the right to benefits to beneficiaries.
• Where a legal entity is owned by a trust, the rules on identification of the UBO of legal entities and trusts shall apply simultaneously.
According to the AML/CFT law, the concept of beneficial ownership shall include:
• The Settlor, if any
• The Fiduciaire or Trustee
• The Protector, if any
• The Beneficiaries (when determined) or the class of persons in whose main interest the legal arrangement is set up or operates
• Any other person having influence in the arrangement.

New registry introduced by the 4th AML directive and implemented by the Law of 13 January 2019

● Creation of beneficial owners' national central registers

● 4th AMLD: The member states will have to hold information on the beneficial owners of all corporate and other legal entities incorporated within their territory in a national central register. Competent authorities and entities subject to the Directive will have access to the register, as well as any person demonstrating "a legitimate interest".

● 5th AMLD broadens access to UBO information:
• Corporate entities: any member of the general public is now required to be granted access (foreseen by the law of 13 January 2019).
• Trusts: access to beneficial ownership information is extended beyond regulators, FIUs and regulated entities conducting due diligence to any person that can demonstrate a legitimate interest.

Register of Beneficial Owners (RBE)
Under the RBE law, published on 15 January 2019, Luxembourg domiciled companies must:
• Transmit to the RBE at the Luxembourg Trade and Companies Register information on their BO 6 months after the publication of the law
Obligations when onboarding a Luxembourg company as a client:
• Professionals must consult the RBE, take a printout and verify the information in the register against the information provided by the prospect or client
• In case of discrepancies the professional shall inform the RBE
• For other EU domiciled companies, similar controls must be set in place when the register exists and is available.
Fine from 1 250 EUR to 1 250 000 EUR if the BO information has not been uploaded.

Register of Trusts & Fiducies
• Transmit to the RBE at the Luxembourg Trade and Companies Register information on their BO 6 months after the publication of the law
Obligations when

Obtaining information on the purpose and the intended nature of the business relationship (BR), i.e.:

● Why does the client need an account / reason for entering into a business relationship?

● What are the expected transactions or flows of cash? (amount, frequency, purpose, origin and destination, countries, documentation, …)

● Adapt the level of detail when the client or beneficiary resides abroad

● Detect complex and unusual transactions/operations
• The importance of the money coming in and out and the volume (amount and frequency);
• The existence of discrepancies with regard to the nature, volume or frequency of the transactions;
• The existence of discrepancies with regard to the declarations made by the client at the beginning of the relationship and what is actually done by the client;
• The origin and destination of the funds involved.

● Detect persons / entities subject to financial restrictive measures
• In case of the detection of a person, entity or group appearing on a sanctions list, the professional should apply the required restrictive measures foreseen in art. 5 of the amended law of 12 November 2004 and immediately communicate the information to the FIU, to the Ministry of Finance and to the CSSF;
• The controls have to be applied to all clients and their transactions, to the authorized representatives and UBOs

● Activities requiring particular attention
• Any activity which seems, by its nature, to be related to ML / TF and in particular complex or unusually large transactions and all unusual patterns of transactions which have no apparent economic or visible lawful purpose.
• The transactions and persons detected should be documented in writing, including the criteria that led to their detection when the result is positive.
● Keeping up-to-date information
• The on-going monitoring obligation requires the professionals to verify and update the documents and information collected according to the client risk category and within an appropriate timeframe.
! novelty introduced by the 4th and 5th AML directives !
For payment instruments charged with electronic money: possibility to waive most of the customer due diligence requirements. This measure is however limited to low value e-money products (< € 150) and subject to risk-mitigation conditions such as sufficient transaction monitoring.

● Perform due diligence measures according to the identified risk level
● Risk assessment based on the following risk factors:
• Geography
• Activity of the customer
• Type of business relationship: services, products, transactions
• Distribution channel (ESA Guidelines – CSSF Circular 17/661)
• Assets (CSSF Circular 18/698 – CSSF Regulation 20-05)
● Risk mitigation
• Apply appropriate due diligence as per the risk level of the client
● Types of risk factors to be taken into consideration: customer, product, service, transaction, delivery channel, geographical area
• Enhanced focus on the risk assessment and the associated risk based approach (4th and 5th AMLD and CSSF Circular 17/661)

 Define the risk level associated with the client / business relationship
 Acceptance / Validation
 Apply appropriate due diligence measures (when establishing the business relationship or when carrying out an
occasional transaction), based on your risk assessment (to be documented)
• Low-risk situation: Simplified due diligence may be applied
• High-risk situation: Enhanced due diligence must be applied (RR/RC) – see art 9 of the 12-2 Regulation

 False or falsified information/documents given by the customer


 Negative information in the press, ongoing investigations, convictions,… concerning money laundering or
doubtful transactions (source: internet, media, rumours,…)
 Unclear justification given regarding the choice of the institution and/or the purpose of the business relationship
 Unclear information on the origin of funds / wealth
 Opening of accounts for several customers with the same contact details (address, telephone…)
 Indirect suspicion: customer introduced by a person / client / agent who happens to be suspicious (even if
discovered after several years)
 Customer pushing / eager to open an account without delay

The above examples are High risk factors: Circular 17/650, Circular 17/661, appendix 4 of the Law 12 Nov. 2004 as
amended… (non-exhaustive list)

TYPE: CLIENT STRUCTURE AND LOCATION
EXPLANATIONS:
• Client is a legal person or arrangement set up in a jurisdiction that is not subject to AEOI/CRS/FATCA reporting and
the entity has no economic, asset or other reality*
• Client is a company, or uses companies, in which a multitude of statutory changes (unexpected and short-term
changes) have taken place (changing managers, moving the registered office…)
• Client uses companies or legal structures located in a jurisdiction other than the tax residence or place of regular
economic or professional interests of the beneficial owners
• Client uses a complex set-up without clear economic or patrimonial justification which appears designed to conceal
information (i.e. trusts with no requirement to disclose beneficiaries…)
• Classification of a company or legal structure as “Active Non Financial Entity” based on CRS regulation without
the change being justified by the development of the company or legal structure

TYPE: OTHER CLIENT CHARACTERISTICS
EXPLANATIONS:
• Client has moved tax residence from a jurisdiction that is subject to AEOI/CRS/FATCA reporting to a jurisdiction
that is not subject to such reporting, without notifying the professional, potentially in order to escape reporting
• Client has been identified as non-tax compliant in Luxembourg or another jurisdiction

TYPE: CLIENT INTERACTION AND BEHAVIOUR
EXPLANATIONS:
• No face-to-face interaction with the client when opening the account
• Client refuses any form of contact or communication without a valid reason
• Client is not interested in earning a return
• Requests for assistance or provision of services whose purpose could be to foster circumvention of the customer’s
tax obligations
• Lack of professional tax advice to support the tax implications of complex structures

TYPE: DOCUMENTATION AND SOURCE OF WEALTH
EXPLANATIONS:
• Client unwilling to disclose source of wealth or origin of funds
• Insufficient explanations regarding the source of large cash withdrawals or receipts
• Findings of anomalies in documentation justifying transactions, notably atypical or unusual transactions (no
VAT, no invoice…)
• Client refuses to provide tax compliance documentation or information needed for tax reporting in the presence of
indications raising suspicion
• Client cannot confirm that the source of funds has been declared to a tax authority
• Documentation on tax compliance leaving room for doubt was issued by a person close to the final customer, with
a potential conflict of interests
• Client’s organisation structure is not consistent with the documentation recorded on file

TYPE: HOLD MAIL
EXPLANATIONS:
• Request to have hardcopy documents retained for a short time only, or personal collection with long time spans in between
• Hold mail not collected and the client or their beneficial owners have not visited Luxembourg for an extended period
• Unjustified refusal of any contact or unjustified request for hold mail, more particularly if the customer is domiciled in a
jurisdiction not subject to AEOI/CRS/FATCA reporting

TYPE: SUSPICIOUS ACTIVITIES & TRANSACTIONS
EXPLANATIONS:
• Client transfers funds from a country considered risky from the point of view of tax transparency, or resides in a country
which is not subject to AEOI/CRS/FATCA reporting
• Substantial, unjustified increase in movements on a bank account which was until then not very active
• Inconsistency between transactions and business volume / nature
• Frequent & substantial wire transfers from or to geographies without a commercial purpose, or which are considered
risky from a tax transparency perspective
• Commercial transaction at a price which is obviously under- or over-estimated, or inconsistent
• Use of back-to-back loans without valid justification
• Receipt of commissions or payments to foreign companies without commercial activity or without substance

 Customer showing signs of agitation, nervousness


 Customer refusing to provide evidence to support their declarations
 Request to immediately get back originals of documents without authorising the institution to copy them
 Unacceptable pressure on employees: customer referring to close acquaintances with executives in the institution
 Customer requesting strict confidentiality from the employee vis-à-vis his/her reporting line
 Bank references difficult to check / obtain
 Little interest in the charges linked to the account
 Customer encouraging the employee during the visits / telephone conversations to disclose the signatory thresholds for
acceptance of cash transactions
The above examples are High risk factors: Circular 17/650, Circular 17/661, appendix 4 of the Law 12 Nov. 2004 as amended… (non-
exhaustive list)

 Timeline for carrying out CDD measures

1. Professionals must review and update the information on the customer at a frequency and to an extent
consistent with the risk assessment
2. Annually for high-risk relationships
3. Evat the least

 Possibility to apply simplified customer due diligence measures where the professionals identify a lower risk of ML/TF

 Obligation to perform a prior Risk Assessment relating to:

1. Customer risk factors: listed public companies, public administrations or enterprises from countries having low level of
corruption, customers resident in areas of lower geographical risk factors

2. Product, service, transaction or delivery channel risk factors: some insurance policies (life-pension), some financial
product and services (electronic money)

3. Geographical risk factors: Member states, third countries with effective AML/CTF systems and low level of corruption,
third countries (see FATF recommendations)

 Monitoring of the business relationship at all times to ensure all conditions continue to be met (article 3.1 CSSF Law 12
November 2004).

 In any situation that presents a higher risk of ML / TF

 Mandatory at least in the following cases:

• Natural persons or legal entities established in third countries which do not apply, or insufficiently apply, AML/CTF measures

• Cross-border correspondent banking or similar relationships with correspondent institutions in third countries, or in
member states that present a higher risk

• Transactions or business relationships with PEPs (authorization from Senior Management is needed)

The “national” (or “domestic”) PEPs are back in scope. Any PEP is now in scope, without regard to his country of residency
or where he works.

EDD applies to business relationships carrying a higher risk


• obtaining additional information required and a more regular update of the identification data of the customer and of the
beneficial owner(s)
• obtaining additional information on the intended nature of the business relationship
• obtaining information on the reasons for the envisaged or completed transactions
• obtaining the approval of the authorized management to start or continue the business relationship
• the carrying out of the initial payment through an account opened in the name of the customer with another professional
subject to similar due diligence standards
• the verification undertaken with independent and reliable sources of additional information
• a visit to the customer/company or the establishment of contact with the company, notably by registered letter with
acknowledgement of receipt
• conducting enhanced monitoring of the business relationship via an increase in the number and frequency of the controls and
the selection of transaction patterns which require deeper scrutiny

Due diligence performed by third parties
 Third-party introducer – Forbidden if third party is located in a high risk jurisdiction
 Outsourcing
 Ultimate responsibility stays with:
• the professional relying on the third party (for 3rd party introduction)
• the outsourcer (in case of outsourcing)
Further reading:
• ESA Guidelines (2017) points 112, 219 and 222
• FATF Guidelines (2018) points 101, 107 and 110

Law of 12 November 2004 / Luxembourg Company law / GDPR - general public interest

• Keep documentation and information (may be used for AML/CTF investigations by the authorities)

• What should be kept?

− For Customer Due Diligence: copy of the documents required, for 5 years after the end of the business
relationship.

− For business relationships & transactions: supporting evidence and records, consisting of the original
documents or certified copies, for 5 years after the carrying out of the transactions or 10 years starting at the
end of the financial year to which they relate.

GD Regulation of Feb. 2010 – Article 1(5)
• Maintain records of the identification data, account files and of the business correspondence for at least 5
years following the termination of an account or business relationship
• Transaction records shall be able to trace back individual transactions
• It should contain in particular:
− customer's name, beneficiary's name, address or other identifying information normally recorded by the
intermediary
− nature and date of the transaction
− type and amount of currency involved
− type and identifying number of any account involved in the transaction

● Roles & Responsibilities on AML / CTF Obligations

● Key concepts and challenges

● Type of customers

● Regulatory Framework

● Third Party Introducer

● Outsourcing

At Management Company level
 perform initial and on-going due diligence on its clients, investment fund initiators, investment funds and, where relevant, on the portfolio managers and advisers, as well as
implementing appropriate and proportionate AML/CTF policies and procedures on behalf of the UCI, including the supervision of delegated and outsourced functions such as, but not limited
to, the central administration function and the distribution network.
 when delegating the investment management function, must verify that relevant procedures and policies addressing AML/CTF risks relating to portfolio transactions are in place at
delegate level – such obligation is in particular relevant in case of alternative investments and illiquid asset classes. In compliance with the article 3 of the CSSF Regulation 12-02 the
UCI or its ManCo shall ensure enhanced due-diligence measures on intermediaries who are investing on behalf of their clients are implemented.
At Transfer Agent level
 maintain the share / unit register of the UCI and to perform the AML / CTF controls on behalf of the UCI under the supervision of the Management Company when one is appointed.
 even if the TA must comply with its own legal obligations and may decline to process an investor onboarding if it is prevented by its own policies, it still has the obligation to operate
under the ultimate responsibility of the Fund, or of the ManCo if one is appointed (notwithstanding its own responsibility).
At the Investment Manager level
 is granted a mandate by the fund promoter to invest into assets on behalf of the relevant Fund within a scope as defined by applicable laws and its constitutive documents (e.g.
prospectus or private placement memorandum).
 must ensure accordingly that the financial crime risks associated with those securities invested into by the relevant UCI are appropriately mitigated (this being in particular applicable
in the alternative investment universe).
At Compliance level
 the main role of the Compliance Officer at the ManCo and TA level, from an AML/CTF risk perspective, is the determination of key measures and processes that allow such AML/CTF risks
to be managed appropriately and proportionately, with a view to operating efficiently and ensuring a smooth day-to-day operational framework.
 As part of the measures allowing the Compliance Function at the level of the TA and the ManCo to identify, assess, monitor and manage their exposure to financial crime risks, it is
required to perform a self-assessment of such AML/CTF risks in accordance with the type, size and nature of the activities and business model, the types of products and services
offered, the transactions types, the delivery channels and the geographical areas.

Some Definitions

 Customer: any person acting as an investor, intermediary, distributor for the account to be opened or maintained. The
customer is always the one appearing as the registered owner in the share register of the fund.
 Intermediary: Legal entity who acts on behalf of its customers, is obliged by the law to perform AML/CTF controls on such
customers and is supervised by a public supervisory authority.
 Distributor: Intermediary appointed for the distribution of shares or units of Investment Funds

Operational set-up for Intermediary

 Intermediary can operate under an omnibus (Intermediary/123) or segregated account (Intermediary/underlying customer).
 Where an intermediary is not regulated but part of a supervised financial Group (in a low-risk country), provided a parent
company representation letter is on file, the intermediary due diligence is also applied on the parent company.

Challenges

Enhanced Due Diligence
 For whom?
 In which context?
 What does it mean in practice?

Operational set-up
 Omnibus vs segregated account
 Understanding of the intermediary customer base

Reliance vs look-through
 What does it mean and in which context
 Define the risk appetite and risk based-approach

Information upon request
 At intermediary level?
 At underlying level?
 Until the end-UBO?

Governance
 Define the role and responsibilities between the stakeholders

Intermediary:
1. Art 3-2 (3) of the Law of 2004 regarding cross-border correspondent and other similar relationships with respondent institutions in third countries, defining the Enhanced
Due Diligence obligations professionals have to fulfill prior to entering into a relationship with such a client
2. Article 3 of CSSF regulation 12-02, where the units or shares of a Fund are subscribed through an intermediary acting on behalf of its customers, the customer due
diligence measures to be put in place for this intermediary should be applied pursuant to the terms of Art. 3-2(3) of the Law of 2004
3. Art.29 of the CSSF regulation No.12-02, also states that relationships established for securities transactions and fund transfers by a professional acting on behalf of its
customers should be considered as a “similar relationship” to a cross-border corresponding banking relationship as defined in Art.3-2(3)
4. Art 305 of CSSF circular 18/698, “the IFM must follow the Guidance for the Securities Sector issued by the FATF”
Art 310 of CSSF circular 18/698, “the UCI, its IFM or where appropriate the respective proxies of these professionals must put in place EDD measures on intermediaries
subscribing units on behalf of its clients”
5. EBA/ESMA/EIOPA guidelines, Art 219 b “a firm that, as part of its economic activity, directly purchases units of or shares in its own name and exercises control over the
investment for the ultimate benefit of one or more third parties who do not control the investment or investment decisions”
6. Art 219 c “a firm, for example a financial intermediary, that acts in its own name and is the registered owner of the shares or units but acts on the account of, and pursuant
to specific instructions from, one or more third parties (e.g. because the financial intermediary is a nominee, broker, multi-client pooled account/omnibus type account
operator or operator of a similar passive-type arrangement)”
Art 222 “intermediary will provide CDD information and documents on the underlying investors immediately upon request (contract and/or sample testing)”
7. FATF guidance for securities sector: Art 99 “When determining the type and extent of CDD to apply, a securities provider should be clear as to whether its customer is
acting on its own behalf or as an intermediary on behalf of its underlying customers”
8. Art 101 stipulating that securities providers should obtain and the intermediary should provide information about the intermediary’s AML/CFT controls, including
information regarding the intermediary‘s risk assessment of its underlying customer base and its implementation of risk mitigation measures
Art 106 to 113 stipulating that for correspondent banking and other similar cross-border relationships, financial institutions should apply criteria (a) to (e) of article 3-2 (3) of
the Law of 2004

[Diagram: Financial Institutions / Intermediaries either instruct the UNDERTAKING FOR COLLECTIVE INVESTMENT to buy or sell shares/units, or have a
discretionary portfolio management mandate; investors buy or sell shares/units in direct; the UCI Register (registration of share/unitholders) is kept at
Transfer Agent level]

• CDD measures will depend on how the customer or the investor comes to and is registered in the fund
• Obligations applicable to the IFM according to the manner in which the relationship with intermediaries and the TA function is
organized (art 321 CSSF circular 18/698)
• Article 219 of the EBA/ESMA/EIOPA guidelines
• Key question to ask: Is the customer investing on its own or on a third party’s behalf? (Art 17 of CSSF regulation 12-02)

Know Your Intermediary concept versus Know Your Client
Context: Art 312 of the CSSF circular 18/698 stipulates that where the exercise of some AML/CFT tasks is delegated to a third party, notably the
transfer agent, the IFM is not exempt from its AML/CFT responsibility. This is also applicable to intermediaries

Establish Written agreement
• Clearly defining role and responsibilities of each party at the TA level
• Clearly defining role and responsibilities of each party regarding the marketing intermediaries (including sub-delegation)
• IFM should ensure that a proper distribution agreement is in place with a reliable AML/CTF clause, including but not limited to
the access, without delay and upon request, to the relevant identification data of clients for intermediaries which ensure the
marketing and act on behalf of clients

Perform initial & periodic review
• DD on intermediaries as laid down in article 328 of the CSSF Circular 18/698 (Know Your Intermediary: type of intermediary,
info to understand the nature of the intermediary, documentation, distribution channel, country risk)
• Assessment whether the intermediary ensures at all times the compliance with the subscribed commitments, notably the
respect of the communication, without delay and upon request, of relevant identification data of clients
• Written critical analysis and assessment of the AML Control framework based on reports such as the ISAE report at the TA
level, the LFR at the funds’ level or Management letters, or AML Questionnaires (i.e. detailed Wolfsberg Questionnaire, own
AML questionnaire) or AML Policies & Procedures, including on-site visits

Ensure Ongoing Monitoring
• Implement control arrangements / mechanisms, define KPI and KRI, which allow the IFM
 to access the data documenting the activities exercised by the distributor / transfer agent
 to monitor the activities of the delegate, such as having for example a good overview and understanding of the type of
customers investing in the fund and the controls performed by the delegate
• Be involved in decision-making concerning new countries of registration, regular Financial target sanction screening,
monitoring of the compliance with their AML/CFT obligations

What factors do professionals have to keep in mind regarding cross-border intermediaries?
• Key risk area in Luxembourg is cross-border distribution from EU and non-EU countries, with high volumes of
transactions and rapid flows
• Investment sector considered as high risk (supra-national risk assessment + national risk assessment): high market
fragmentation in terms of number of providers and intermediaries, the international nature of business and also
the high volume of retail and institutional investors

Determine the level of risk of your financial intermediary (use of key risk factors and variables)
• Who is your intermediary (type, geographical location,…)
• Is the intermediary investing inside or outside the EU?
• Consider the type of fund (UCITS versus NON UCITS)
• Is it investing on its own or on a third party’s behalf (discretionary portfolio management versus order transmission /
respondent relationship versus third party introducer)?
• What are the volumes/AUM (high volume = high risk indicator)?
• Does the structure favor anonymity (high risk indicator)?
• Is there a limited number of investors (high risk indicator)?
• Additional searches (internet) to better inform the intermediary risk profile
• Carrying out additional searches focused on financial crime risk indicators (negative news screening) to better assess
the investor risk profile

Even when CDD is the responsibility of the intermediary, an understanding of the intermediary’s customer base can often be a
useful element in determining the risk associated with the intermediary itself – the level of understanding obtained should be
tailored to the perceived risk level of the intermediary

What has to be done
• At the intermediary level: perform adequate due diligence measures and request KYC documentation on the intermediary
based on the level of risk assigned
• At the relationship level with the intermediary (EDD measures): request sufficient information from your intermediary to
assess the AML framework.
• The concept of pure reliance (on AML letters) does not exist anymore
• Assess the AML framework
• Have an understanding of who the underlying investors are. Depending on the level of risk, have a look-through on the
underlying investors
• All information provided has to be assessed
• Depending on the way the customer is registered in the shares/unitholders register, if the name of the underlying
investor is mentioned, it has to be screened
• Review your intermediary relationship on a regular basis

Requirements / How to mitigate the risk? / Examples

Intermediary itself
How to mitigate the risk?
 Adequate Due Diligence Measures
 2 levels of Due Diligence
Examples:
 Due Diligence measures on an RBA on the intermediary itself

EDD / AML Control framework
How to mitigate the risk?
 Making a request for information on any particular transaction, possibly leading to more information being
requested on the underlying customers of the intermediary on a risk-sensitive basis
 AML Letter / Questionnaire
 AML Policies & Procedures
 On-site visits
 Sample testing
Examples:
 Obtaining a breakdown per investor type, jurisdiction, residual risk rating, level of DD performed, PEP, SOW/SOF…
 Requesting additional information on the transaction, number of investors behind the transaction…
 Requesting specific wording in the AML letter in order to have information upon request on the underlying
customer/end-UBO
 Requesting the methodology of the country risk rating
 Reviewing the AML framework of the intermediary and reviewing the underlying customer file
 Requesting additional information on the underlying customer
 Evidence the application of EDD measures on cross-border intermediaries at the level of the IFM or of the
delegate, for instance through a summary sheet detailing the documents collected and the conclusion of the
analysis

Risk Based-Approach & Risk Appetite
How to mitigate the risk?
 Design a risk based approach & a risk appetite dedicated to intermediaries
Examples:
 Reliance / Look-through / Prohibited
 Limit the number/% of certain intermediary types
 Limit/refuse the omnibus account
 EU, FATF country

Governance
How to mitigate the risk?
 Formalize the approval from senior management for EDD.
Examples:
 Assessment should be documented, regularly updated and communicated to the relevant senior management
through an escalation process for information and/or validation

Third party introducer


• Acceptable provided that the third party:
- applies customer due diligence and record keeping requirements as laid down in this law or in Directive 2015/849
- is compliant with the requirements of this law or equivalent rules applicable to them, and supervised in accordance with Section 2
of Chapter VI of that Directive
- will provide immediately information and a copy of the identification and verification document as well as any other relevant
document upon request.
- The previous situation where credit and financial institutions were de facto considered as third parties under the definition no longer
applies
• Appropriate DD on the third party to determine whether reliance can be placed on the AML/CFT risk and control framework
• Prior to the introducer's intervention, verification that it complies with the above definition + regular review to ensure that the third
party still meets the requirements
• End of third country equivalence and implementation of new blacklist Delegated regulation (EU) 2016/1675
• Reliance on third party for performing some elements of initial CDD (identification of the customer, identifying and taking reasonable
measures to verify the identification of beneficial owner and understanding the purpose and intended nature of the business
relationship)
• However, it may not rely on such parties to perform ongoing monitoring, ongoing DD and the scrutiny of transactions
• A third party may not, under any circumstances, be established in a country which does not apply or insufficiently applies the
measures for the fight against money laundering and terrorist financing
• Ultimate responsibility remains with the professional who relies on the third party (delegate the task but not the responsibility)

Outsourcing
• The outsourced entity conducts CDD on behalf of the professional, in accordance with the procedures of the
professional and under its instruction
• The professional may also outsource ongoing monitoring and transaction monitoring (agreement with roles and
responsibilities)
• Ultimate responsibility for CDD and/or ongoing monitoring remains with the professional, who cannot delegate that
responsibility

Residence – FATCA/CRS (“RFC”)

No contact
 The Client refuses contacts (especially when he is resident in a country not subject to CRS/FATCA)

Tax evasion services
 Request for services connected with tax evasion

Nominee shareholder
 Use of an intermediary nominee to dissimulate the identity of the BO

Entity without economic substance
 Legal entity without economic substance resident in a non FATCA/CRS jurisdiction

Geography & conflict of residence
 The file contains contradictions concerning the client’s tax residence.
 Legal entity incorporated in a foreign jurisdiction (not compliant with client/BO tax residence laws)

Change of tax residence
 Change for a non CRS/FATCA reporting country

Active NFE status
 Unjustified status

Transactions

Client activities/wealth & Business profile
 Transactions are incoherent with client activities/wealth or in a VAT-fraud-sensitive sector
 Incoherence between turnover and movements on bank accounts

Cash withdrawals/deposits
 Unjustified cash withdrawals

Supporting documentation
 Incoherent documentation

Dormant account
 Reactivation

Tax transparency – High risk jurisdiction
 Funds received from high risk countries

Mixing personal and Professional accounts
 Numerous transactions mixing personal and professional accounts

Service without economic reality
 Commission received from or paid to foreign entities without substance or commercial activity

Structure & Information (“S&I”)

Changes of articles of association
 Changes without economic justification

Complex structure
 Using a complex structure without economic rationale

Supporting documentation
 Incoherent pricing

Back to back loan
 Use of a back-to-back loan without economic rationale

Tax transparency – High risk jurisdiction
 Doubt on a tax document

Tax Compliance status
 Refusal to provide the compliance status

Collective Investment Activities (“C,I,A”)

Complex investment structuring
 One or more legal investment structures interposed between the client and the ultimate target investment, located in
different jurisdictions, some of them not complying with international transparency standards

Investor tax reporting
 Absence of tax reporting provided by the UCI in countries of distribution for which such investor tax reporting is required

Tax base erosion
 Significant decrease of the investment fund manager’s taxable earnings by using cross-border transfers or intangible
assets (e.g. goodwill) that are not TP compliant

Supporting documentation
 Incoherent pricing
 The Client is not in possession of adequate and sufficient information on the quality and status of the investors in order
to complete its subscription tax return

Investment Transaction
 Unregulated markets where the economic beneficiaries of the counterparties to the transaction and/or their intermediaries
are located in a jurisdiction not subject to AEOI / CRS / FATCA reporting or which presents risk factors
 Transactions do not have an apparent economic rationale in a specific context (e.g. Private Equity / Real Estate)
 Frequent transactions result in losses for which the professionals or the counterparty appear to have no concern.

Portfolio Management / SICAR
 PM: Client is involved in securities lending transactions which may create tax arbitrage or tax refunds that have been or
could be considered as aggravated tax fraud/tax evasion
 SICAR: The SICAR does not invest in securities representing “risk capital”

5 – Adequate Internal Organisation

 AML/CTF policies and procedures

 Persons responsible for AML/CTF (RR/RC)

 Controls in place

 Recruitment, Training and Awareness

Professionals are to establish adequate and appropriate policies and procedures (Art. 4 of the law of 12
November 2004 as amended and CSSF Regulation 12-02):
 Establish customer due diligence, reporting, record keeping, internal control, risk assessment, risk management,
compliance management and communication.
 Communicate and implement the relevant policies and procedures (where applicable) to branches and
subsidiaries.
 Take appropriate measures to train and raise the awareness of employees, to assist them in recognizing
transactions that may be linked to ML/TF and in knowing how to proceed in such instances.
 Have systems in place enabling them to respond fully and rapidly to enquiries from the Luxembourg
authorities.

 Board of Directors

 Authorised / Senior Management (“Direction autorisée”)

 Chief Compliance Officer

 Employees

 Everyone is responsible!

In accordance with Article 4(1) of the Law of 12 November 2004 as amended, above-mentioned professionals
must appoint:
 a member from their management body, responsible for compliance with professional obligations in the fight
against money laundering and terrorist financing (responsable du respect des obligations, hereafter referred to as
RR), and
 if the size and nature of the activity so requires, a compliance officer at appropriate hierarchical level
(responsable du contrôle du respect des obligations, hereafter referred to as RC).
Investment Funds and Investment Fund Managers are legally required to appoint both an RR and an RC.

42
 Performed by 1st and 2nd line of defense and supported by adequate systems

• On-going due diligence (business relationships, name screening, transaction monitoring)

• Inquiries and Reporting

• Risk assessment / scoring and review

 Internal Audit

• AML/CTF policy to be controlled by Internal Audit

• Annual report to Authorized Management and Board of Directors (or to specialized committee) on AML/CTF
assessment and compliance

 Recruitment
• Know-Your-Employee (e.g. extract of criminal record)
• Specific checks on certain persons (Compliance, Authorized Management)
 Training
• For all employees, when they start and on-going
• Tailor-made to employees facing higher ML/TF risk operations / clients
• Case study in line with the risk assessment
• Track record
 Awareness
• Keep employees aware of new trends and ML/TF techniques (regular meetings, documentation, newsletters,
real cases…)
• Program up-to-date with legislation
• Point of Contact

43
6 – Cooperation with the Authorities

Professionals, their directors and employees have the obligation to cooperate fully with the Luxembourg
authorities responsible for combating money laundering and terrorist financing without prejudice to the
obligations to which they are subject towards the CSSF (if applicable)
(Art. 5 of the law of 12 November 2004 as amended and the FIU Circular 22/10).
What does it mean?
1. Inform the Financial Intelligence Unit (active cooperation)
• with no delay
• on their own initiative,
• when they know, suspect or have reasonable grounds to suspect that money laundering or financing of terrorism
is being or has been committed or attempted, be it by reason of the person involved, its evolution, the origin of
funds, the nature, the objective or the modalities of the transaction

44
2. Declare suspicions : Professionals have neither an obligation to actively investigate such facts nor to verify
whether such facts are sufficiently conclusive to be used as the basis for an investigation, nor to qualify the
criminality of their suspicions nor to prove their exactitude. In case of AML/CTF suspicion a Suspicious
Activity/Transaction Report (SAR/STR) must be filed (electronically through the tool “goAML”)
3. Provide all information required immediately upon request. (Passive cooperation)
4. Refrain from carrying out the suspicious transactions : in cases of AML/CTF suspicion, professionals have the
legal obligation to refrain from carrying out the related transaction(s) before having informed the Public Prosecutor.

Law of 12 November 2004 as amended - Article 5 (3)

The Public Prosecutor may block one or several suspicious transaction(s), although only for a maximum period of 6
months, or decide other types of “ad hoc” measures (report movements on the account(s), request client to
contact the Public Prosecutor’s office at next contact, etc.)

Implementation of the 5th AML directive: blocking period can be prolonged “until further notice”

45
Request for mutual assistance
● As a general rule, requests for mutual assistance and communications are made directly between judicial
authorities with territorial competence.
● Urgent requests may be made via Interpol or anybody competent under provisions introduced pursuant to the
Treaty on European Union.
● Spontaneous exchange of information (i.e. without prior request) may take place between Member States
regarding criminal offences and administrative infringements. The punishment or handling of which falls within
the competence of the receiving authority.
● “Commission Rogatoire Internationale”(Rogatory Letters): To be previously validated by Luxembourg authority
before executing. Used for legal or judicial assistance, sent by the central authority of one country to the central
authority of another country usually through the courts, when seeking evidence or judicial assistance from the
other jurisdiction. They can be used in money laundering cases.

“Tipping off” is forbidden:


Professionals are not allowed to disclose to the customer or to other third parties that information was transmitted
or is about to be reported to the Luxembourg authorities, or that an investigation is ongoing or may be carried out.
Exceptions to the no tipping-off rule
a) intra-group disclosures, subject to compliance with certain requirements
b) between Professionals in cases related to the same customer and the same transaction under specific conditions.
Further reading:
Guidelines of the CRF (1/11/2018) – article 6.1

46
What is a suspicion?
● Suspicion could be defined as an unfavorable opinion about someone or their behavior, based on indications,
impressions or intuitions, without any tangible evidence.
● It could be considered as an appreciation or perception, which is highly subjective because it is built upon a
collection of impressions and the level of experience of the individual; it will then be subject to change
depending on the individual's ability to assess the elements brought to his/her attention.
● When a doubt arises or a question is left unanswered, it must be cleared up. If there is no satisfactory outcome, it
becomes a suspicion.

Financial Intelligence Unit (FIU)’s position is clear:


● The professional does not need to have a proof of money laundering or terrorist financing, any suspicion must
be reported.
● The suspicion can originate from a fact (relating to an individual or the source of its assets) and/or a transaction
(nature, objectives or modalities).
● Whenever the professional has such suspicion, (s)he is legally obliged to report it to the FIU.

 (FIU/CRF Circular 22/10 + CRF Guidelines 2018)

47
● Unusual and suspicious transactions from an economic point of view, or with an illicit goal
● Countries, amounts, circuits…
● Complex transactions: understand the need for complexity
● Large amounts
● Illegitimate transactions compared to what we know about the customer
● Concomitant in/out transactions, that are not really plausible
● Customer proposing transactions outside the usual scope of activities of the institution
● Dormant accounts suddenly activated without plausible reasons (always ask past/present/future : why was it dormant, why woken up,
what are the intentions)
● Atypical customer behavior, failure to provide documentary evidence, implausible explanation or false declaration about the origin of
the assets
● Sophisticated transactions/structures without economic justification
● Information on ongoing criminal investigations or judgment revealed by the press, information provided by some private database, in
rare cases after a reputation inquiry done by a private company
● High risk transactions (client’s country of origin, sophisticated patterns, etc.)
● Cashier’s desk transactions (multiple cash transactions within a short period of time, deposits done by different individuals on the same
account, etc.)
● Aggravated suspicions (multiple accounts closing and opening, request to use an internal bank account to perform a transaction, etc.)

• (1) The customer is a legal person or a legal arrangement set up in a jurisdiction that is not subject to AEOI/CRS/FATCA reporting and this “entity” has no economic, asset or other reality
• (2) The customer is a company or uses companies in which a multitude of statutory changes (unexpected and short-term changes) have taken place
• (3) The use of companies or legal structures located in a jurisdiction other than the tax residence or place of regular economic or professional interests of the beneficial owner
• (4) Completion of a commercial transaction at a price that is obviously under-estimated, over-estimated or inconsistent.
• (5) Findings of anomalies in the documentation justifying the transactions, and notably atypical or unusual transactions
• (6) The customer’s refusal to provide the tax compliance documentation or information needed for tax reportings or the presence of indications raising suspicions regarding fiscal
• (7) Substantial increase, over a short period, of movements on banking account(s) which was (were) until then scarcely active or inactive, without this rise being justified, notably by a verified development of economic or business activities of the customer.
• (8) Observation of inconsistencies between the business volume (e.g. based on company accounts) and movements on bank accounts.
• (9) Substantial and/or irregular transactions linked to professional activities on personal/private accounts.
• (10) Payment or reception of fees to or from foreign companies without business activities or without substance or link between the counterparties and whose purpose seems to be economically unjustified re-invoicing.
• (11) Classification of a company or legal structure as “Active Non-Financial Entity” based on CRS regulations and without the change being justified by the development of the business of the company or legal structure.
• (12) Requests for assistance or provision of services whose purpose could be to foster circumvention of the customer’s tax obligations.
• (13) Use by the customer of complex structures without economic or asset purpose
• (14) Unjustified refusal of any contact or unjustified request of hold mail and more particularly if the customer is domiciled in a jurisdiction that is not subject to AEOI/CRS/FATCA reporting
• (15) The transfer of funds from a country that according to the professional could be considered as being risky from a tax transparency point of view.
• (16) Inconsistent information available to the professional concerning the tax residence of the customer.
• (17) Use of so-called back-to-back loans, without valid justification.
• (18) Move of the tax residence from a jurisdiction that is not subject to AEOI/CRS/FATCA reporting to a jurisdiction that is subject to such reporting without notifying the professional, in order, potentially, to escape reporting.
• (19) Financial transactions that are inconsistent with the usual activities of the customer or with its profile or with the asset situation stated by the customer or suspect operations in sectors that are prone to VAT or other tax fraud, in a generally cross-border context.
• (20) Withdrawal or deposit of cash that is not justified by the level or nature of the commercial activity or known professional or asset situation.
• (21) Documentation on tax compliance leaving room for doubt as it was issued by a person close to the final customer and there being a potential conflict of interests.

48
7 – Payer Payee

Obligation introduced by the Regulation (EU) 2015/847 on information accompanying transfers of funds

 This regulation repeals Regulation (EC) No 1781/2006, which was related to the information about the payer
only. Entry into force with the 4th AML directive (June 2017) aiming at enhancing the traceability of transfers
(fight against terrorism financing).

 For every transfer, the payment service provider must provide the name of the payee and the payee’s
payment account number (in addition to the payer data).

 More detailed technical provisions regarding transfers of funds both within and outside the EU. Within the EU,
the transfer will have to be accompanied by at least the payment account number of both the payer and the
payee. Upon request by the service provider of the payee, the service provider of the payer will have to provide
further information for transfer of funds of more than EUR 1.000 (name, nationality and address of the payer).

49
8 – Case studies

 2 persons come to your bank to open an account for each of them. One month later, each of them asks for a
loan to buy a car.
 In order to provide some guarantee on these loans, they provide a copy of their payslip and working contract.
The employer of both persons is a company based in Luxembourg.
 As part of your due diligence controls, you cannot find any trace of such a company and cannot reach anyone
at the number and address provided for the employer.
 You call back your new clients, who tell you that the company has just been created but is not yet registered
on the public trade register website.
 However, during the next 3 months, the salary is still paid on a monthly basis into the clients’ accounts.

Question : What do you think about this situation and what do you do?

50
 One of your clients has had an account with your bank for 3 years. The customer service department raises to you –
as a Compliance Officer – that this client’s mail has been returned to the bank for 2 months, even though
there is still some activity on the account.
 Looking at the client profile, the client is a man, married and he has 3 children.

 Looking at the transactions, the only operations are:

• unemployment and government subsidies monthly inflows, and

• outflows such as cash withdrawals by using an ATM located in a neighboring country.

Question : What is your view on this situation ?

 You receive an internal report from the head of cash desk explaining that one of your clients, Mr. Zen (80 years
old), has had an account open with your bank for more than 20 years.
 He came to the bank together with a young man, Mr. Joy, and they have asked to withdraw € 50,000.
 The cashier has refused to give such an amount in cash because no valid explanation was provided. So Mr. Joy
has requested to have those funds transferred to his personal bank account (account held at the same bank but
opened 2 months before) and mentioned that Mr. Joy is indeed his grandson. The explanation given about the
purpose of the transfer is the purchase of a car.
 He has asked to keep this transaction secret and to not mention it to Mr. Joy’s stepmother. She is co-account
holder and only 1 signature is required.
 The transfer is executed as requested. Mr. Joy has also an account open in your bank.
 One week later, Mr. Joy comes back (alone) to the bank and asks to withdraw € 10,000 in cash and to prepare
the same cash amount to be withdrawn next week.
Question : What do you do and/or recommend ?

51
 One of your clients receives payments on a monthly basis on his personal account that are coming from various
companies, which are not his employer.

 The team in charge of transaction monitoring finds out those companies are service providers in the same field
of activity as that of his employer.

Question : What action do you take on this situation ?

 Mr. Ben is CEO of the Zoo Group, with 14 branches worldwide.


 Mr. Ben has been Home Secretary in an unstable country.
 Mr. Yup is general manager of Win, a foreign company registered in a low tax jurisdiction.
 Company View is a branch of the group Zoo.
 Company Win has signed a sale agreement with Mr. Ben, to sell him a real estate property for EUR 10 million.
 In order to make the purchase, Mr. Ben has transferred EUR 1 million to the notary’s account. The money has been
transferred from the foreign account of the branch of the Zoo group.
 The day before the completion of the transaction, the sale is canceled and Mr. Ben requests the money to be
returned to an account belonging to him in a foreign country.

 How should the notary react?


 Analyze this situation and point out the «red flags»

52
 Several private customers obtain consumer loans by using fake documents

 The monies have been transferred to the accounts of jihadist family members

 The money was withdrawn in cash and shipped to Turkey via a transfer operator

 In Turkey, individuals mandated by the Islamic State are responsible for channeling the funds to the real
beneficiaries

 Prepaid cards are bought in a foreign country via Internet to pay the various stakeholders

 What red flags do you identify?


 Discuss the possible controls that could / should be put in place.

Q&A

Thank you for your participation!

53
05/05/2021

The support includes documents prepared by the ABBL

1

1. Introduction

2. Clients Services
3. Market Organisation
4. Governance
5. Case Studies

2

⏷ MiFID I: Directive 2004/39/EC on markets in financial instruments. Luxembourg Law of 13 July 2007
⏷ MiFID II aims to reinforce the rules on securities markets in various areas notably by:
• ensuring that organised trading takes place on regulated platforms
• introducing rules on algorithmic and high frequency trading
• improving the transparency and oversight of financial markets
• enhancing investor protection and improving conduct of business rules as well as conditions for competition in the
trading and clearing of financial instruments
• introducing a harmonised commodity position limits regime
• strengthening the protection of investors by introducing requirements on the organisation and conduct of actors in
these markets

⏷ MiFIR complements MiFID II by setting out requirements on:


• the disclosure of data on trading activity to the public
• the disclosure of transaction data to regulators and supervisors
• the mandatory trading of derivatives on organised venues
• the removal of barriers between trading venues and providers of clearing services to ensure more competition
• specific supervisory actions regarding financial instruments and positions in commodity derivatives

Objective of MiFID II is to make European financial markets more transparent and to strengthen the investor
protection (weaknesses revealed by the 2008 financial crisis)

Why MiFID II: three drivers

Planned (planned from the beginning)
 MiFID I has foreseen an assessment and a possible revision in light of the evolution of the market practices (review clauses)

Financial Crisis (respond to the financial crisis)
 Strengthen transparency and improve functioning
 Improve oversight and supervision
 Meet G20 targets for derivative market reform
 Strengthen investor protection

Failures (to improve MiFID I)
 Complement the scope in terms of financial instruments
 Address the changes in the market structure and technology
 Address the failures of MiFID (market structures, local discretions, definition and standards, etc.)

10 years after a major financial crisis…


Need for a comprehensive European single rule book applicable to financial institutions and financial instruments

3

European Regulatory Framework


• Directive 2014/65/EU of 15 May 2014 (MiFID II)
• Commission Delegated Directive (EU) 2017/593
• Level 2 measures under MiFID II
https://ec.europa.eu/info/sites/info/files/mifid2-level-2-measures-full_en.pdf
• Regulation (EU) N°600/2014 (MiFIR)
• Level 2 measures under MiFIR
https://ec.europa.eu/info/sites/info/files/mifir-level-2-measures-full_en.pdf
• MiFID ITS and RTS overview table
http://ec.europa.eu/finance/securities/docs/isd/mifid/its-rts-overview-table_en.pdf
• ESMA guidelines and FAQs
Luxembourg Regulatory Framework
• Luxembourg Law of 30 May 2018 on Market in Financial Instruments
• Grand-ducal Regulation of 30 May 2018 on protection of financial instruments and funds belonging to
clients, product governance obligations, rules on fees, commissions and benefits
• CSSF Circulars and CSSF FAQs

⏷ 2 texts, 220 pages (level 1): a Directive and a Regulation
⏷ 5500+ pages when considering ESMA publications…

Main topics:
 Responsibility of Management
 Inducements
 Product Approval
 Suitability & Appropriateness
 Best Execution
 Etc.

MiFID II
• Amendment to the Markets in Financial Instruments Directive ("MiFID"): MiFID Recast Text
‒ adapted MiFID Level 1: quite general, supported by implementing standards (Levels 2 and 3)
‒ rather focused on investor protection (conduct of business rules), but not only
‒ transposed into national law
• Adoption of a new regulation, known as "MiFIR"
‒ new regulation, focus on all matters where harmonization is critical, i.e. market organization and
transparency: rather technical, will be complemented by RTS*
‒ Part of a wider “rule book” with other regulations
‒ Includes also aspects of supervision
‒ direct effect without any need for local implementation

MiFIR covers notably:
 Pre-trade transparency requirements for trading venues, for equity, non equity, granting of waivers, etc.
 Post-trade transparency and publication of quotes
 Transaction reporting
 Derivatives: trading, CCP, etc.

4

 Evolution of MiFID, with a strong emphasis on markets

Diagram (simplified view): links between MiFID II and the neighbouring texts

MiFID II (3 Jan. 2018): Consumer Protection + Market Transparency
 Conduct of business
 Market organization
 Customer protection continued in PRIIPs
 Market transparency continued in EMIR
 Insurance continued in IDD

IDD (Law 10 Aug. 2018): finally ejected out of MiFID, to be dealt with in its own directive but with similar principles; product governance shared between MiFID, PRIIPS and IDD

EMIR (4 Jul. 2012)
 OTC derivatives trading and clearing, where trading is expected from MiFID II
 Market efficiency
 Trading obligation, necessary in EMIR, implemented by MiFID/R (G20 objectives reached by the combination of both)

PRIIPS (31 Dec. 2016)
 Consumer protection
 Marketing process, shared with MiFID II
 Establishes the KID, also used for MiFID II

And other links with UCITS V, AIFMD, MAD2, CRD, etc.

• Scope, means, responsibilities: a typical value chain in banking (Source: EY analysis; high-impact areas highlighted on the original slide)

Supervisory Authorities (oversight of the whole chain)

Marketing
• Instruments in scope
• Information to clients
• Product governance

Sales & Client Acquisition
• Information to clients / Marketing
• Client categorisation
• Client profiling
• Client agreements

Provision of Services
• Suitability and appropriateness
• Inducements
• Product governance

Market Execution
• Best execution
• Execution chain / status
• Client order handling

Reporting
• Reporting to clients
• Transaction reporting
• Pre-Post trade Transparency

Assets Safekeeping
• Client assets safekeeping

Governance
• Conflicts of interests • Complaints handling • Business continuity • Compliance, Internal Audit, Risk Management
• Senior Management • Personal transactions • Organization / Procedures • Outsourcing
• Records keeping

5

⏷ From a compliance perspective, MiFID II impacts the following areas:


• Client Categorisation
• Client Profiling
• Appropriateness
• Suitability
• Independent # non-independent advice
• Best Execution
• Information to Clients
• Reporting
• Governance
• Supervision and Sanctions

1. Introduction
2. Clients Services

3. Market Organisation
4. Governance
5. Case Studies

6

Client categorisation
 Same definition and principles + New requirements
 Same conditions opt-in/opt-out (Annex II)

RETAIL
 Same definition, same principles (category by default)
 Municipalities and local public authorities (new)

PROFESSIONAL
 Same definition, same principles
 Excluding municipalities and local public authorities (new)

ELIGIBLE COUNTERPARTY
 More information to provide (e.g. financial instruments and risks, execution venues, costs and charges etc.) (new)
 New reporting obligation (mutual agreement) (new)

(Opt-in/Opt-out between the categories; the level of PROTECTION depends on the category)

Client profiling
 No major change
 Client profiling is based on the following criteria
• Knowledge and Experience
• Financial Situation
• Investment Objectives
• Risk tolerance / appetite (new)
 Responsibility of the financial institution only
• Reassessment on an annual basis (at least)
 Client signature required

7

Table: profiling elements per client category. Columns: Knowledge and Experience; Financial Situation; Objectives; Risk Tolerance.
Rows: Retail client; Professional on request (Elective professional), marked “To be assessed *”; Professional per se, marked “Assumed” in two of the columns.

* Two of the three below criteria to be met:
- 10 big transactions per quarter during the previous year
- level of assets at least € 500k.
- at least 1 year experience in field of financial investments

General principles
 3 main provisions
 Information about advisory
• Before advice : nature, type of service (independent versus non-independent + broad/more restricted analysis + periodic
assessment of the suitability
 Information about instruments (slide 18)
• To clients or potential clients - before the provision of investment services or ancillary services - general description of
the nature and risks of financial instruments - client’s categorisation (retail client, professional client or ECP).
• To explain the nature of the specific type of instrument, its functioning and performance in different market conditions
(positive and negative conditions)
 Information about costs
• All costs and charges + aggregated + regular basis (at least annual basis)
• Ex-ante : calculated figures / comprehensive form-standardized format
• Ex-post : personalized / annually and aggregated (in EUR and %), incl. inducements
• Prof + ECP: possibility to agree on a limited application

8

Specific protection for clients under discretionary management


 Client delegates asset management under a “framework agreement” defining applicable rules/boundaries/objectives

 As the client is no longer “master” of the investment decisions, rules are similar as for independent advice (ensure that
management is done solely in the investors’ interests):
• No retrocessions, or pass all to client (beware of management)

• Robust investment methodologies

• Transparent strategies and asset allocations (to be known by clients before agreement)

 More information in the Instruments / Risks

 Whether the instrument is intended for retail or professional clients
 Appropriate guidance and warnings of risks
 Information about the functioning and performance in different market conditions, incl. both
negative and positive conditions
 Specifically address the risk of financial instruments involving impediments or restrictions
for the disinvestment (e.g. case for illiquid financial instruments or financial instruments with
a fixed investment term).
 More information when a financial instrument is composed of two or more different financial
instruments or services

Impact on:
► The Instruments/Risks disclosure
► Any term sheets used
► KID / KIID

 More information in case of capital guarantee or protection

Specify the scope and nature of such guarantee or capital protection. When the guarantee is provided by a third party, the information about
the guarantee shall include sufficient detail about the guarantor and the guarantee to enable the retail client or potential retail client
to make a fair assessment of the guarantee.

9

o Costs and Charges… to all clients (with exceptions)


 Ex-ante + ex-post
• on the costs of the firm + on the instrument costs

• incl. retrocessions / inducements (seen as a cost)


• Aggregated as initial / ongoing / exit costs
• In EUR and in %

 Ex-ante
• Since ESMA updated its Q&A in March 2019: specific to client situation (ISIN, amount)
• Trade-by-trade simulation for execution only and advisory transactions
• Pre-contractual simulation before entering into advisory agreement or discretionary management, based on amount
to be invested, strategy, currency, etc. Simulation may be based on past costs & charges for similar portfolios
• With illustration or explanation of impact of costs on return
 Ex-post
• Actual costs incurred

• At least annually

 When execution only for complex product

 Broader application

Non complex products (non exhaustive list)
 Shares (listed companies)
 Bonds admitted on RM/MTF
 Money market instruments (some)
 Structured deposits
 UCITS

Complex products (non exhaustive list)
 Financial instruments when they incorporate a derivative or a structure
 Structured deposits
 Instruments that incorporate a condition that could fundamentally alter the nature or risk of the investment
 Instruments that include exit charges which would make them illiquid in practice
 Structured UCITS
 Shares in non-UCITS collective investment undertakings

KEEP RECORD : assessment result, warning to client if inappropriate or if insufficient information to perform the assessment

10

• More emphasis on « risk »


 Valid and reliable assessments of client’s knowledge and experience, financial situation, investment objectives, risk tolerance,
ability to bear losses
 Consistency check
• Also applicable to robo-advisors / automated advisory
• Statements
 For retail clients: a suitability report to the client specifying the advice given and how it meets preferences, objectives and
other characteristics of the client (like Beratung Protocol from Germany)
 Before the transaction (or just after if sales by distance and upon prior client’s consent)
 In periodic report for portfolio management

Test required, per service and product type:
 EXECUTION ONLY: non complex product: Exemption (no test); complex product: Appropriateness (for retail clients)
 ADVISORY: non complex product: Suitability; complex product: Suitability
 PORTFOLIO MANAGEMENT: non complex product: Suitability; complex product: Suitability

Where bundled package of services or products, the overall bundled package must be suitable

11

 Extended to all clients


• Exceptions for ECP based on a contractual agreement defining the content and timing of the reporting
 Portfolio management reports
• Activities undertaken and performance over the period
• Frequency : from 6 months to quarterly (or access to the online system)
• Loss : where the value of the portfolio depreciates by 10% and at multiples of 10%
• Quarterly ex-post cost sheet with an overview of all costs incurred by the client
• At least annually, a periodic suitability assessment

o Advisory services
 Frequency : at least quarterly (more frequent on request)
 At least annually ex-post cost sheet with an overview of all costs incurred by the client
 Pre-trade suitability report for each piece of advice provided
 Pre-trade costs and charges simulation for each transaction
 Execution report after each transaction (contract notes)
o Leveraged financial instruments
 Loss : where the value of a position depreciates by 10% and at multiples of 10% (within 24 hours, and immediately for
investments in derivatives)
 Possible to agree with the client to calculate at portfolio level (i.e. if hedge on equities)

12

 Investment advice means the provision of personal recommendations to a client, either upon its request or at the initiative
of the investment firm, in respect of one or more transactions relating to financial instruments (Article 4(1)(4) MiFID II).
 Provision of a general recommendation about a transaction in a financial instrument or a type of financial instrument
constitutes the provision of an ancillary service and its protections apply to the provision of that recommendation.
 A recommendation is not a personal recommendation if it is issued exclusively through distribution channels or to the
public.
 Independent Financial Adviser needs to:
• explain to clients clearly and concisely, how the service fulfils the independence criteria,
• provide details of the factors taken into consideration when making the recommendation, including:
 the number and variety of products composing the universe of investable products
 the quantity of “in-house” products
 the selection process (risk-weighting, complexity)
 the independence requirements

New type of advice => « independent »


o Independent in regard to the selection:
• To assess a sufficient number and variety of financial instruments, proportionate to the scope of
investment advisory service offered and representative of the market
• Sufficiently diverse with regards to their type and issuers for the clients’ objectives
• Not limited to the financial instruments issued by the entity, an entity with close links or with such links as
to pose a risk of impairing the independent basis of the advice
• Comparisons based on risks, costs, complexity and other characteristics
o Independent in regard to commissions (inducements)
• No fees or commissions or non-monetary benefits paid to or provided by any third party
• Tolerance for minor non-monetary benefits capable of enhancing the quality of the service, if they are
clearly disclosed to clients before the provision of services


 Information on Advisory (before provision of service)


- Nature and type of advisory (independent / non-independent)
- Degree of open architecture, products picking approach, types and range of instruments considered…
- Provision of a periodic assessment of the suitability, or not
 Independent investment advice and third-party UCI marketing
A firm authorised to provide investment advice and UCI marketing can qualify as independent investment adviser, provided it
complies with the restrictions associated with independent advice.
 Independent advice for own products
A firm that markets its own products can qualify as independent investment adviser, provided that:
- the firm has the appropriate authorisation to provide investment advisory services
- the firm complies with all the restrictions incumbent upon independent advisers
- (this could occasionally result in the firm recommending its own products)
- the firm has to be able at all times to provide its analysis and internal assessments determining if and to what extent clients'
interests are or could be affected
- the firm provides its assessment to its clients and, on request, to the supervisory authority

 The same financial institution can provide both independent and non-independent advice only if:
 it has an appropriate structure (an adviser who is a natural person cannot be both / segregation of access - Chinese walls)
 the client understands where he stands
ESMA: Q&As on MiFID II and MiFIR investor protection and intermediaries topics

Before investment:
• Categorisation
• Type of service provided
• Info to receive to make an informed decision
• Client agreement

During and after investment:
• Order handled promptly
• Best execution
• Confirmation and periodic reports on investments
• Reporting to clients

Ongoing:
• Conflict of interest
• Safeguarding of assets
• Complaints


 Definition
Commissions or non-monetary benefits paid to or received from third parties in relation to an investment service to a client
and which are not seen as « proper » or « standard » fees (i.e. necessary for the delivery of the service)
 Non monetary benefits
• No list defined by the EU yet
• Information or documentation relating to a financial instrument or an investment service (generic in nature or
personalized to reflect the circumstances of an individual client)
• Written material from a third party that is commissioned and paid for by a corporate issuer or potential issuer to promote
a new issuance by the company
• Participation in conferences, seminars and other training events on the benefits and features of a specific financial
instrument or an investment service
• Hospitality of a reasonable de minimis value (e.g. food and drink during a business meeting or a conference, seminar or
other events)
 to be clearly disclosed before providing services to clients

General principles
 Banned where the client's interests are compromised
 Prohibited by nature:
 When providing independent advice
 When providing portfolio management
(if received, must be fully returned to the client)
 When providing investment research
(if not paid from the bank's own account or from a separate research account)

 Tolerated cases:
 Non-independent advisory
 Execution / RTO
 Business introducers
Conditions (cumulative):
- If designed to enhance the quality of the service to clients
- If it does not impair the obligation to act in the best interest of the client
- If disclosed to the client prior to the provision of service
- If the amounts are reported on an annual basis


Quality enhancement test:


1. The inducement is justified by the provision of an additional or higher level of service to the relevant client, proportional
to the level of inducements received (examples)
• non-independent advice, with access to a wide range of suitable financial instruments including an appropriate
number of instruments from third party product providers
• non-independent advice, with an annual assessment of the continuing suitability of the financial instruments in which
the client has invested; or with another on-going service that is likely to be of value to the client such as advice about
the suggested optimal asset allocation of the client
2. The inducement does not directly benefit the Bank, its shareholders or employees without a tangible benefit for the
client
3. Any on-going inducement is justified by an on-going benefit to the client (service not biased or distorted by the
inducement)
 To demonstrate:
• Keeping an internal list of any remuneration accepted by the firm from a third party in relation to the provision of services
• Recording how the inducements enhance the quality of service and how the client's interests are protected

 Transparency requirements

EX-ANTE (before provision of service): existence, nature and amount of the inducement (clear, comprehensive,
accurate and understandable)

EX-POST: reports => inform clients about the actual amount (individual approach)


 Art. 71 of the MiFID II Delegated Regulation allows for professional clients to be re-categorised as ECP only where they fall within one
of the following categories:

• Entities which are required to be authorised or regulated to operate in the financial markets,

• Large undertakings which meet certain size requirements, or

• National and regional governments, Central Banks, and other international and supranational institutions (e.g. the World Bank).

 This expressly excludes elective professional clients from requesting re-categorisation as ECP

 Formalities for clients capable and wishing to be treated as ECP:

• The firm must provide the client with a clear written warning of the consequences of the re-categorisation, including the protections
they may lose.

• The client must respond in writing to confirm his request (whether it is a general request, or only in respect of one or more
investment services or transactions) and his understanding of the consequences.


• ECP regime is an exceptional client regime under the MiFID II


• ECP are exempted from requirements:
• General principles and information to clients
• Assessment of suitability and appropriateness and reporting to clients
• Obligation to execute orders on terms most favourable to the client
• Client order handling rules
• ECP benefit from more restricted information in relation to:
• Independent nature of the advice provided
• Financial instruments type analysis
• Periodicity of the suitability assessment
• Information of the financial instruments

New obligations for ECPs:


• To act honestly, fairly and professionally
• To communicate in a fair, clear and not misleading way
• To provide certain information to ECP
• Certain reporting obligations extended to ECP,
- however it is for the Financial Institution and the ECP to contractually decide what information will be provided and by whom
Third-country entities:
Member States may extend the ECP regime to locally ‘equivalent’ entities and third-country entities recognised as ECP.
- Not certain that all Member States treat a given ECP in the same manner.


Provide a more detailed and more practically focused execution policy summary to clients, explaining clearly how
orders will be executed by the firm and how the selection is done:
 List the factors used to select an execution venue for execution and the entity used for transmission or placing
orders and their relative importance (and consistency with monitoring approach).
 How venue selection occurs, specific execution strategies used, the process used to analyze the execution quality,
how the firm monitors the achievement of the best possible result
 List the venues / entities used for execution/transmission/placing clients orders in the policy, specifying which
venues / entities are used for each class of financial instrument
 Clear, meaningful, to effectively understand how and where orders are executed
 Distinguish between types of clients, instruments, orders
 Explaining special situations (e.g. use of internal matching systems, a single venue, execution outside Regulated
Market/MTF/OTF)

Provide a more detailed and more practically focused execution policy summary to clients, explaining clearly how
orders will be executed by the firm and how the selection is done (continued):

 Retail clients:

 provide link to the most recent execution quality data published

 Summary of the policy focused on the total costs client will face

 Information about any payment or benefits received from any party in the chain, without a breach of the inducement
rule (may also be disclosed in another document)


 Dealing in OTC product

 Check the fairness of the price proposed to clients by gathering market data used for the price estimation/calculation and
by comparing with comparable products (when possible)

 Orders executed outside a RM/MTF/OTF

 If executing party: need express consent (no change, like in MiFID I) before proceeding and in the form of general
agreement or in respect of individual transaction

 If RTO: need to explain in the policy the main execution principles used by the other entities and provide appropriate
information about these entities upon client request

 Clearly stated in the policy, with additional information on the risk of this execution route and the counterparty risk (seen
as "new" since bilateral). On request, more information on the consequences in terms of counterparty risk

 Client orders handling rules

 More details required in the Best Execution policy reflecting Client Order Handling arrangements, e.g.: handling of limit
orders (standard, large size, which venue what if, etc.)

 Single Execution venue / entity

 Use of a single execution venue: must show how it satisfies the Best Ex requirements and the results must be at least as
good as with other entities => based on data and internal analysis


 Monitoring
 To monitor the effectiveness of the execution arrangements, to assess on a regular basis whether the execution venues
still qualify to provide the best possible results, to inform the existing clients of material changes
 To be able to demonstrate the compliance with the execution policy
 To review the policy at least annually and in case of material change,
 To organize the review on the same aspects as laid out in the policy

 Additional disclosures
 Make public on an annual basis, for each class of instrument:
 the top 5 venues in terms of trading volumes where they have executed clients orders during the previous year
 with information on the execution quality obtained for each one

1. Introduction
2. Clients Services
3. Market Organisation
4. Governance
5. Case Studies


Definition:
Systematic internalisers (SIs) are investment firms which, on an organised, frequent, systematic and substantial basis, deal on
own account by executing client orders outside a regulated market, MTF or OTF without operating a multilateral system.
 SI in MiFID II is a counterparty, not a trading venue: TV are facilities in which multiple third-party buying and selling interests
interact in the system. A SI operates a bilateral system and is not allowed to bring together third party buying and selling
interests in functionally the same way as TV.
 Execution of client orders is a constituent element of the systematic internaliser's definition.
 SI as a risk-taking market actor is characterised by risk-facing transactions (impact the Profit & Loss account). By undertaking
such risk-facing transactions, SIs are a valuable source of liquidity to market participants.
 Asset classes within the scope of the SI regime:
• equity-like instruments (depositary receipts, ETFs, certificates and other similar financial instruments), and
• non-equity instruments (derivatives, bonds, structured finance products and emission allowances).

 Quantitative criteria
 Specific rules for calculating systematic internaliser thresholds:
• Transactions that are not contributing to the price formation process and/or are not reportable
• Primary market transactions, creation and redemption of ETFs (not included in the calculation)
• Off order book trades that are reported to a regulated market, MTF or OTF under its rules (do not count)
• Calculations granularity
• Calculations' level for structured finance products (SFPs)
Limits to fall into the systematic internaliser category


• Transactions with a third country dimension to be treated for the SI calculations


• Source of data, assessment periods and notification requirement. SI to notify its competent authority to be transmitted to
ESMA's register of SIs.
• Opt-in to the SI regime even when it doesn't meet all or any of the quantitative criteria, provided it complies in full with the
applicable requirements. CSSF notification required.
• SI in non-TOTV instruments (not traded on a trading venue)
• SI and an OTF interrelations - connectivity forbidden. The operation of an OTF and systematic internalisation within the same
legal entity is not allowed.
• Tick-size regime exemption means SI is allowed to trade shares, depositary receipts and exchange-traded funds in different
price increments than public markets.
• Obligation for SI to make public firm quotes in respect of bonds, structured finance products, emission allowances and
derivatives pursuant to MiFIR
• Relevant assessment periods: on a quarterly basis on the basis of data from the past 6 months.

The investment firm may easily cross the thresholds in the case of illiquid products
 in fact, the investment firm does not necessarily choose to be an SI


o Direct electronic access (DEA) means:


• That a member, participant or client of a trading venue (the provider) allows a legal entity or natural person to make use
of its trading code (access). So the person can electronically transmit orders relating to a financial instrument directly to
the trading venue, possibly thereby making use of the infrastructure of the provider or a connection system that has been
made available by the provider, and
• Arrangements where such an infrastructure is not used by a person (sponsored access).
o Responsibility: investment firms that offer DEA remain responsible for orders placed by their clients (Market Abuse).
o Mandatory binding agreements to be in place with DEA clients
o Eligibility to provide DEA: firm must be authorized as an investment firm
o Credit risk is a key concern raised by DEA arrangements.
o MiFID II clarifies that the trading of a person having direct electronic access may fall under the definitions of algorithmic
trading and/or high frequency algorithmic trading.

System and controls requirements for providers of DEA:


• proper assessment of the suitability of all users
• pre-set trading and credit thresholds
• pre-trade controls in place to allow the automatic cancellation of a trade, where there is a risk that a trade could contribute to
a disorderly market (Market manipulation)
• monitoring of client’s trading activity on a real time basis to allow the trading venue to adapt such pre-trade controls where
necessary
• due diligence of direct electronic access clients, including credit and risk assessment (annual review)
• on-going review of direct electronic access clients, and pre and post-trade controls
• Unique identification numbers are assigned to all users of direct electronic access
• Post-trade controls, post trade real-time counterparty risk exposure, monitoring for margin and P&L (client margin
obligations)
• Conformity testing: algorithmic trading systems and trading algorithms to be tested for conformity with the direct market
access provider (matching logic, process of data flows downloaded from the trading venue). The investment firm retains full
responsibility. Annual self-assessment.


Notification
• Person providing direct electronic access must notify its NCA (where applicable, notify its trading venue).

• To keep records of all key compliance and risk controls in place

• To be provided to its NCA on request

• To promptly inform the NCA of any material breaches of its physical and electronic security measures. To provide an incident
report to the NCA.

Scope:
. Use of trading member's trading code to transmit orders directly to trading venue
. Includes:
- Direct Market Access (i.e. use of trading venue member's infrastructure)
- Sponsored access (i.e. where the infrastructure is not used)

Requirements:
. Suitability of clients must be assessed (intended trading strategies of clients)
. Trading to be monitored
. Clients must not exceed trading and credit thresholds
. Controls to prevent disorderly market or market abuse
. Ensure clients comply with MiFID and trading venue's rules


o MiFID II introduces the concept of algorithmic trading and, as a subset of that, high-frequency algorithmic trading (article
4(1)(39) of MiFID II).

o All high-frequency algorithmic trading investment firms must be authorised as investment firms.

o Definition: Algorithmic trading means trading in financial instruments where a computer algorithm automatically determines
individual parameters of orders such as whether to initiate the order, the timing, price or quantity of the order or how to
manage the order after its submission.

o No or limited human intervention is indicative of AT.

o It does not include any system that is only used for the purpose of routing orders to one or more trading venues or for the
processing of orders involving no determination of any trading parameters or for the confirmation of orders or the post-
trade processing of executed transactions.

o AT should refer not only to the automatic generation of orders but also to the optimisation of order-execution process by
automated means.
o AT include smart order routers where such devices use algorithms for optimization for order execution processes (parameters
of the order).
o AT do not cover automated order routers where, although using algorithms, such devices only determine the trading venue.
o High-frequency AT is a trading technique, a form of AT where the trading system analyses data from the market at
high speed and sends or updates a large number of orders within a short time frame.
• Infrastructure intended to minimise network
• System-determination of order initiation, generation, routing or execution without human intervention
• High message intraday rates which constitute orders, quotes or cancellations.
• A high-frequency AT trader needs to be an authorised investment firm.


o Algorithmic trading policy with approval process and assigned owners (3LOD model).
o Systems and controls requirements
• To have in place effective and resilient systems and appropriate risk controls.
• To ensure that these systems are tested and to have in place business continuity arrangements.
• To have appropriate order limits in place to prevent erroneous orders and orders that could create a disorderly market.
• To have controls which automatically cancel (kill-switch procedure) any orders not permitted to exceed the firm risk
thresholds.
• To develop and test methodologies, algorithms, systems and strategies (separate testing environment).
• Pre-defined limits on algorithms (number of financial instruments traded, price, quantity, trading strategies, number of
trading venues).
• Any material change to be approved by the Senior Management's designated person.
• To monitor trading activity and detect market manipulation.
• Pre-trade controls, real time alerts, post trade controls.
• Arrangements for physical and IT security (segregation of access and duties, reporting lines).
o To notify its NCA.
o Record keeping (to be provided to NCA on request)
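Added example, not from the slides or from any firm or trading venue: a pre-trade control gatekeeper in Python that combines the DEA provider controls (client due diligence, pre-set trading and credit thresholds) with the algorithmic trading limits (price collar, instruments per algorithm, kill switch, record keeping) listed above. Client and algorithm IDs, instrument codes and limit values are constructed, and the rule that a credit-threshold breach trips the kill switch is an assumed policy, not one the slides prescribe.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Order:
    order_id: str
    client_id: str
    algo_id: str
    instrument: str
    quantity: int
    price: float


@dataclass
class ClientLimits:            # thresholds fixed after the DEA client's due diligence
    max_order_qty: int         # trading threshold
    max_notional_per_day: float  # credit threshold
    allowed_instruments: Set[str]


@dataclass
class AlgoLimits:              # pre-defined limits approved for one algorithm
    max_price_deviation: float   # price collar, as a fraction of the reference price
    max_instruments: int         # distinct instruments the algorithm may trade


@dataclass
class Decision:
    accepted: bool
    reasons: List[str]


class PreTradeControls:
    def __init__(self, client_limits: Dict[str, ClientLimits],
                 algo_limits: Dict[str, AlgoLimits],
                 reference_prices: Dict[str, float]) -> None:
        self.client_limits = client_limits
        self.algo_limits = algo_limits
        self.reference_prices = reference_prices
        self.notional_used: Dict[str, float] = {}     # per client, current day
        self.open_orders: Dict[str, Order] = {}
        self.algo_instruments: Dict[str, Set[str]] = {}
        self.blocked_clients: Set[str] = set()
        self.audit_log: List[dict] = []               # record keeping, shown to the NCA on request

    def check_order(self, order: Order) -> Decision:
        """Run every control; the order is accepted only if none of them fires."""
        reasons: List[str] = []
        notional = order.quantity * order.price
        if order.client_id in self.blocked_clients:
            reasons.append("client blocked by kill switch")
        cl = self.client_limits.get(order.client_id)
        if cl is None:
            reasons.append("unknown client: no due diligence on file")
        else:
            if order.instrument not in cl.allowed_instruments:
                reasons.append("instrument not permitted for client")
            if order.quantity > cl.max_order_qty:
                reasons.append("order size above trading threshold")
            if self.notional_used.get(order.client_id, 0.0) + notional > cl.max_notional_per_day:
                reasons.append("credit threshold exceeded")
                # Assumed policy: a credit breach is a firm risk threshold breach and trips the kill switch.
                self.kill_switch(order.client_id)
        al = self.algo_limits.get(order.algo_id)
        ref = self.reference_prices.get(order.instrument)
        traded = self.algo_instruments.setdefault(order.algo_id, set())
        if al is None:
            reasons.append("algorithm not approved")
        else:
            if ref is None or abs(order.price - ref) / ref > al.max_price_deviation:
                reasons.append("price outside collar (or no reference price)")
            if order.instrument not in traded and len(traded) >= al.max_instruments:
                reasons.append("algorithm instrument limit reached")
        accepted = not reasons
        if accepted:   # book the order and consume the client's credit line
            self.open_orders[order.order_id] = order
            self.notional_used[order.client_id] = self.notional_used.get(order.client_id, 0.0) + notional
            traded.add(order.instrument)
        self.audit_log.append({"order_id": order.order_id, "accepted": accepted, "reasons": list(reasons)})
        return Decision(accepted, reasons)

    def kill_switch(self, client_id: str) -> List[str]:
        """Cancel all open orders of a client and block further orders; returns cancelled IDs."""
        cancelled = [oid for oid, o in self.open_orders.items() if o.client_id == client_id]
        for oid in cancelled:
            del self.open_orders[oid]
        self.blocked_clients.add(client_id)
        self.audit_log.append({"kill_switch": client_id, "cancelled": cancelled})
        return cancelled


def build_demo_controls() -> PreTradeControls:
    """Constructed sample limits: one DEA client C1 and one approved algorithm A1."""
    return PreTradeControls(
        client_limits={"C1": ClientLimits(1_000, 5_000.0, {"ABC", "XYZ"})},
        algo_limits={"A1": AlgoLimits(0.05, 2)},
        reference_prices={"ABC": 10.0, "XYZ": 20.0},
    )
```

Every decision, accepted or not, lands in `audit_log` so the firm can show the NCA on request which control fired and when.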

 Objective: capture ALL trading volume


 In T+1, report directly to the local authorities, through an Approved Reporting Mechanism (ARM)
OR via the trading venue on behalf of the IF
 NEW:
• More data to report, incl. client data, some staff data, circumstance of the trade, etc.
• More situations to report: nearly all instruments related to a market, in nearly all trading
situations
• Extension of the reporting duty to the RTO entity (not just “market facing” firm)
 A Trade Repository under EMIR can be recognized as an ARM
 Trades reported through EMIR can satisfy the obligation if the details are similar (merge the obligations), which will
not be the case
RTS of ESMA: 65 fields, all fields are mandatory unless stated otherwise


 Clear definition of reported transactions and fields (RTS 22 Annex 1 – Com. Del. Reg. 2017/590), with common European
standards and format (i.e. XML template in accordance with the ISO 20022 methodology)

 Information going further than just trade related: includes e.g. the identification of any applicable waiver, of a short sale, of a
risk effect for commodity derivatives, the identification of the clients and the trader / the person responsible for the execution
of the client order, the computer algorithm responsible for the decision, etc.

 Obligation for RTO (all entities in the chain) to pass on the complete information when sending an order to another firm or to
report themselves after execution (issue: client confidentiality, data protection, professional secrecy)

SUPERVISION
• Additional power to NCA, e.g. require information about the size and purpose of a position or an exposure entered into
via a derivative, and any assets or liabilities in the underlying market
• Clearly provides a minimum set of remedies in case of issues, like requirement of the cessation of any practice, freezing or
sequestration of assets, suspension or removal of/from trading, etc.
• Power to ESMA or NCA or EBA to temporarily prohibit or restrict (incl. on precautionary basis):
• The marketing, distribution or sales of particular financial instruments or types of instruments
• A type of financial activity or practice (ex: binary options for retail clients)

SANCTIONS
Member States to decide on sanctions, following EU guiding principles:
• Public statement, indicating the person / entity and the nature of the breach
• Order to cease the conduct
• Withdrawal or suspension of the authorization (incl. for reporting entities)
• Temporary or permanent ban against persons in the management body
• Temporary ban of a F.I. as member of a market venue
• Legal person: pecuniary sanctions of up to 10% of annual turnover
• Physical person: up to EUR 5 M, or up to twice the amount of the benefit derived from the breach
• Sanctions and measures applied should be published (with related details, e.g. type, persons, etc.)
• Appropriate mechanisms to encourage reporting of breaches within investment firms


1. Introduction
2. Clients Services
3. Market Organisation

4. Governance
5. Case Studies

Strengthen the governance of entities, with more scrutiny on the role, functioning and
composition of the management body (Board of Directors)

Senior Management
. Convergence with the principles set out for CRD IV (EC 2013/36 – art. 88 and 91)
. New concept: governing body of an IF, a market operator or a data services provider, which sets out
the strategy and implements the appropriate governance, and which includes persons who direct the
business
. Strong emphasis on market operators, with specific obligations

Role
. Ensure that the IF/Operator is managed in a sound and prudent way, for the entity, the clients and
the integrity of the markets
. Define, approve and oversee the strategy, the internal organization, a remuneration policy for sales
staff, the services, activities, products and operations offered to clients, in accordance with the risk
tolerance of the firm and the nature of clients
. Monitor and assess periodically the effectiveness of all policies

Composition
. Defined criteria to qualify
. Must commit sufficient time to perform their function, with limits on the number of executive /
non-executive directorships that can be combined by a person; act with integrity, honesty and
independence, with adequate knowledge, skills and experience
. Must take into account diversity, i.e. implementing a policy promoting diversity as regards age, gender,
provenance, education, professional background
. Defined criteria for recruiting management body, incl. policy, nomination process, gender
considerations, with opportunity to create a "nomination committee" in the F.I.


Define a Target Market, a distribution strategy and new flows of information


o As Manufacturer:
• To design products that meet the characteristics expected by clients:
1. The type of clients to whom the product is targeted
2. Client knowledge and experience
3. Financial situation with a focus on the ability to bear losses
4. Risk tolerance and compatibility of the risk/reward profile of the product with the target market
5. Clients’ Objectives and Needs
• To identify, assess and manage conflicts of interests
• For every new product
• To ensure follow-up control (gather data)
• Need to collaborate with distributors
o As Distributor:
• To define target markets
• For all MiFID products and others that are offered or distributed
• To ensure periodic review: products # clients # markets
• To provide sales data to manufacturers


 New procedure for Manufacturers and Distributors (all clients)

 Need to implement a formal “Product Approval Process”


 Approval of each financial instrument or adaptation BEFORE it is marketed or distributed to clients
 Conflict of interest

Source: EY analysis

Product Governance

Governance Process
. Approval by New Activity-Business Committee (with all relevant parties)
. Risk analysis
. Roles and Responsibilities (Senior Management – BoD)
. Agreements / SLAs
. Significant changes => new approval

On-going Monitoring
. Feedback from distributor (F.I. as manufacturer)
. Performance of the Investment Product
. Identified Target Market / Distribution Strategy
. Information on the types of client
. Complaints

Target Market Identification
. Client type
. Knowledge and experience
. Financial capacity
. Risk tolerance
. Client objectives and needs

Information to distributors (to provide adequate information on)
. Target Market
. Marketing material
. Scenario Analysis
. Term sheet

Conflicts of Interest
. Manufacturer # Distributor # both
. Usual internal CoI identification (segregation of duties)

Distribution Strategy
. Type of clients (investment services)
. Characteristics of Investment Product
. Type of investment services provided


 Client / business conversations recording (data protection requirements)

 Recording of phone and electronic communications when:


- Transactions concluded when dealing on own account
- Clients orders, in RTO or in execution services
- From reception of order to conclusion of the transaction, incl. cancellations or modifications -> ability to trace back
the entire flow of communications
- Any conversations or communications intended to result in such transactions, even if they did not result in such
transaction
 Not applicable to private devices, which should not be used for professional reasons
 If face-to-face : written minutes

 CSSF circulars 17/665 and 17/670


 ESMA guidelines for the assessment of knowledge and competence
• Professionals shall ensure that staff providing relevant services possess the necessary knowledge and competence to
comply with the regulatory requirements and business standards
• Level of knowledge and competence to be aligned with relevant products or services, detailed criteria for:
• Staff giving information about investment products, investment services or ancillary service
• Staff providing investment advice
• Annual assessment to be performed by the Compliance function and outcome included in a formal report
• Appointment of a member of the Authorised Management in charge of implementing the circulars and the ESMA guidelines
• Organisational requirements:
• Formal assessment of each person in scope
• Supervising staff members
• Specific procedures / policies


 Compliance function: no major impact (CSSF Circular 12/552 as amended)

 Complaints handling: no major impact (CSSF Regulation 16-07)

 Record keeping: no major impact (Data protection – GDPR)

 Specific situations to explicitly address in the CoI Policy:


 Impact of the receipt of inducements
 CoI caused by remuneration or other incentive structure
 CoI caused by the way the performance of the staff is assessed (e.g. sales commissioning)

 More details on the disclosure of potential conflicts to clients (also for non-retail clients)
 In a durable medium
 Before the provision of service
 With a specific description of the conflict, incl. enough detail for the client to take an informed decision
(nature, source of conflict, risks, mitigation measures)
 Clearly stating that the current arrangements have not been sufficient to prevent the risk


 Periodical review, at least annual review


 New requirement for Investment Research
 Physical separation between the financial analysts involved in the production of the investment research
and other relevant persons whose responsibilities or business interests may conflict with the interests of
the clients or of other parties concerned.
 If the requirement is not appropriate to the firm (size/nature/scale and complexity of business), alternative
information barriers shall be put in place.
 Specific requirements for the underwriting and placing activities
 Specific information to provide when advising corporate finance strategy
 Impacts on underwriting and placing (incl. pricing)

1. Introduction
2. Clients Services
3. Market Organisation
4. Governance

5. Case Studies


 A grandmother (80 years) and her grandson (25 years) request to open an account together.
 When establishing their risk profile, the outcome for the grandmother is “conservative” and that of
the grandson is “aggressive”.
 They want to have an advisory mandate, where they can both take investment decisions.
 The grandmother wants to help her grandson with his “financial education”.
 The grandson wants to be very active and therefore suggests opting for an aggressive strategy.

 How do you approach this situation?

 An existing client of your bank - a very busy real estate developer - has an account on which he
normally receives advice.
 He has a “medium” strategy and always has a “buy and hold” approach.
 He recently added his sister as a proxy on the account.
 She holds a degree in economics and works for an insurance company.
 She wants to be more active on the account and starts passing at least 2 orders on a weekly basis.
 Furthermore, she plans to invest part of the portfolio in options and in commodities, as she wants
to boost its performance.

 How do you approach this situation?


 You work for the Green Frog bank, a subsidiary of the Green Frog Group. The group is listed on the
Euronext stock exchange.
 Your client is interested in reinvesting dividends recently paid on his account, in shares.
 There is a market consensus between analysts that the Green Frog Group has interesting
perspectives and will probably have a dividend yield well above market average.

 Would you advise the purchase of Green Frog shares?

 Your client, with a moderate risk profile, has about 5% of cash available on his account.
 While preparing his next visit, you observe that according to his current asset allocation, this cash can
be invested in shares.
 Based on the research made by your credit institution, you recommend investing in a new
European telecom company, which has very strong potential.
 The client is very enthusiastic and wants to sell his money market funds, which represent 20% of his
portfolio, in order to invest a total of 25% in these shares.

 How do you approach this situation?


 Your client has given an order to sell his position in shares 123.
 Immediately after entering the sell order in the system, your dealing room calls you to warn you
that the order represents 60% of the average daily volume.

 How do you approach this situation?

Questions?

Through this section about Market integrity, you should be able to:
 understand what market integrity means and why it is important to pursue it
 explain what Market Abuse is about and detail & identify its constitutive elements
 make the difference between insider dealing (trading) and market manipulation
 find your way through the regulatory framework
 analyse practical cases, identify the risks and the measures that should be taken to mitigate them
 organise and increase awareness & monitoring among your colleagues
 know how to react to and report suspicious orders and transactions
 understand the main obligations under the EMIR rules

 Market abuse is a circumstance where financial investors are disadvantaged, directly or indirectly, by others who:
 use information which is not publicly available, or
 disseminate false or misleading information, or
 try to distort the price-setting mechanism of financial instruments
 Market abuse is any unlawful behavior in the financial markets. Therefore, authorities prohibit the following types of misconduct:
 insider dealing/trading
 market manipulation

 Authorities require certain duties from financial institutions (& individuals):
 to avoid market abuse and preserve market integrity (ex ante):
• prevention (raise awareness, Chinese walls, conduct frameworks) & monitoring (organise controls to detect & remediate weaknesses)
• disclosing, reporting & organisational duties
 to detect and to report suspicious transactions & orders (ex post)

 Nowadays, most economists believe that market abuse
• hampers the integrity of the markets
• increases the cost of capital
• is detrimental to general economic growth
 Although the fight against market abuse is rather recent, it is perceived as illicit behavior against market transparency; it is now strictly regulated, with legal obligations in place, and sanctions have become much more strict

This unfair practice is now considered a criminal offence in almost all countries

MAD:
 stands for the Market Abuse Directive 2003/06/EC, adopted together with the related directives 2003/125/EC (investment recommendations) and 2004/72/EC (accepted market practices)
 introduced and implemented dissuasive measures and sanctions to fight insider dealing, unlawful disclosure of inside information and market manipulation
 transposed into Luxembourg law on 9 May 2006 (giving increased powers to the CSSF)
 repealed by the Market Abuse Regulation 596/2014.

MAD II = MAR + CSMAD
 MAR: the Market Abuse Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse, which became applicable as from July 2016.
 CSMAD: the Criminal Sanctions Market Abuse Directive 2014/57/EU of the European Parliament and of the Council of 16 April 2014 on criminal sanctions for market abuse (market abuse directive). It repeals Directive 2003/06/EC and related ones.
 In addition, on March 23rd 2018, ESMA (European Securities and Markets Authority) updated its Questions and Answers on the common operation of the MAD. ESMA issues Regulatory Technical Standards, Implementing Technical Standards, Technical Advice, Guidelines and Questions & Answers.

Key changes introduced by the Market Abuse Regulation
 extending the market abuse regime to apply not only to financial instruments admitted to trading on a regulated market but also to financial instruments on other trading platforms such as multilateral trading facilities and organised trading facilities, and related financial instruments;
 extending the market abuse rules to cover EU emissions allowances;
 bringing the manipulation of benchmarks expressly within the market manipulation offence;
 the introduction of a new offence of attempted market manipulation;
 the introduction of a specific format for insider lists;
 a new requirement to notify the regulator on announcement of inside information where the issuer has delayed the announcement of that information;
 the introduction of a specific regime for the disclosure of inside information in the course of market soundings;
 the extension of the Suspicious Transaction Reporting (STR) regime to cover suspicious orders (STOR).

Key changes introduced by the Market Abuse Law
 The CSSF is granted comprehensive investigation and supervisory powers;
 Cooperation of the CSSF with ESMA and other competent authorities;
 The CSSF can impose administrative measures and has sanctioning powers (such as a temporary ban of a person discharging managerial responsibilities, administrative fines…);
 Procedure for reporting infringements: guidelines are provided; supervised entities should have a framework in place similar to AML reporting of suspicious orders and transactions;
 Publication of decisions by the CSSF (“name and blame”);
 Criminal sanctions for committing, recommending or inducing another person to commit insider dealing, unlawful disclosure of inside information and market manipulation:
• Natural persons: imprisonment from 8 days to 4 years / fines from € 251 to € 5 mln
• Legal entities: fines from € 500 up to € 15 mln

Technical Standards
MAR empowers ESMA to develop regulatory technical standards (RTS) and implementing technical standards (ITS). ESMA delivered a first set of technical standards on 28 September 2015, on the following items:

Regulatory technical standards:
• the conditions, restrictions, disclosure and reporting obligations for buyback programmes and stabilisation measures;
• the arrangements, systems, procedures and notification templates to report suspicious orders and transactions;
• the establishment, maintenance and termination of accepted market practices;
• the arrangements, procedures and record keeping requirements for persons conducting market soundings;
• the technical arrangements for the objective presentation of investment recommendations or other information recommending or suggesting an investment strategy and for disclosure of particular interests or indications of conflict of interest.

Implementing technical standards:
• the technical means for the public disclosure of inside information and its delay;
• the systems and notification templates to be used in market soundings and the technical means for appropriate communication;
• the precise format of insider lists and the format to update them;
• the format and template for the notification of managers’ transactions.

ESMA received 2 mandates from the European Commission to assist on the content of the delegated acts required by some provisions of the MAR.
 The 1st mandate was about further specifications related to the:
 indicators of market manipulation;
 minimum threshold of CO2 equivalent and minimum threshold of rated thermal input for the purposes of exemption regarding the public disclosure of inside information;
 competent authority for the notification of delays in the public disclosure of inside information; and
 characteristics of a manager’s transaction which trigger the notification duty, and specification of the circumstances under which trading during a closed period may be permitted by the issuer.

 The 2nd mandate refers to the specification of actual or potential infringements of MAR.

ESMA Guidelines
ESMA issues guidelines on:
 inside information for commodity derivatives markets or spot markets;
 the factors for persons receiving market soundings to assess
1. whether the information amounts to inside information,
2. the steps to take if inside information has been disclosed to them in order to comply with MAR provisions on inside information, and
3. the records to maintain in order to demonstrate such compliance; and
 delays in the disclosure of inside information.

 ESMA issues in addition the document “Questions & Answers” on the Market Abuse Regulation;
 The purpose of this document is to promote common supervisory approaches and practices in the application of MAR and its implementing measures. It does this by providing responses to questions posed by the general public and competent authorities in relation to the practical application of the MAR framework;
 The document is consequently regularly updated (latest version as of 2020: March 29th 2019).

 Some behaviours are forbidden: insider dealing, unlawful disclosure of inside information, market manipulation
 Some specific obligations apply:
• To issuers of listed financial instruments
• To their management, board members and relatives
• To persons issuing public recommendations (market analysts)
• To financial institutions (banks, financial service providers, UCITS…)
 General obligations related to the organisation:
• set up a specific internal function (in charge of STOR)
• train all staff concerned, including information on risks & sanctions
• ensure a monitoring framework for transactions, orders & behaviours

Principles
 General vigilance obligation for the staff concerned: staff awareness;
 Use of tools for detecting suspicions of market abuse (monitoring systems)
 In case of suspicious behaviour, orders or transactions, a due investigation is required
 After analysis, the financial professional (PFS) evaluates the case and, where appropriate, decides to report the suspicion
 Reporting of a suspicious behaviour, order or transaction is done to the CSSF and the FIU
 The “no tipping off” obligation applies
 Keep records

 Insider dealing
• carrying out transactions on financial instruments (directly or indirectly, e.g. power of attorney, inducing another person…);
• listed on a regulated market (stock exchange) or MTF, OTF or linked thereto;
• using inside/privileged information (even if the transaction takes place outside of a regulated market);
• unlawful disclosure or misuse of inside information.
e.g. a person has information on a take-over bid, on a claim, on doubtful debts…
 that is not yet available to the public and
 uses it, although he knows/should have known it was inside information
 Inside (‘privileged’) information is information fulfilling 4 criteria:
• not (yet) made public
• relating to one or several issuers of financial instruments or to one or several financial instruments
• precise
• likely to have a significant impact on the market price of financial instruments or related financial instruments, if it were made public.

Prompt and fair disclosure of information to the public enhances market integrity, whereas selective disclosure by issuers can lead to a loss of investor confidence in the integrity of financial markets
• If all investors receive the same information at the same time, no insider dealing is possible;
• The release is to be coordinated (employees, investors, web-site, mailings, press agencies…);
• Press releases are usually issued when the (main) markets are closed.
Insiders need to refrain from using the information and need to act transparently
N.B. There are two types of “insiders”:
 Primary insiders
• Those who receive inside information further to their status, mandate or profession
• E.g. shareholders, management, employees & external contributors in the course of their professional activities (external auditors, lawyers, advisors…), perpetrators of criminal activities
 Secondary insiders
• All others who obtain information from primary insiders that they know or should have known to be inside information

What is meant by public information?
• Information that has already been publicly released
• Or, that is already known by a large public (cf. internet, media…)

What is meant by precise information?
• If it refers to a set of circumstances or to an event which has arisen or is likely to arise, and
• If it is possible to conclude from the event/circumstances to an effect on the price of a financial instrument

It is forbidden to use inside information:

 to sell or purchase for own account or for the account of somebody else, directly or indirectly, e.g. by buying the securities in order to realise a gain or selling them in order to minimise a loss

 to communicate / disclose inside information to a non-authorised party (unless necessary in a normal professional context)

 to recommend a third party to buy or sell a financial instrument on the basis of inside information (that you don’t disclose)

 Related to an issuer
• Bad/good news about financial results to be disclosed soon;
• Capital increase/decrease;
• Information about a merger or an acquisition;
• Sale/purchase of shares after (non public) board discussions on dividends to be distributed;
• Information on a significant litigation;
• Information that conception errors of a product might be the cause of significant client claims;
• Bad loans, insolvency of a major client/supplier;
• …
 Related to a financial instrument:
• Claims or litigation
• Alleged weaknesses in the prospectus, the listing or other formal or documentary aspects
• ...

 Behaviours raising questions
• Sudden change in a client's behaviour (e.g. a client who never invested in shares suddenly wants to buy a specific security at own initiative and for a significant amount);
• A client who wants to pass a purchase order as quickly as possible without questioning the price, and agrees to take a loss by selling another position;
• A client who passes an order and calls several times to make sure it has been executed timely, giving the impression of being nervous;
• A client known as being an insider, who passes an order just before the publication of her/his company's results or a relevant corporate change;
• A client admitting she/he knows important information that is not yet public
→ an analysis might be required

 Create and keep updated a list of insiders within an issuer (a permanent insiders’ list within issuers and/or, when applicable, a temporary/occasional insiders’ list).
 Train employees and implement procedures, enhance awareness
 Flag sensitive securities
 Flag clients & employees who are at risk and need closer monitoring of their transactions, further to their sensitive positions or environment (including secondary insiders)
 Monitor transactions & implement a detection programme (clients + employees)
 Introduce trading windows (‘window trading’) for sensitive staff
 Organise & implement “Chinese walls”

 Obligation related to the organisation
• Inform Compliance about mandates / relations with listed companies
• Know & respect the personal transactions notification procedure and applicable restrictions

 Specific obligations when you are Board Member within a listed group of companies:
• Know & respect the dealing code (especially blocking periods, windows)
• Notify your transactions to authorities (and to the listed company)
• Confidentiality
 In any case it is forbidden to
• Disclose or use inside information, unless in well defined situations
• Buy or sell when influenced by inside information

 Market soundings are interactions between a seller of financial instruments (DMP = Disclosing Market
Participants) and one or more potential investors (MSP = Market Sounding Participants), prior to the
announcement of a transaction, in order to gauge the interest of potential investors in a possible transaction
and its pricing, size and structuring;

 Prior to and during any market sounding, the DMP shall specifically consider whether the market sounding will
involve the disclosure of inside information and document its conclusions for purposes of regulatory inspection;

 ESMA has provided further guidance on technical standards for the corresponding arrangements, systems and
procedures (Commission Delegated Regulation (EU) 2016/960);

 In addition, CSSF Circular 17/648 implements ESMA guidelines on the factors, steps and records that persons
receiving market soundings must consider and implement.

 Knowingly trying to
• mislead other investors and/or the markets
• influence the price or volume of a financial instrument
 by carrying out transactions, giving instructions, or by giving out false or misleading information on (an issuer of) a financial instrument
 which give, or are likely to give, false or misleading indications regarding the supply, demand or price, characteristics or weaknesses of a financial instrument
 which modify, through the action of one or several individuals acting in a concerted manner, the price of one or several financial instruments to an abnormal or artificial level
 unless there are legitimate reasons to do so or such practice is commonly accepted by the regulated market (ESMA publishes AMP: Accepted Market Practices)

Possible indications of a market manipulation
 a client introduces an order with no intention of execution and cancels it before it is executed (=> false/misleading information in the market)
 orders introduced in the market just before the closing (often used to influence the closing price) (= “marking the close”)
 a person purchases a penny stock, then publishes a very positive opinion regarding the company in order to promote it, causing an increase in demand and consequently in price. He can then sell it with an important gain (= “pump & dump”)
 a client who is "short" on a security and then publishes or spreads negative information regarding this security in order to cause a price decrease (= “trash and cash”)

 Persons professionally arranging/executing transactions must have systems in place to detect and report suspicious
transactions and orders (i.e. market abuse and attempted market abuse)
Where?
 In the reception & transmission of orders
 in the execution of transactions in financial instruments
What?
 Arrangements, systems and procedures able to detect suspicious transactions and orders (“each and every order,
including quotes”)
 Appropriate and proportionate to the “scale, size and nature of business activity”
 Automated systems + “human factor” (ongoing vigilance by staff)
 Based on internal, own information and on public disclosure of other trades
 Group context: delegation possible
 Training of staff
N.B. Sanctions apply in case of non-compliance

 Any doubt of market abuse is to be reported internally, without delays, to the person/body responsible within the
institution (in principle someone within the Compliance Department, e.g. the Compliance Officer or MLRO)

 The transaction is analyzed by the responsible person/body (reporting officer)

 If, after internal analysis, the doubt becomes a suspicion, it is to be reported to the CSSF (Lu)

 Market Abuse being a primary (predicate) Money Laundering offence, the report MUST also be sent to the local FIU

 Local authorities may send the information to competent foreign authorities

Be careful: the “NO TIPPING OFF principle” applies in this field as well!

BUT, differently from AML matters, the transaction may be executed

 Enhance awareness on a regular basis

 Introduce precise rules of conduct supported via procedures and trainings

 Perform effective controls to check awareness level & conduct

 Companies issuing listed financial instruments (including bonds) need a specific “Dealing Code” (defining blocking periods,
stop list, windows…)

 Specific rules of conduct for the exposed employees (might refer to external model codes, such as the Model Code, the International Code of Conduct of the Financial Markets Association, which is freely available, or the FX Global Code)

 Depending on the activities of the financial professional (PFS), manual monitoring or monitoring via automated tools: queries on securities, on insiders, on behaviours, abnormal (market) prices or evolutions, volumes…

 Know your Customer:

• Is your customer or close relatives of him/her linked to a listed company?

• Is he/she a potential insider? Closely linked to an insider ?

 Know your Employee

 Know your Director

• Is he/she linked to a listed company?

• Is he/she a potential insider?

• Does his/her activity expose him/her to inside information and/or market manipulation?

 Keep in mind directors of listed companies need to disclose any sale/purchase of the securities issued by the company
(info available on the authorities website)

 For market desk, order desk and dealing room teams, you might refer to the Model Code (International Code of Conduct of the Financial Markets Association) or the FX Global Code.

 The Model Code (freely available through www.acifma.com) includes guidelines & best practices which span the whole of the Fixed Income, Currency and Commodity markets. It is used by many institutions. It covers a broad range of conduct issues, from the detailed processes of the back office right through to the functions of the electronic platforms used by the front office.

 The FX Global Code is a set of global principles of good practice in the foreign exchange market. It contains 55 principles that provide a common set of guidelines to promote the integrity and effective functioning of the wholesale foreign exchange market.

 Monitor market transactions on securities on which
 a press release or other relevant public information has been published
 internal research is being made
 asset management services are provided (e.g. listed UCIs)
 Monitor closely some indicators:
 Purchase by the customer of securities/bonds/loans/credits
 issued by companies that are not easy to identify (shareholders, countries, memorandum of association, …)
 that do not present documentation in line with usual standards, or are rather unclear regarding their goal or their modus operandi, or that offer unusually favourable conditions
 held outside the usual circuit (lawyers, public notaries, fiduciary companies…)
 subscribed/reimbursed through an unusual payment circuit
 Margin calls made with non (totally) identified third parties and/or that are not logical in the circuit

[Diagram: market abuse monitoring architecture. Client / proprietary trading and the stock exchange real-time feed are fed into a scenario-based trade behaviour analysis (market event database, rule engine, data dashboard) running scenarios such as spoofing (market manipulation) and front running. The resulting alerts are assessed by the compliance officer, or by the first line if suspicious activity is found, and lead to SAR and STR notification to the CRF & CSSF.]

 Market Abuse - monitoring (1/2):
 Phantom orders:
 Orders are placed on the market without any basic intention of executing the order, i.e. orders are cancelled or lapse before being executed.
 Pre-arranged trades:
 Pre-arranged trades or price agreements between two market participants can give other market participants a wrong picture of the market situation and influence the formation of the market price.
 Concealing ownership:
 The ownership of securities positions is intended to be concealed through transactions. This allows the holder to stay below the threshold for compulsory reports on reporting dates.
 Layering:
 Transactions or orders are organised with the intention of manipulating the supply or demand for an instrument, which leads to a change in the market price.

 Market Abuse - monitoring (2/2):
 Front running:
 Placing an order or executing a transaction before a significant order is placed or a large transaction is executed in the market.
 Marking the close:
 Transactions in a financial instrument executed in a specific time period prior to the close of trading or a fixing at an execution venue. Either many small transactions or high-volume transactions are executed, depending on the market conditions.
 Price driver:
 Activities that aim at influencing the market price of an instrument during a trading day, i.e. placement of orders with price limits that deviate significantly from the current market price.
 Wash trades:
 Wash trades are transactions that do not result in any change of the economic owner, i.e. the buyer and the seller are the same individual (directly or as beneficial owner) or legal entity (or companies that belong to the same corporate group).

 Insider dealing - monitoring:
 Front running:
 Placing an order or executing a transaction before a significant order is placed or a large transaction is executed in the market.
 Trading before event and gaining profit:
 Through the execution of transactions based on inside information and prior to the publication of price-influencing reports or news, profits are intended to be generated. Realised and unrealised gains are taken into consideration.
 Potential insider watch list:
 The control will identify suspicious trading activities of insiders in instruments or companies. It must monitor employee trading, customer trading as well as proprietary trading or asset management activities.
 Trading before news:
 The control will identify suspicious trading activities before relevant market news is made public.
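As an added illustrative example (not code from the training material or from any surveillance product), the Python script below runs simple versions of four of the monitoring scenarios above, phantom orders, marking the close, wash trades and trading before news, over constructed order and trade records and returns the alerts for assessment by Compliance. The thresholds, account names, instruments, dates and the watch list are assumptions chosen for the demonstration.

```python
# Rule-based market abuse surveillance over constructed order and trade records.
# Added illustrative example, not code from the training material or from any
# surveillance product; thresholds, names, instruments and dates are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Order:
    order_id: str
    account: str
    instrument: str
    side: str                      # "BUY" or "SELL"
    qty: int
    placed: datetime
    status: str                    # "FILLED" or "CANCELLED"
    filled_at: "datetime | None" = None


@dataclass(frozen=True)
class Trade:
    trade_id: str
    instrument: str
    qty: int
    executed: datetime
    buy_owner: str                 # beneficial owner behind the buy side
    sell_owner: str                # beneficial owner behind the sell side


@dataclass(frozen=True)
class NewsEvent:
    instrument: str
    published: datetime
    headline: str


def phantom_orders(orders, min_orders=5, cancel_ratio=0.8):
    """Accounts whose orders are mostly cancelled or lapse before execution."""
    totals, cancelled = defaultdict(int), defaultdict(int)
    for o in orders:
        totals[o.account] += 1
        cancelled[o.account] += int(o.status == "CANCELLED")
    return sorted(a for a, n in totals.items()
                  if n >= min_orders and cancelled[a] / n >= cancel_ratio)


def marking_the_close(orders, close=time(17, 30), window=timedelta(minutes=5), min_fills=3):
    """(account, instrument) pairs with repeated fills in the minutes before the close."""
    fills = defaultdict(int)
    for o in orders:
        if o.status == "FILLED" and o.filled_at is not None:
            close_dt = datetime.combine(o.filled_at.date(), close)
            if close_dt - window <= o.filled_at <= close_dt:
                fills[(o.account, o.instrument)] += 1
    return sorted(k for k, n in fills.items() if n >= min_fills)


def wash_trades(trades):
    """Trades where the same beneficial owner stands on both sides."""
    return [t.trade_id for t in trades if t.buy_owner == t.sell_owner]


def trading_before_news(trades, news, watch_list, window=timedelta(days=2)):
    """Trades by watch-listed persons shortly before news on the same instrument."""
    hits = []
    for t in trades:
        for n in news:
            if n.instrument == t.instrument and n.published - window <= t.executed < n.published:
                hits += [(t.trade_id, who, n.headline)
                         for who in (t.buy_owner, t.sell_owner) if who in watch_list]
    return hits


def _ts(h, m, s=0, day=0):
    """Constructed timestamps around a fictitious trading day (15 Jan 2020)."""
    return datetime(2020, 1, 15 + day, h, m, s)


ORDERS = [  # constructed sample orders
    # A1: five orders cancelled within seconds of placement, one genuine fill
    *[Order(f"A1-{i}", "A1", "XYZ", "BUY", 1000, _ts(10, i), "CANCELLED") for i in range(5)],
    Order("A1-5", "A1", "XYZ", "BUY", 100, _ts(10, 6), "FILLED", _ts(10, 6, 2)),
    Order("B2-0", "B2", "XYZ", "SELL", 200, _ts(11, 0), "FILLED", _ts(11, 0, 5)),  # ordinary
    # C3: three fills in the last three minutes before the 17:30 close
    *[Order(f"C3-{i}", "C3", "XYZ", "BUY", 500, _ts(17, 26 + i), "FILLED", _ts(17, 27 + i))
      for i in range(3)],
]
TRADES = [  # constructed sample trades
    Trade("T1", "XYZ", 400, _ts(12, 0), "Dave", "Dave"),          # same owner on both sides
    Trade("T2", "ABC", 2000, _ts(9, 30, day=1), "Erin", "Frank"),  # watch-listed buyer, day before news
    Trade("T3", "ABC", 100, _ts(15, 0, day=-10), "Gina", "Hal"),  # well outside the news window
]
NEWS = [NewsEvent("ABC", _ts(18, 0, day=2), "ABC announces takeover of XYZ")]
WATCH_LIST = {"Erin"}  # e.g. a person flagged by Compliance as a potential insider


def run_surveillance(orders=ORDERS, trades=TRADES, news=NEWS, watch_list=WATCH_LIST):
    """Run every rule and return the alerts per scenario for assessment by Compliance."""
    return {
        "phantom_orders": phantom_orders(orders),
        "marking_the_close": marking_the_close(orders),
        "wash_trades": wash_trades(trades),
        "trading_before_news": trading_before_news(trades, news, watch_list),
    }
```

Each alert is a lead for the internal analysis step described below, not a conclusion; the thresholds must be tuned to the scale and nature of the institution's activity.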

Physical persons: fines & imprisonment
Offences referred to in
 Article 3 (insider dealing, recommending or inducing another person to engage in insider dealing) and Article 5 (market manipulation) are punishable by a maximum term of imprisonment of at least 4 years
 Article 4 (illegal disclosure of inside information) is punishable by a maximum term of imprisonment of at least 2 years.
Legal entities (corporate bodies)
 Fines (criminal & non-criminal) + other sanctions such as:
 exclusion from entitlement to public benefits or aid;
 temporary or permanent disqualification from the practice of commercial activities;
 placing under judicial supervision;
 judicial winding-up;
 temporary or permanent closure of establishments used for committing the offence (cf. art. 8 CSMAD)

Company X is a video game producer listed since 1996. In 2012, the company announced at the E3 conference (Electronic Entertainment Expo, the trade show of the video game industry) that it would launch a new game in 2013 and showed some preliminary screenshots of the game. Following this announcement, the stock went up over the next sessions.
On 15th October, company X disclosed, after the close of the financial markets, that the game would be delayed and not sold before 2014/2015. This delay further implied a reduction in turnover and a total loss of EUR 40 to 70 million instead of a projected profit of EUR 110 to 125 million.
Following the announcement, volumes increased strongly and the stock went down 26 % in one day. This triggered an investigation by the AMF, which established that:
 50 employees of the company sold stocks before the announcement,
 the stocks were sold either directly, through the bank which was managing the stock option plan of the company, or through an investment fund managed by an asset manager

→ Was there any wrongdoing, by whom, and what are they facing?

Company C was created in 1986 and is specialised in building and selling fake weapons for video game fans, sport shooters and others. The company is listed on Euronext Paris and, since January 2014, accessible on the Euronext Growth MTF. The company started to have financial difficulties in 2011 and faced a bankruptcy plan agreed by the court. Some assets were sold and Mr AdB entered directly into the shareholding of the company.
The financial situation of Company C got worse, and in March 2014 some false financial information was provided. In July 2014 the financial information was updated, showing growing difficulties.
Between March 2014 and July 2014, Mr AdB sold some securities of C, and another company he owns bought some debt of company C in July.

→ Was there any wrongdoing, by whom, and what are they facing?

In September 2014, the CEO of MP telephoned Mr X and told him MP was intending to raise new capital via a share placement. The CEO subsequently emailed Mr X asking whether he would be interested in subscribing for shares at what he was told would likely be a substantial discount to the company’s current share price. Attached to the CEO’s email to Mr X was a presentation setting out the company’s plans for the funds raised through the placing, which included a clear statement that the information it contained was likely to be considered inside information. When the placement was disclosed, the share price of MP lost 60.5% in the first hour of post-announcement trading.
Prior to the placing, the CEO emailed Mr X a second time, asking if he would provide a significant level of funding in order to prevent the share placing proceeding at a considerable discount to the share price at the time. Very shortly after receiving this email, Mr X instructed his broker to sell his entire shareholding in MP ‘at any price’.

→ Was there any wrongdoing, by whom, and what are they facing?

 A consultant, specialised in mergers and acquisitions, is currently assisting company ABC, listed on the Euronext
stock exchange, in preparing a takeover of company XYZ, listed on the Luxembourg stock exchange

 When working late at the office, the cleaning lady overhears him on the telephone, discussing the takeover

 The next day, she (he) suggests her (his) son to purchase the shares of XYZ

→ Was there any wrongdoing, by whom, what are they facing ?

 A client is an analyst at a well-known London stock broker

 He (she) seems to have a very good “eye” for picking out stocks that go up

→ As a Compliance Officer, what is your approach?

 You are the Compliance Officer of a listed company

 This morning, when arriving at work, you receive an e-mail from one of your friends, asking whether it is true that
your company is about to announce the sale of one of its core activities, as there are rumours circulating on the
internet

→ How do you react?

 You are the director of a listed company

 You wish to purchase some shares of your company

→ Which elements should you pay attention to?

 You work for Blue Sky Bank Luxembourg, a 100% subsidiary of the Blue Sky Group, listed on the Euronext stock
exchange

 Your client is interested in reinvesting the dividend recently paid on his account, in financial shares

 There is a market consensus between analysts that BSB has interesting perspectives and will probably have a
dividend yield well above market average

→ Would you advise the purchase of shares of BSB?

1. What is EMIR ?
1.1 Definition and objectives
○ 1.1.1 Derivatives markets definition
○ 1.1.2 EMIR definition & objectives
1.2 Scope Of EMIR
○ 1.2.1 EU Entities
○ 1.2.2 Non EU Entities
2. Obligations under EMIR
2.1 Reporting
2.2 Clearing
2.3 Risk Mitigating measures for OTC non cleared centrally
3. The role of the Compliance Officer

Before defining EMIR it is useful to define the derivatives markets. A derivative is a contract that derives its value from the performance of another underlying product. The underlying product can be an asset, an index or an interest rate, for example.

The derivatives market can be split in 2 parts:

• Exchange Traded Derivatives (ETD)

• Over The Counter (OTC) derivatives

ETD are traded on regulated exchanges (Euronext LIFFE, Chicago Mercantile Exchange…). ETD products are standardised, liquid and eliminate counterparty default risk.

OTC derivatives are not traded on an exchange but directly between counterparties.

[Diagram: Derivatives markets. Exchange traded derivatives: futures exchanges (futures) and securities exchanges (options, warrants, structured products). Over the counter derivatives: forward (rate) contracts and swaps.]

Futures: Futures are financial contracts obligating the buyer to purchase an asset or the seller to sell an asset, such as a physical commodity or a financial instrument, at a predetermined future date and price. Contracts are standardized to facilitate trading on a futures exchange.
Options: Options are a financial derivative sold by an option writer to an option buyer. The contract offers the buyer the right, but not the obligation, to buy (call option) or sell (put option) the underlying asset at an agreed-upon price during a certain period of time or on a specific date.
Warrants: Warrants are a derivative that gives the right, but not the obligation, to buy or sell a security - most commonly an equity - at a certain price before expiration. The price at which the underlying security can be bought or sold is referred to as the exercise price or strike price.
Structured products: A structured product is a pre-packaged investment strategy based on derivatives such as a single security, a basket of securities, options, indices… Structured products are designed to facilitate highly customized risk-return objectives.
Forward: A forward contract is a customized contract between two parties to buy or sell an asset at a specified price on a future date. A forward contract can be used for hedging or speculation, although its non-standardized nature makes it particularly apt for hedging.
Swaps: A swap is a derivative contract through which two parties exchange the cash flows or liabilities from two different financial instruments. Most swaps involve cash flows based on a notional principal amount such as a loan or bond, although the instrument can be almost anything.

European Market Infrastructure Regulation (EMIR) is a European regulation; its full name is Regulation (EU) No 648/2012 of the
European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories.
Similar to the Dodd-Frank Act, the regulation was established to increase transparency and reduce the credit risks that led to the
2008 financial crisis. The original mandate for this regulation came from the G20 summit in 2009.
EMIR is designed to regulate the Over The Counter (OTC) derivatives market and meet three objectives:
• Increase transparency
• Reduce counterparty risks
• Reduce operational risks

In June 2019 the EMIR Refit (Regulation (EU) 2019/834) entered into force.

The purpose of the EMIR Refit is to amend and simplify the European Market Infrastructure Regulation (EMIR) “to address
disproportionate compliance costs, transparency issues and insufficient access to clearing for certain counterparties.”
Amendments relate to areas including the definition of financial counterparty, restrictions on the application of the clearing
obligation, changes to the clearing threshold calculation for non-financial counterparties and the responsibility for trade reporting.

EMIR affects all entities “established” in the EU that enter into derivatives, whether they do so:

• for trading purposes

• to hedge themselves against interest rate or foreign exchange risk

• to gain exposure to certain assets as part of their investment strategy

Certain EMIR obligations (clearing and risk mitigation) may also affect non-EU entities.

EMIR applies to any legal or natural person established in the EU that is a legal counterparty to a derivative contract, including
interest rate, foreign exchange, equity, credit and commodity derivatives.

EMIR identifies two main categories of counterparty to a derivatives contract, and EMIR Refit added a third:

• Financial Counterparties (FC)

• Non-Financial Counterparties (NFC)

• Small Financial Counterparties (SFC), introduced by EMIR Refit

EU entities affected by EMIR are any entity:

• Financial Counterparties (FC), including EU authorized institutions:
  • Banks
  • Insurance companies
  • MiFID investment firms
  • UCITS funds and, where appropriate, their respective management company
  • Alternative Investment Funds managed by an AIFM (under the AIFMD)
• Non-Financial Counterparties (NFC):
  • Means an undertaking established in the EU which is not classified as an FC
  • There is a distinction between NFCs above the clearing threshold (“NFC+”) and NFCs below the clearing threshold (“NFC-”)
• Small Financial Counterparties (SFC):
  • SFCs are FCs with a limited trading volume in derivative instruments (below a certain threshold for over-the-counter (“OTC”)
    derivatives), such as certain investment funds or small banks.
  • SFCs may choose not to clear their derivative contracts.

Obligations under EMIR:

• Central clearing of certain Over-The-Counter (OTC) derivative transactions

• Risk mitigating measures apply to OTC derivatives not cleared via a CCP

• Reporting of OTC and ETD transactions to a Trade Repository

Depending on the financial institution, the role of Compliance might be limited or extended.

At least, Compliance has to make sure that:

• the 3 duties (clearing, reporting, mitigation of risk) are taken care of;

• responsible staff members were appointed to be in charge of each of these duties;

• an escalation procedure is organised in order to inform management and Compliance;

• in case of delegation or outsourcing of certain duties (e.g. reporting to a trade repository), the conditions for outsourcing are
respected (ongoing monitoring, due diligence…).

Q&A

Thank you for your participation!

• CCP: Central Counterparty clearing house
• CSSF: Commission de Surveillance du Secteur Financier
• CSMAD: Directive on criminal sanctions for insider dealing and market manipulation (2014/57/EU)
• ESMA: European Securities and Markets Authority
• ETD: Exchange traded derivatives
• EMIR: European Market Infrastructure Regulation
• ITS: Implementing Technical Standards
• MAD: Market Abuse Directive (2003)
• MAR: Market Abuse Regulation
• MTF: Multilateral trading facility
• OTC: Over the counter
• OTF: Organised trading facility
• RM: Regulated market
• RTS: Regulatory Technical Standards
• STOR: Suspicious transactions and orders reporting

1995 – Data Protection Directive:
• Directive nature
• Transposition into national law required
• Data protection authorities depending on specific country needs

2016 – General Data Protection Regulation:
• Regulation nature
• Direct application as from 25 May 2018
• Grants enforcement powers and includes the DPO role

What is personal data?
Any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification
number or to one or more factors specific to him / her.

Examples: name, photo, e-mail address, zodiac sign, IP address, phone number

The data collected must be proportional to the purposes of the data processing. The processing of special categories of personal
data (formerly “sensitive data”) is strictly regulated.

Examples of special categories: biometric data, racial or ethnic origin, medical data, identification data, sexual life, criminal offences

What personal data belong to the special categories?

• Examples (not exhaustive):
  • Racial or ethnic origin, political opinions, religious or philosophical beliefs
  • Membership of a trade union
  • Physical or mental health related data, sexual orientation, …
  • Social security number / national identification number
  • Judicial data, criminal records
• The processing of “special categories of personal data” is strictly regulated / limited (Art. 9 GDPR)

Data Subject
Any individual about whom personal data is processed.

Conditions: natural person; personal data; EU resident or citizen; activities of processing in the EU or in relation with EU residents

GDPR applies to EU citizens (regardless of their location), EU residents, data controllers / processors established in the EU, and data
controllers / processors established outside the EU when they process personal data in relation with data subjects that are EU
residents.
Examples: Chinese online shop with a website in English delivering goods to EU customers, American social network, …

Processing
Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means,
such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

What is a personal data processing?

Examples: making accessible, erasing data, collecting data, archiving data, transferring data, having access

Controller or Processor: natural or legal person, public authority, agency or any other body (school, prison, hospital, supermarket,
bank, social network, telecommunication operator, energy provider, …)
Controller
• Determines the purposes and means of the processing of personal data
• If more than one person is controller, they will be joint controllers
Processor
• Processes personal data on behalf of the controller, following its instructions

Data Protection rules applicability test:

1. Establishment or presence in the EEA processing personal data? YES → GDPR rules apply; NO → go to 2
2. Offering goods and/or services in the EEA? YES → GDPR rules apply; NO → go to 3
3. Monitoring the behaviour of data subjects in the EEA? YES → GDPR rules apply; NO → go to 4
4. Making accessible? YES → GDPR rules apply; NO → out of GDPR scope

1. Transparency: Data should be processed fairly and lawfully
2. Purpose and lawfulness: Data should be obtained only for one or more specified and lawful purposes, and the processing must
have a legal ground (out of the 6 listed by Art. 6 GDPR)
3. Relevancy: Data should be adequate, relevant and limited to the purpose of the processing
4. Accuracy: Data should be accurate and up-to-date
5. Data minimization: Data should be kept only for as long as necessary / lawful (register of data)
6. Rights: Data should be processed in accordance with the rights of the data subject (as applicable)
7. Information security: Adequacy of means: Data should be kept secure (physically and technically)
8. Privacy by design: take privacy into account from the start in any (new) process, new device or corporate procedure. Ex.: short
storage period, limited accessibility, store only necessary data
9. Privacy by default: ensure that personal data is processed with the highest privacy protection so that, by default, personal data
is not made accessible to an indefinite number of persons. If not stated otherwise, the person should be able to assume that his
or her personal data is not processed.

DPA (in Luxembourg: CNPD*) powers and duties
• Power of investigation

  • The DPA is allowed to access the data being processed. It has direct access to the premises where the data is processed
  (unless they are residential premises) and to the processed data, and carries out the necessary checks

• Power of sanction

  • The DPA can impose administrative and disciplinary sanctions (alert or admonish controllers; block, delete or destroy data;
  impose a temporary or definitive ban on a processing; order publication of the prohibition decision)

• Obligation of producing guidelines

  • The DPA has the task to produce guidelines and to cooperate with other DPAs

* Commission Nationale pour la Protection des Données

Objective: to give citizens control over their personal data and to simplify the regulatory environment for business

Directive (EU) 2016/680
• Transposed into Luxembourg law by a law of 1 August 2018
• Protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the
prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free
movement of such data

General Data Protection Regulation (EU) 2016/679
• Applicable and binding since 25 May 2018
• Harmonisation of rules within the European Union
• Enhanced cooperation between the national authorities of the 28 Member States
• Lawfulness for processing

DIRECTIVE: increased exchange of data between police and judicial authorities

• The Directive applies to the cross-border processing of personal data, as well as to the processing of personal data by police
and judicial authorities at a strictly national level. Accordingly, police and judicial authorities should no longer apply different
rules according to the origin of the personal data

• Transferring personal data from competent authorities to private entities is made possible under specific conditions. This
allows police authorities to take swift action in cases of a terrorist attack or other emergencies

• Police authorities are now allowed to limit both the information held on the data and the access to the processed data. The
framework allows police authorities to neither confirm nor deny whether they are in possession of personal data in order to
avoid compromising ongoing investigations.

REGULATION: increased protection of natural persons with regard to the processing of personal data and on the
free movement of such data

• New data subject rights: i) data portability, ii) right to be forgotten, iii) right to object, iv) right to object to automated
decision-making and profiling

• New data controller obligations: i) creation of a data repository / register, ii) implementation of data privacy impact assessments

• Obligation to appoint a Data Protection Officer under certain conditions

• Further responsibilities of data processors, e.g. assistance, reporting to the controller, submission to instructions

• Large increase in financial and administrative sanctions, e.g. suspending or interrupting processing

DATA CONTROLLER
A person who (either alone or jointly with other persons) determines the purposes for which and the manner in which personal data are to
be processed.
• Lawfulness and purpose of processing personal data
  • The controller must have legitimate reasons for carrying out the planned processing of data (ground for lawfulness to be
  identified among the 6 options available in GDPR Art. 6)
  • The purpose has to be determined before the processing begins, and has to be specified, explicit and legitimate
  • Data retention: only for the period of time necessary for the purpose of the processing. Once the purpose is fulfilled, the data
  should be removed (except if the data is “anonymous”, as it is not personal data anymore)
• Respect of the data subjects' rights (information about processing, access on request, right to object, …)
• Data security and confidentiality measures (processing, sub-contractors, protection of data by appropriate technical and
organisational measures)
DATA PROCESSOR
Any person (other than an employee of the data controller) who processes the data on behalf of the data controller. Execution of
instructions (responsibility for execution and assistance).

Article 6 lists 6 legal grounds for processing personal data:

1. Legitimate interests of the data controller
2. Public interest
3. Vital interests
4. Legal obligation
5. Contractual necessity
6. Consent

Data can only be processed for a specific and identified purpose.
The data subject needs to be informed about the purpose. If the purpose changes, data may not be processed any more without
new information.
Ex.: paying the salaries, keeping customers informed of our latest products, identifying a patient, …

Reference document: the Register of Processing Activities
• Every personal data processing has to be recorded in a register, kept up to date and available to the CNPD on simple request
• Processing activity: any (group of) operation(s) linked with personal data: collection, archiving, access, transfer, consultation,
deletion, transformation, …

Data Privacy Impact Assessment

• For certain types of processing activities, a specific and detailed risk analysis has to be conducted by the business line and
reviewed by the DPO. This analysis is a Data Privacy Impact Assessment. It explores the factors likely to allow for a data breach
(unauthorised access, loss of data, misuse of data, …) and increase the risks for the rights of the data subjects.

Chief Data Officer
• Highly recommended where the core activities involve regular and systematic monitoring of data subjects on a large scale or
processing of special categories of data at large scale.
• The CDO shall directly report to the highest level of management
• The CDO shall support the DPO in the execution of his/her tasks

Data Protection Officer
• Required by GDPR where: processing is performed by a public authority; the core activities involve regular and systematic
monitoring of data subjects on a large scale; or processing of special categories of data at large scale.
• The DPO shall directly report to the highest level of management
• The controller/processor shall support the DPO in the execution of his/her tasks
• Role of coordination

Chief Information Security Officer
• Senior-level executive responsible for establishing and maintaining the enterprise vision, strategy and program to ensure that
information assets and technologies are adequately protected
• Responds to incidents, establishes appropriate standards and controls, manages security technologies, and directs the
establishment and implementation of policies and procedures

Data subject rights:

• Right of access
• Right of rectification
• Right to be forgotten
• Right to restriction of processing
• Right to data portability
• Right to object
• Right to object to automated decision-making and profiling

Right of access
Obtain from the controller confirmation as to whether or not personal data concerning a data subject is being processed, and,
where that is the case, access to the personal data and the following information:
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in
third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to
determine that data retention period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of
personal data concerning the data subject or to object to such processing (limited right);
• where the personal data are not collected from the data subject, any available information as to the data source;
• when applicable, the existence of automated decision-making, including profiling.
The right of access may be limited by other regulations (e.g. suspicious activity/transaction reporting)

Right of rectification

• Obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

• Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data
completed, including by means of providing a supplementary statement.

The right of rectification should be read in coordination with the principles of i) accuracy of data, ii) relevance (completeness) and
iii) the obligation of keeping data up-to-date.

Right to be forgotten
Obtain from the controller the erasure of personal data concerning the data subject without undue delay where one of the
following grounds applies:
• the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
• the data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing;
• the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject
objects to the processing;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the
controller is subject;
• the personal data have been collected in relation to the offer of information society services.

RETENTION PERIOD

Right to restriction of processing
Obtain from the controller restriction of processing where one of the following applies:
• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of
the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their
use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data
subject for the establishment, exercise or defence of legal claims;
• the data subject has objected to the processing, pending verification whether the legitimate grounds of the controller
override those of the data subject.

Right to data portability

Request the transfer of the personal data concerning the data subject from one data controller to another data controller, in a
structured, commonly used and machine-readable format, where:
• the processing is based on consent or on the execution of a contract between the controller and the data subject, and
• the processing is carried out by automated means (no paper-only data)
• This includes: emails sent and received, identification data, transactions on an account, internet browsing history
• The portability is not absolute over analysis and other proprietary elements linked to the data (e.g. profiling or risk
analysis performed by obliged entities)
• Example: the Payment Services Directive 2 involves data portability

Right to object
Object, on grounds relating to the data subject's particular situation, at any time to the processing of personal data concerning the
data subject:
• Whenever such data is eligible to be erased
• Whenever such data has been obtained on a legal ground compatible with such a right
• Whenever the data is to be transferred out of the EU
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the
processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of
legal claims (e.g. statutory retention periods, cooperation with authorities…).

Right to object to automated decision-making / profiling

Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects
concerning him or her or similarly significantly affects the data subject.
This right shall not apply if the decision:
• is necessary for entering into, or performance of, a contract between the data subject and a data controller;
• is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to
safeguard the data subject's rights and freedoms and legitimate interests;
• is necessary for compliance with regulatory obligations of the controller or processor;
or
• is based on the data subject's explicit consent (for the period for which that consent is maintained).

• Before addressing a request, the controller shall:
  • verify the identity of the persons concerned
  • in case of doubt, the data controller may request identification documentation
• The information shall be provided in writing, or by other means, including, where appropriate, by electronic means (when
requested by the data subject, the information may be provided orally, provided that the identity of the data subject is
proven by other means)
• The controller shall facilitate the exercise of data subject rights
• The controller shall provide information on action taken on a request to the data subject without undue delay and in any
event within one month of receipt of the request (that period may be extended by two further months where necessary,
taking into account the complexity and number of the requests)

International transfers:
• Clear distinction between countries which are equivalent or not with regard to data protection (EU data adequacy
decisions): Andorra, Argentina, Canada, Israel, Japan, New Zealand, Switzerland, Uruguay, …
• Forbidden to non-equivalent countries except if very strict measures are in place:
  • Appropriate security measures
  PLUS
  • Standard contractual clauses (adopted by the EU or by the DPAs)
  OR
  • Binding Corporate Rules (BCR)

The topic of international transfers is very complex and still in evolution.

Circulars or guidelines from the National Competent Authority (NCA)
• Data protection shall be guaranteed at all times

• Pay attention to data protection provisions in case of outsourcing of services involving client or employee data

• Check which counterparts, including sub-contractors or service providers, are involved and in which jurisdiction

• The outsourcing does not relieve the institution of its legal and regulatory obligations or its responsibilities to its customers. A
data protection agreement may be necessary between controller and processor

• The outsourcing shall not result in any delegation of the institution's responsibility to the subcontractor / data processor

11. Data & Digital:

Blockchain technology and challenges under GDPR
• A blockchain is a shared immutable digital ledger that records transactions / documents / information in a block which is
then added to a chain of other blocks on a decentralised network. Blockchain technology operates through a peer network,
where transactions must be verified by participants before they can be added to the chain.
• Challenges: the GDPR will apply to any personal data that is stored or transmitted using a blockchain network:
  • Decentralised network: every person who accesses the network may be considered a data controller
  • Who is liable for a GDPR breach?
  • A blockchain is an immutable ledger, hence data cannot be erased
• Solutions, “compliant by design”:
  • Recommendation for regulatory guidance (EDPB: European Data Protection Board)
  • Code of conduct and certification measures between regulators and the private sector
What is blockchain technology:
https://m.youtube.com/watch?v=SzAuB2FG79A

Many employees working on professional devices have access to the internet and email. Many employers tolerate personal use of
email / internet as long as it is reasonable and does not conflict with professional duties. Employees have a right to privacy at work
(secrecy of correspondence). The employer needs to protect its goods and assets (confidentiality of data, …).
To this end, employers should inform the employees on:
• the use of information tools (private use? surfing on the internet? creation of personal files?);
• the record keeping rules;
• restrictions (blocking of internet sites, threshold on size of files, …);
• the modalities of controls (controls should be gradual: for example, samples without employees' names first, towards more
precise controls if needed).
Recommendations for internet use
• Internet access is normally given for professional use; the employer should inform employees on the conditions and modalities
for private use of the internet;
• Monitoring of internet use should be proportionate and define first a global and non-personal scope, and this for a defined
period of time; if internet use might indicate a harm to the company over a period, then a more personalised surveillance is
appropriate;
• Preventive use of virus scanners;
• Prohibitions or restrictions on downloading tools from the internet or connecting to discussion platforms (chats, blogs).

Recommendations for email use

• Private emails should be made distinguishable from professional emails; private emails cannot be accessed by the employer
(even if the use of private emails is not permitted);

• Continuity of the service by adding an out-of-office message or diverting incoming emails to another person (the absent
person must be informed of the identity of this person);

• End of service: the leaving employee is to transfer all professional emails to another person (e.g. line manager), to delete or
transfer private emails onto a private medium, and to inform senders to the “old email” to use another email address;

• Staff should be made aware of and trained on the risks of email use like fraud, phishing, theft of email address, viruses…

How can you implement these recommendations?
• Internal control policies and procedures;
• IT charter;
• Code of ethics;
• Employee handbook;
• Working instructions;
• USB key encryption;
• Clean desk policy, including rules regarding screen savers and lock-down rules;
• Risk awareness on phishing attempts;
• Privacy policy;
• Cookie policy.

What is a data breach?

Accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
• Examples of data breaches
  • All sorts of accidents such as:
    • A third person gets access to servers storing customer data due to security breaches in the computer system of the
    service provider
    • Anybody can access online client accounts without a password, while only a client with a password should have access
    to his account
    • An employee of a service provider loses a CD, a USB stick or a smartphone with customer data on it
    • A commercial agent of a mobile operator in a shop loses a contract from a new customer
• What to do in case of a breach?
  • Notify the DPA within 72 hours (under GDPR)
  • If the risk for the data subject is not low, notify the data subject without undue delay
  • An inventory of personal data breaches is to be maintained (registry)
  • Some exemptions from the obligation to notify (risk assessment from a data subject perspective: if there is no risk at all).

The GDPR imposes fines on data controllers and processors for non-compliance
Under GDPR, the processing of personal data without observing the required formalities provided by law is punished by :

fines up to the EUR 20 millions


or 2% to 4% of the worldwide annual revenue of the prior financial year, whichever is higher

(elements taken into account: nature of infringement, intention, mitigation, preventative measures, history, cooperation, data type, notification,
certification, other…)

Belgium:
Until recently, most decisions of the Belgian Data Protection Authority (Belgian DPA) concerned national companies or individuals. However, on 14 July 2020, the Belgian DPA imposed a fine of EUR 600,000 on Google Belgium SA/NV (Google Belgium) for not respecting a Belgian resident's right to be forgotten. This is the highest fine ever imposed by the Belgian DPA.
In its decision, the Belgian DPA stresses the importance of its decision by calling it a "landmark decision" ("décision de principe") in which it decides on certain "fundamental aspects" linked to de-referencing (on the basis of CJEU case-law), as well as on the demarcation of its powers to act.

United Kingdom:
In the UK, the average cost of a data breach has grown to nearly £2.7 million, according to IBM research, and the reputational harm can be incalculable.
Virgin Media: almost a million Virgin Media customers were believed to be impacted by a massive data breach in March 2020, which saw the personal details of 900,000 people accessed after a marketing database was left open for 10 months.

United States:
Equifax agreed to pay a minimum of $575 million for its 2017 breach. Uber's poor handling of its 2016 breach cost it close to $150 million. Weakly protected and heavily regulated health data cost medical facilities big that year, too, resulting in the US Department of Health and Human Services collecting increasingly large fines. Overall, hacks and data thefts have cost the following companies a total of nearly $1.23 billion and counting.

EU data protection authorities will continue to put pressure on regulated entities and the number of fines will continue to increase. As the CNPD now has a clear framework to conduct investigations, firms need to prepare themselves for active investigations. On 22 January 2020 the CNPD adopted its regulation governing the procedure for investigations. Luxembourg's data protection authority now has a clear framework within which to conduct investigations. For regulated entities, these procedures are similar to on-site investigations carried out by other regulators, and supervised entities should update their regulatory investigations policies.

● A client complains because he has received marketing advertisements on his personal email
● You are the Data Protection Officer

How do you handle the situation?

● Your Bank has different branches worldwide, based in EU, USA and Asia
● Each branch has its own HR software
● In order to improve the HR processes, the Bank wants to change its HR software and to set up a unique
solution which will be hosted in India and managed in Luxembourg
● You are the Data Protection Officer

What would be your approach?

● You are the DPO of an automotive company
● Employees remit their medical certificate to their direct supervisor when off sick.

What criticisms could the employees raise, and on the basis of which principles / rights defined in the GDPR?
What would be a better alternative solution?

● You are the DPO of a pension fund
● An IT security issue has allowed your PSF in charge of payroll and administrative tasks to access data about
the names of the affiliated companies as well as the names of the beneficiaries of the pensions paid.

Is this a data breach? Why / why not?


What measures shall be taken?

● You are the DPO of a bank
● A former customer (account closed 6 years ago) wants "to be forgotten".
● You hold the following information about him:
• KYC (ID, source of funds, profession, CV, different addresses, family, information found on the Internet about him, …)
• KYT: over 10 years of transaction details, documents in relation with special transactions
• Suspicious transaction report sent 8 years ago to the FIU in relation with one of his transactions
• Pictures and plans of his house, for which he requested a mortgage that he eventually did not take from your institution
• Letter of complaint that he wrote 5 years ago about the poor level of service in his local branch

How will you address this request?

Thank you for your attention

 The knowledge provided by this document is purely informative. Although the House of Training
does its utmost to ensure that this information is correct and up to date, it declines any
responsibility for possible damages, losses or losses of earnings, direct or indirect, induced by its use.

 The contents are subject to the laws of copyright, all rights reserved.

05/05/2021

1. GOVERNANCE, RISKS AND COMPLIANCE (« GRC »)


2. TIMETABLE AND OWNERSHIP
3. RCSA - EVENT EVALUATION, LIKELIHOOD, EFFECTIVENESS of CONTROLS
• AREA OF RISKS
• INHERENT RISK ASSESSMENT
• LIKELIHOOD WITH A TIME HORIZON
• PROBABILITY AND IMPACT SEVERITY EVALUATION
4. CONTROL ENVIRONMENT
5. RESIDUAL RISK ASSESSMENT
6. THE COMPLIANCE MONITORING PLAN

Governance, risk and compliance (GRC) refers to a strategy for managing an organization's overall governance,
enterprise risk management and compliance with regulations. Corporate governance is a broader concept which
may be described as the set of relationships between an institution, its board of directors, its authorised
management, its shareholders and other stakeholders.
When corporate failures strike, meaning that risk has not been managed carefully, there is most often a corporate
governance breakdown behind the crash.
How to implement a sound GRC?
CSSF circular 12/552 as amended – similar rules in CSSF circular 18/698
 An internal governance which is consistent with the three-lines-of-defence model.
 A sound and prudent management of the business, including the risks inherent in it.
….


Reminder – A SOUND CORPORATE GOVERNANCE
Boards are required to maintain sound risk management and internal control systems and have to confirm in their annual report
that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its
business model, future performance, solvency or liquidity.
The first line of defence consists of the business units that take or acquire risks under a predefined policy and limits and carry out
day-to-day controls.
The internal control procedures shall provide that the operating staff control, on a day-to-day basis, the transactions they carry
out in order to identify as soon as possible the errors and omissions that occurred during the processing of the current
transactions.
Examples of these controls include daily screening, transaction monitoring, reconciliation of cash flows and settlement of transactions.
The second line is formed by the support functions, including the financial and accounting function as well as the IT function, and
the compliance and risk control functions, which contribute to the independent risk control.
The third line consists of the internal audit function, which provides an independent, objective and critical review of the first two
lines of defence.

 The professionals shall consider all relevant risk factors before determining the overall risk level and the level and type of
appropriate measures to apply in order to manage and mitigate these risks.
 The professionals shall ensure that the information on the risks included in the national and supranational risk assessment or
communicated by the supervisory authorities, self-regulatory bodies or the European Supervisory Authorities is incorporated in
their risk assessment.
 The professionals shall document, keep up to date and make the risk assessments available to the supervisory authorities and
self-regulatory bodies. The supervisory authorities and self-regulatory bodies may decide that individual documented risk
assessments are not required where the specific risks inherent in the sector are clear and understood.


The ownership and responsibility for completion of the Risk Controls Self Assessment (« RCSA »)
 The role of Compliance and Risk Management is to support and to challenge the business by providing advice on the risk
management framework and RCSA requirements;
 The RCSA is also used
• to plan the annual compliance monitoring programme (« CMP »);
• To allocate the Compliance resources in an optimum manner
• To determine the needs for tool enhancements and project development
 All inputs and outputs to the RCSA belong to the business and should be agreed by senior management and wherever
appropriate approved by the management board
 Integrated in the Governance process with the approval of the Authorized Management


 Risk Mapping
 Per service line or per process
 Inherent risk assessment
 Control environment
 Residual risk assessment

 Compliance risk identification:
• Identify all applicable requirements via the regulatory watch
• Analyse the regulatory requirements
• Gap analysis & impact
 Compliance Risk Assessment:
• Categorise requirements
• Classify according to defined level of risks (likelihood & Impact)
 Compliance Risk Management:
• Advice & Training
• Design & implement controls, procedures
 Compliance Risk Monitoring:
• Review process
• Compliance monitoring plan
• Reporting


 Objectives that relate to the entity conducting and conforming itself in line with applicable laws, regulations and its own
(Group) policies concerning conduct and integrity.
 Monitoring and oversight will provide assurance or show weaknesses.
 There must be proactive action for regulatory and ethical change.
 The outcome is to minimise the risk of regulatory censure, supervisory remediation, unlawful practice,
reputational damage and loss of business.

 Inherent risk is the risk of not complying with the provisions of the laws or regulations applicable to the industry. Risks
must be evaluated according to their impact on the business, should the risk not be properly monitored:
• Likelihood of the risk happening
• Impact on the firm, should an incident happen
 Inherent risks consider the possibility of unplanned or unintended causes which could have an impact on compliance risks
 Examples
• Category of risks: AML & CFT
• Regulatory framework: consolidated Luxembourg law dated 12 November 2004 on AML & CFT
• Sub-category of risks:
• on-boarding without local acceptance committee approval
• acceptance of a transaction without a duly signed agreement
• error when booking a name in the client database
• risk that the clients and/or services have been attributed an incorrect risk rating
• inadequacy of the training materials
• ….
List other inherent risks


 Inherent risks consider the possibility of unplanned or unintended causes which could have an impact on compliance risks
 Examples
• Category of risks: Conflict of interest
• Regulatory framework: CSSF circular 12/552 on corporate governance as amended; CSSF circular 04/155 on the compliance
function; CSSF circular 18/698 applicable to management companies and transfer agents
• Sub-category of risks:
• Risk that the staff do not sign off the internal rules regarding personal transactions
• Risk that the Bank does not correctly and completely assess all relevant fees, commissions or non-monetary benefits
paid or received
• Risk that the Bank does not adequately inform its clients on conflicts of interest
• Risk that the Bank does not keep an updated inventory of conflicts of interest that have occurred
List other inherent risks

 Inherent risks consider the possibility of unplanned or unintended causes which could have an impact on compliance risks
Take the time to make the Compliance Risk Assessment on other compliance risks.
On which category of risks do you have a compliance risk exposure?
 In summary, one line of the RCSA sheet has the following columns:

| Area of risk | Component of risk | Business line (what services are at risk) | Describe your inherent risk | Likelihood | Impact | Inherent rating |
|---|---|---|---|---|---|---|


Worked example 1 – AML/CFT

| Theme | Generic risk | Detailed risk | Legal ref | Internal ref |
|---|---|---|---|---|
| AML/CFT | Client AML risk rating | Risk that clients and/or services have not been risk-rated for ML/TF. The absence of a risk-based approach would lead to improper levels of KYC and frequency of file review. It can also mislead Compliance as regards the need to flag certain clients for transaction monitoring. | Art 3(2a) of the Law of 12 November 2004; Art 5 of RCSSF 12-02; CSSF Circular 11/519 | Group AML Directive; Local AML Policy; Compliance Working Memorandum |

Impacted areas (impact factors, rated 1–4):

| Factor | Rating |
|---|---|
| Impact: reputational fallout / brand damage | 3 |
| Impact: civil, criminal and regulatory fines or penalties | 4 |
| Impact: financial / materiality | 2 |
| Global impact | 3 |

Likelihood factors (rated 1–4):

| Factor | Rating |
|---|---|
| Volume of activity | 4 |
| Complexity of process / laws / regulations | 3 |
| Degree of change | 3 |
| Staff | 3 |
| Global likelihood | 3.25 |

Gross risk score (as printed on the slide): 3


Worked example 2 – Investor protection

| Theme | Generic risk | Detailed risk | Legal ref | Internal ref |
|---|---|---|---|---|
| Investor protection | Client classification | Risk that the Bank does not inform its client regarding his MiFID classification | Directive 2014/65/EU (MiFID II); Regulation (EU) 600/2014 (MiFIR); Law of 30 May 2018 | Investor protection policy; Client classification procedure |

Impacted areas (impact factors):

| Factor | Rating |
|---|---|
| Impact: reputational fallout / brand damage | 3 |
| Impact: civil, criminal and regulatory fines or penalties | 2 |
| Impact: financial / materiality | 3 |
| Global impact | 2.67 |

Likelihood factors (values as printed on the slide):

| Factor | Rating |
|---|---|
| Volume of activity | 3 |
| Complexity of process / laws / regulations | 2 |
| Degree of change | 3 |
| Staff | 2.67 |
| Global likelihood | 2.00 |

Gross risk score: 5.33 (global impact 2.67 × global likelihood 2.00)

Worked example 3 – Market abuse & integrity

| Theme | Generic risk | Detailed risk | Legal ref | Internal ref |
|---|---|---|---|---|
| Market abuse & integrity | Market manipulation | Risk that the Bank performs market manipulation | EU Regulation 596/2014; Law of 23 December 2016; CSSF 06/257 – Sect. 3 | Market Abuse Policy; Conflict of interest policy; Conflict of interest procedure |

Impacted areas (impact factors):

| Factor | Rating |
|---|---|
| Impact: reputational fallout / brand damage | 3 |
| Impact: civil, criminal and regulatory fines or penalties | 3 |
| Impact: financial / materiality | 2 |
| Global impact | 2.67 |

Likelihood factors:

| Factor | Rating |
|---|---|
| Volume of activity | 2 |
| Complexity of process / laws / regulations | 3 |
| Degree of change | 3 |
| Staff | 3 |
| Global likelihood | 2.75 |

Gross risk score: 7.33 (global impact 2.67 × global likelihood 2.75)


| Description | Rating | Likelihood | Comments |
|---|---|---|---|
| Risk is seen as unlikely to occur | 1 | less than x% | Take into account the number of occurrences during the contemplated time horizon |
| Risk is possible but unusual | 2 | between x% and y% | |
| Risk is plausible | 3 | between y% and z% | |
| Risk is highly likely to occur | 4 | above z% | |

Time horizons are usually strategic and specific to the corporate objective.

Likelihood can be based on different elements:
 Volume of the relevant impacted activity
 Complexity of the processes, laws or regulations
 Level of staff technical expertise

| Measure of impact | Financial (EBITDA) | Delivery continuity | Delivery process | Regulatory | Reputational |
|---|---|---|---|---|---|
| Negligible effect | | | | | |
| Reportable effect | | | | | |
| Significant material effect | | | | | |
| Catastrophic effect | | | | | |

Each impact effect type can be mutually exclusive; a group of related effects could be of greater magnitude.

Impact of an incident can be based on different elements:
 Reputation
 Fines & penalties
 Financial materiality


 Consider the controls your company has in place. Take into account both the 1LoD and the 2LoD.
 For each area of risk, understand and describe the control environment, explaining preventative controls and reactive measures
to those risks as may be relevant.
Example: there is a management four-eyes check and segregated senior sign-off required by the local procedures. This process is
(partially) automated but …. Measures are in place to note exceptions and report those to management, …
 For each area of risk, assess the overall effectiveness of the controls (are they being lived or ignored). You must consider what
indicators would validate your rating of control effectiveness if asked and challenged.
 Potential gaps in the adequacy of controls and measures which safeguard risks can be perceived as a weakness or could be
considered as an opportunity to instigate change to address effectiveness and efficiency.

 Consider any causes or triggers that might still lead to the possibility of the occurrence of an event despite existing
preventative controls and safeguards to lower the likelihood
 Should an event occur, consider what the effect or determined consequences would be despite any existing reactive controls
that should mitigate and or soften the impact
 Assess and rate the likelihood and impact of the residual risk
 Consider any remaining risk that might not be sufficiently managed or perhaps unable to be managed, based upon the detail
provided.
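As an added illustration by the editor, not part of the course material, the arithmetic behind the worked tables above carried through in Python. Global impact and global likelihood are the mean of the factor ratings and the gross risk score is their product, which reproduces the 2.67 × 2.75 = 7.33 of the market manipulation example. The control-effectiveness reduction used for the residual step, the heat-map band thresholds and the second (sanction screening) row are the editor's assumptions, since the slides give no formula for residual risk and no heat-map scale.

```python
# RCSA scoring helper: added illustration by the editor, not part of the
# House of Training course material. It reproduces the arithmetic of the
# worked tables (global score = mean of factor ratings, gross risk =
# global impact x global likelihood) and adds ASSUMED steps marked below.
from dataclasses import dataclass
from statistics import mean


@dataclass
class RiskLine:
    """One row of the RCSA sheet, rated on the 1-4 scale of the slides."""
    theme: str
    generic_risk: str
    # Impact factors: reputational fallout, fines/penalties, financial materiality.
    impact: dict
    # Likelihood factors: volume of activity, complexity, degree of change, staff.
    likelihood: dict
    # ASSUMPTION: effectiveness of existing 1LoD/2LoD controls, 0.0 (none)
    # to 1.0 (fully effective). The slides rate controls qualitatively only.
    control_effectiveness: float = 0.0


def _global(factors: dict) -> float:
    """Unrounded global score: arithmetic mean of the factor ratings."""
    if not factors:
        raise ValueError("at least one factor rating is required")
    for name, rating in factors.items():
        if not 1 <= rating <= 4:
            raise ValueError(f"{name}: rating {rating} is outside the 1-4 scale")
    return mean(factors.values())


def global_score(factors: dict) -> float:
    """Global impact or likelihood as shown on the sheet (two decimals)."""
    return round(_global(factors), 2)


def gross_risk(line: RiskLine) -> float:
    """Gross (inherent) risk = global impact x global likelihood, range 1-16.
    Computed from the unrounded means, which is how 2.67 x 2.75 gives 7.33."""
    return round(_global(line.impact) * _global(line.likelihood), 2)


def residual_risk(line: RiskLine) -> float:
    """ASSUMED residual model: gross risk reduced in proportion to control
    effectiveness. Replace with the house method if one is defined."""
    if not 0.0 <= line.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    raw = _global(line.impact) * _global(line.likelihood)
    return round(raw * (1.0 - line.control_effectiveness), 2)


def heat_band(score: float) -> str:
    """ASSUMED heat-map bands on the 1-16 gross/residual scale."""
    if score < 4:
        return "low"
    if score < 8:
        return "medium"
    if score < 12:
        return "high"
    return "critical"


def prioritise(lines: list) -> list:
    """Rank lines by residual risk, highest first: the input for deciding
    CMP frequency and man-day budget."""
    ranked = sorted(lines, key=residual_risk, reverse=True)
    return [(l.generic_risk, gross_risk(l), residual_risk(l), heat_band(residual_risk(l)))
            for l in ranked]


# Row taken from the market abuse example above (ratings as printed).
MARKET_MANIPULATION = RiskLine(
    theme="Market abuse & integrity",
    generic_risk="Market manipulation",
    impact={"reputational": 3, "fines_penalties": 3, "financial": 2},
    likelihood={"volume": 2, "complexity": 3, "degree_of_change": 3, "staff": 3},
    control_effectiveness=0.5,  # ASSUMED, for the residual illustration
)

# Constructed row (not from the slides) so the ranking has something to sort.
SANCTION_SCREENING = RiskLine(
    theme="AML/CFT",
    generic_risk="Sanction screening",
    impact={"reputational": 4, "fines_penalties": 4, "financial": 3},
    likelihood={"volume": 4, "complexity": 3, "degree_of_change": 2, "staff": 3},
    control_effectiveness=0.75,  # ASSUMED
)

if __name__ == "__main__":
    for name, gross, residual, band in prioritise([MARKET_MANIPULATION, SANCTION_SCREENING]):
        print(f"{name:<22} gross={gross:>5}  residual={residual:>5}  band={band}")
```

Note that the constructed sanction-screening row has the higher gross score (11.0) but, once the assumed control effectiveness is applied, ranks below market manipulation on residual risk; this is the ordering the CMP frequency and man-day budget should follow, and the reason the control environment must be assessed honestly rather than optimistically.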


 Presentation of a heat map


 Risk-based approach for residual risk valuation
 Mitigating measures to be implemented in order to bring the risk value to an acceptable level / rate
 Target for the following year

 Man-day budget in the CMP as well as frequency of controls will be a direct consequence of the CRA
 The following is an example plan of those residual risks which, after conducting the Compliance Risk Assessment, shall be
subject to monitoring. Various forms of CMP exist.

| Risk area | Frequency | Service lines | Month | Comments |
|---|---|---|---|---|
| Sanction screening | Daily | Client database | | |
| AML – file review | Monthly | Transfer Agent | | |
| Market abuse – personal transactions | Quarterly | Human Resources | | |
| Training | Yearly | Human Resources | | |

 The plan should focus on the most material risks and should be achievable with the resources available.
 The frequency of testing a particular topic or theme should be aligned to the risk posed.
 The rationale as to why a particular topic has or has not been included within the CMP must be clearly
documented within the RCSA, with supporting evidence where necessary.
 The CMP is a living document to allow flexibility where required.


 Outcomes of CMP must be reported to local management and boards


 Templates exist
 Findings and recommendations will be risk rated to ensure consistent reporting
 The outputs must clearly identify desired outcome, responsibility for completion and deadline for any remedial action required
