Compliance - Fundamentals
Welcome to the House of Training!
Training opens doors and horizons. This is a privileged time; remember to take advantage of this opportunity.

Some useful information before you start...

Our courses are developed and validated by quality circles that bring together experts by specialty. In principle, the contents are reviewed at the beginning of each semester. If important news that could cause changes in the course material should occur between these periods, the related information will be provided orally during the course or through documents annexed to the actual course material.

Our trainers are professionals and practitioners, specialists in their field.

Our exams: the vast majority of our courses offer the possibility to register for an exam. It is recommended to register within 2 months of your training session, because the course material is regularly updated to reflect the evolution of current events. Each "Fundamentals" exam lasts for an average of 1 hour; intermediate and advanced level exams ("Informing ...", "Implementing ...", "Mastering ...", etc.) last about 1:30.

For more information about our offer, course content, prerequisites, additional training, course dates and/or exams or other procedures for each module, our website www.houseoftraining.lu provides fast and efficient search by keyword.
Training in Compliance: specificities of the exams

Compliance-Fundamentals
• All questions are written in English.
• To be successful, the candidates must score at least 60% of the total points.
• The ‘Compliance-Fundamentals’ exam consists of multiple choice questions. The consultation of the course material during the examination is not permitted.

Compliance-Implementation of the Regulatory Framework
• All questions are in English; however, candidate answers may be written in English or French, depending on the language of the course followed by the candidate.
• To be successful, candidates must get at least 60% of the total points.
• The ‘Compliance-Implementation of the Regulatory Framework’ exam paper is composed of open questions requiring that candidates develop their arguments in a clear, concise and structured way. The consultation of the course material ‘Compliance-Fundamentals’ and ‘Compliance-Implementation of the Regulatory Framework’ (incl. appendices as well as circulars, legal texts...) during the examination session is permitted. It is not permitted, however, to copy-paste information from the available sources of information unless it is quoted.

Compliance-Mastering all aspects of a Compliance Officer’s function in the financial sector
• Passing the exams of the ‘Compliance-Fundamentals’ and ‘Compliance-Implementation of the Regulatory Framework’ modules and having at least 3 years of practical experience in a compliance function are conditions to be admitted to the ‘Compliance-Mastering all aspects of a Compliance officer’s function’ course. Please consult our website and/or our brochure for further details.
• In the ‘Compliance-Mastering all aspects of a Compliance officer’s function’ module the participants are required to work in a team (usually, 3 persons per team).
• The final step of the ‘Compliance-Mastering all aspects of a Compliance officer’s function’ module is an assessment session where all the members of each team jointly present their case study.
TABLE OF CONTENTS – Compliance-Fundamentals

SESSION 1:

1. Introduction – Why Compliance?
1.1 Genesis and evolution
1.2 Compliance, ethics and governance

2. What is Compliance?
2.1 Definition and objectives
2.2 Compliance risks
2.3 Compliance charter
2.4 Pyramid of norms
2.5 Risk-based approach

3. International bodies promoting Compliance
3.1 Basel Committee on Banking Supervision
3.2 European Supervisory Authorities (ESAs)
3.3 FATF / GAFI
3.4 Wolfsberg Group

Addendum: further readings

SESSION 2:

1. Establishing a Compliance function
1.1 General principles
1.2 Compliance requirements

2. Compliance risks

3. Compliance function role and responsibilities
3.1 Compliance part of the Internal Control Functions
3.2 The Internal Control Framework
3.3 Roles and responsibilities: Board of Directors (BoD)
3.4 Roles and responsibilities: Authorised management (Conducting Officers)
3.5 Roles and responsibilities: Employees
3.6 Roles and responsibilities: Compliance Function
3.7 Roles and responsibilities: Person in charge of AML/CTF
3.8 Relationships with key other functions/stakeholders

Compliance founding documents

SESSION 3:

1. Ethics
1.1 Principles
1.2 Code of Conduct
1.3 Anti-corruption
1.4 Whistleblowing
1.5 Professional Secrecy

2. Financial Crime
2.1 Anti-Money Laundering (AML) / Counter Terrorism Financing (CTF)
2.2 Tax offences
2.3 Fraud

3. International sanctions

4. Tax compliance
4.1 FATCA
4.2 Automatic Exchange of Information in tax matters (CRS)
4.3 FATCA/CRS Reporting

Tax compliance

SESSION 4:

1. Market integrity

2. Client protection

3. Conflicts of interests

4. Data protection

5. Remuneration Policy

30/03/2021

The support includes documents prepared by the ABBL

 ~1970 USA, several major business and government excesses generate legal, public and political reaction.
An unstable  SEC investigations discovered number of US companies participated in bribery overseas.
geopolitical  International sanctions, restrictions and embargoes are used more and more in the foreign policies of the
environment in a countries
globalized economy  The fight against money laundering and terrorism financing
 The globalisation of the economies in a context of fast exchange of information involved new risks:
external fraud, cyber-fraud, financial crime, etc.

Development, of
Corporate Social  The white collar crime knows a strong growth (abuse of corporate assets, abuse of
Responsibility and weaknesses, bankruptcy, fraud with the grants or the issue of CO2 quotas, market
ethics abuse, manipulation or interest rates, etc.)

A highly regulated  Media pressure, of NGOs, the consumers…


industry  A regulatory “tsunami”… Development of “class actions” in Europe

How did the financial crisis impact the regulatory environment and the development, expansion, growth of the risks of non-compliance and reputation?

Banking and financial crisis: loss of trust in the financial institutions
• Strengthening of the international rules and increasing transparency and integrity of the markets, protection of the investors and the consumers of financial instruments.
• At the European level, the European Commission published and updated Directives/Regulations which find their source in the “consumer protection” package: MiFID2/MiFIR, PRIIPs, Insurance Intermediation Directive “IMD2”, Transparency Directive, MAD/MAR, EMIR, AIFMD, AML, etc.

Economic crisis
• Economic crisis periods tend to encourage the development, expansion, growth of the risks of fraud or the violations of the rules, white collar crime or “financial crime”…

Budgetary crisis
• The budgetary crisis in the occidental countries encouraged the governments to reinforce the pressure and the development of tax matters regulations: US FATCA, CRS, BEPS…
• In this context, tax crime is a key subject of the 4th AML Directive (primary offence of money laundering). It has been the case in Luxembourg since 1 January 2017.
• In 2019, the implementation of the 5th AML Directive requires, amongst others, an Ultimate Beneficial Owners register by member state and a list of high risk countries.


Compliance can be defined as the process by which a business ensures that it has fulfilled all of its regulatory and statutory obligations.

It refers to the processes which make it possible to ensure the respect of the norms applicable to the business by all employees, including authorised management and the Board of Directors (BoD), and also of the values and the ethical spirit inculcated by the Management of the Financial Institution.

CSSF Circular 12/552 (as amended) is applicable to credit institutions, investment firms and professionals performing lending operations.

CSSF Circular 04/155 is applicable to all electronic money institutions and payment institutions.

CSSF Circular 18/698 is applicable to investment fund managers.

The aim of the Compliance function is:
● to anticipate,
● to identify the compliance risks of an institution,
● to assess them,
● and to assist the authorised management in limiting these risks;
● this is to be performed on an ongoing basis and without delay.


CSSF Circular 12/552 as amended - Art. 131 and CSSF Circular 18/698
(International ref.: Basel Committee, Compliance and the compliance function in banks, 2005)
“risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its banking activities (together, “compliance laws, rules and standards”)”
[…] these risks may include a variety of risks in connection with all activities of the institution such as:
• reputational risk,
• legal risk,
• risk of dispute,
• risk of sanctions,
• some operational risk aspects, in connection with all activities of the institution.

The compliance charter must be approved by the authorised management and the BoD, and brought to the attention of all staff members, including subsidiaries and branches abroad, and shall at least set the terms of operation of the Compliance function:
• objectives, responsibilities and powers of the Compliance function,
• define the position of the Compliance function in the organisation chart (independence, objectivity, integrity, competences, authority and adequacy of the resources),
• recognise the right of initiative to open inquiries on all activities (including subsidiaries and branches),
• define the responsibilities and reporting lines of the Chief Compliance Officer (CCO),
• describe the relationships with the risk control and internal audit functions,
• establish the conditions and circumstances applicable where external experts are used,
• establish the right for the CCO to directly and on his/her own initiative contact the chairman of the BoD, the members of the audit committee, the compliance committee as well as the CSSF.


Pyramid of norms:
1. International standards
2. European regulations, directives and guidelines
3. Luxembourg laws
4. Grand-Ducal regulations
5. Luxembourg national competent authorities' regulations / circulars
6. Internal manuals and procedures of the institution which, while clearly not norms, are the internal rules of the institution which any staff member will apply in the execution of his/her tasks.

Strong necessity of a thorough risk assessment / mapping, aiming at:
1. Highlighting the strengths and weaknesses of the financial institution facing its legal and regulatory obligations
2. Preventing immediate and long term impacts:
• Potential sanctions, withdrawal of the authorisation to carry on activities
• Reputation (risk of image)
• Litigation / dispute
• Risk of financial loss (institution direct exposure or customers' indemnification due to non-respect of legal and regulatory requirements)
• The corrective measures should be documented in the Compliance Action Plan


● Basel Committee on Banking Supervision (www.bis.org/bcbs)
● European Supervisory Authorities (www.eba.europa.eu; https://eiopa.europa.eu; www.esma.europa.eu)
● FATF/GAFI (www.fatf-gafi.org)
● Wolfsberg Group (www.wolfsberg-principles.com)
● The Organisation for Economic Co-operation and Development (OECD) (www.oecd.org)

STRONG AND DEEP INFLUENCE ON ALL COMPLIANCE REGULATIONS


• Established on 17 May 1930, the Bank for International Settlements (BIS) is an international financial organisation owned by 60 member central banks representing countries from around the world that together make up about 95% of world GDP.
• The Basel Committee on Banking Supervision (BCBS) provides a forum for regular cooperation on banking supervisory matters. Its objective is to enhance understanding of key supervisory issues and improve the quality of banking supervision worldwide.
• Founded in 1974 by the central bank Governors of the Group of Ten countries (in the aftermath of serious disturbances in international currency and banking markets).
• Comprised of 45 member central banks and bank supervisors from 28 jurisdictions (2019).
• The BCBS does not possess any formal supranational authority. Its decisions do not have legal force.

Activities
• exchanging information on developments in the banking sector and financial markets, to help identify current or emerging risks;
• sharing supervisory issues, approaches and techniques to promote common understanding and improve cross-border cooperation;
• establishing and promoting global standards, guidelines and sound practices;
• addressing regulatory and supervisory gaps that pose risks to financial stability;
• monitoring the implementation of BCBS standards in member countries;
• consulting with central banks and bank supervisory authorities which are not members of the BCBS, promoting implementation of standards, guidelines and sound practices;
• coordinating and cooperating with other financial sector standard setters and international bodies.


How?
Through ongoing efforts, by exchanging information on national supervisory issues, approaches and techniques, with a view to a common understanding.
Policy dissemination: policy decisions by the Basel Committee are published in the form of:
• standards, which establish minimum requirements for member jurisdictions;
• guidelines, which elaborate standards in areas important for the prudential regulation and supervision of banks;
• sound practices, which describe observed practices with a view to promoting common understanding and improving supervisory or banking practices.

Regular issuance of High Level Papers, as part of its ongoing efforts to address bank supervisory issues and enhance sound practices in banking organisations, e.g.:
• 29 April 2005: Compliance and the Compliance function in banks
• 26 August 2008: Implementation of the Compliance principles
• 15 January 2014: Sound management of risks related to ML + TF
• 7 June 2017: Sound management of risks related to ML + TF

Main principles (1/2)

• Banking Supervisors must be convinced that effective Compliance policies and procedures are followed and that Management takes appropriate corrective action when Compliance failures are identified.

• Compliance should be part of the culture of the organisation; it is not just the responsibility of the Compliance staff.

• A bank should organise its Compliance function and set priorities for the management of its compliance risks in a way that is consistent with its own risk management strategy and structures.

• Regardless of how the Compliance function is organised within a bank, it should be independent and sufficiently resourced, its responsibilities should be clearly specified, and its activities should be subject to periodic and independent review by the Internal Audit function.

NB: The Basel Committee accepts significant differences between banks regarding the organisation of the Compliance function.


Main principles (2/2)

• The bank’s Board of Directors is responsible for overseeing the management of the bank’s compliance risks. The Board should approve the bank’s Compliance policy, including a formal document establishing a permanent and effective Compliance function. At least once a year, the Board or a committee of the Board should assess the extent to which the bank is effectively managing its compliance risks.

• The bank’s Senior Management is responsible for:
  - the effective management of the bank's compliance risk;
  - establishing and communicating the Compliance policy;
  - ensuring that it is adhered to; and
  - reporting to the Board of Directors on the management of the bank's compliance risk.

• In case of cross-border groups: the compliance function and its responsibilities should be consistent with local legal and regulatory requirements.

The ESAs are the:
• European Banking Authority (EBA)
• European Insurance and Occupational Pensions Authority (EIOPA)
• European Securities and Markets Authority (ESMA)

Tasks
• harmonising financial supervision in the EU by developing a single rulebook, a set of prudential standards;
• helping to ensure the consistent application of the rulebook to create a level playing field;
• mandated to assess risks and vulnerabilities in the financial sector.

Independent EU Authorities, but accountable to the European Parliament, the Council of the European Union and the European Commission.


The EBA was established on 1 January 2011 as part of the European System of Financial Supervision (ESFS).
Objectives
EBA works:
• to ensure an effective and consistent level of prudential regulation and supervision across the European banking sector;
• to maintain the EU financial stability;
• to safeguard the integrity, efficiency and orderly functioning of the banking sector;
• to improve the functioning of the internal market by ensuring appropriate, efficient and harmonised European supervision and regulation;
• to contribute, through the adoption of Binding Technical Standards and Guidelines, to the creation of the European Single Rulebook in banking. The Single Rulebook aims at providing a single set of harmonised prudential rules for financial institutions throughout the EU, helping create a level playing field and providing high protection to depositors, investors and consumers.

Role and responsibilities
• EIOPA was established in consequence of the reform of the structure of supervision of the financial sector in the EU. Before and during the financial crisis in 2007 and 2008, the European Parliament called for a move towards more integrated European supervision in order to ensure a true level playing field for all actors at the level of the EU and to reflect the increasing integration of financial markets in the Union.
• EIOPA’s main goals are:
  - Better protecting consumers, rebuilding trust in the financial system.
  - Ensuring a high, effective and consistent level of regulation and supervision, taking into account the varying interests of all Member States and the different nature of financial institutions.
  - Greater harmonisation and coherent application of rules for financial institutions and markets across the European Union.
  - Strengthening oversight of cross-border groups.
  - Promoting a coordinated EU supervisory response.


Role and responsibilities
• ESMA was founded in 2009 and began operations on 1 January 2011.
• ESMA is an independent EU Authority that contributes to safeguarding the stability of the European Union’s financial system by enhancing the protection of investors and promoting stable and orderly financial markets.
• ESMA has one mission (to enhance investor protection and promote stable and orderly financial markets) and three objectives (investor protection, orderly markets, financial stability), pursued by:
  - assessing risks to investors, markets and financial stability;
  - completing a single rulebook for EU financial markets;
  - promoting supervisory convergence;
  - directly supervising specific financial entities (credit rating agencies, trade repositories).

• ESMA has the power to issue guidelines (Article 16 of ESMA Regulation 1095/2010) which are addressed to competent authorities or, as the case may be, to market participants.

• According to Regulation 1095/2010, ESMA is entitled to elaborate technical standards to be submitted to the Commission for endorsement.

• ESMA provides an overview of all technical standards and guidelines published on its website, with information about the process and related document(s).

• ESMA is the direct supervisor of specific financial entities: Credit Rating Agencies (CRAs) and Trade Repositories (TRs). These entities form essential parts of the EU’s market infrastructure.


The Organisation for Economic Co-operation and Development (OECD)
• Established in 1961, headquartered in Paris, 36 member countries; it was originally established to stimulate the economic progress of its members.
• Forum for governments to share experiences and seek solutions to common problems.
• International standards on a wide range of things, from agriculture and tax to the safety of chemicals.
• Main Compliance topics: Fight TAXATION –
• Scope: international and domestic issues, across direct and indirect tax matters, tax transparency – ensuring that bank secrecy and other forms of financial opacity do not prevent tax administrations from being able to apply their tax laws no matter where their taxpayers choose to place
• Global Forum on Transparency and Exchange of Information for Tax Purposes (Global Forum): 161 members of the Global Forum; 100 countries and jurisdictions committed to automatically exchanging financial account information by September 2018.
• Compliance related topics: FATCA, CRS (Common Reporting Standard), transfer pricing, anti-tax avoidance directive (ATAD), etc.

Role and responsibilities
An inter-governmental body established in 1989 by the Ministers of its Member jurisdictions (39 members in 2020).
• Objectives: to set standards and to promote effective implementation of legal, regulatory and operational measures for AML/CTF and other related threats to the integrity of the international financial system.
• It is a “policy-making body” which works to generate the necessary political will to bring about national legislative and regulatory reforms.
• The FATF has developed a series of Recommendations that are recognised as the international standard for AML/CTF and for countering the financing of the proliferation of weapons of mass destruction.
• First issued in 1990, the FATF Recommendations were revised (most recently in 2012, with updates since, the latest in 2020) to ensure that they remain up to date and relevant, and they are intended to be of universal application.
• The FATF monitors the progress of its members in implementing necessary measures, reviews ML/TF techniques and counter-measures, and promotes the adoption and implementation of appropriate measures globally (Luxembourg is subject to review in 2020).


• Established in 2000, the Wolfsberg Group is an association of 13 global banks which aim to develop frameworks and guidance for the management of financial crime risks, particularly with respect to Know Your Customer and AML/CTF policies.
• It has since developed a large range of standards, also focused on other financial crime risks, such as corruption, terrorist financing and sanctions.
• The Wolfsberg Group has neither a written constitution nor any formalised set of rules or statutes. It has developed its practices and procedures over the course of its existence.
• Wolfsberg Standards (PEPs, Private Banking, Payment transparency, …)
• Wolfsberg Due Diligence Questionnaire (2017)
• Wolfsberg FAQ on Risk Assessment for ML, sanctions, bribery & corruption (September 2015)

Members
Banco Santander, Bank of America, MUFG Bank, Barclays, Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs, HSBC, J.P. Morgan Chase, Société Générale, Standard Chartered Bank, UBS.

Addendum: further readings
• Law of 5 April 1993 on the Financial Sector, as amended
• Law of 7 December 2015 on the Insurance Sector (coordinated version)
• Law of 12 November 2004 on AML/CTF, as amended => Grand-Ducal Regulation of 1 February 2010
• CSSF Regulation N°12-02 on AML/CTF
• CSSF Circular 12/552, as amended, on Central administration, Internal governance and Risk management (for credit institutions, investment firms and professionals performing lending operations)
• CSSF Circular 18/698 for investment fund managers
• CSSF Circular 04/155 (applicable to payment institutions, electronic money institutions)
• ESA Guidelines on the risk-based approach
• ESMA Guidelines 2012/388
• FIU/CRF Circular 22/10 AML/CTF
• FATF recommendations (relevant FATF publications, including those related to financial sanctions related to TF, those related to preventing, suppressing and halting the proliferation of weapons of mass destruction and its financing, those related to the securities sector…)


Questions?


The amended Luxembourg Law of 5 April 1993 on the financial sector (the Law) applies to:
• Credit Institutions incorporated under Luxembourg Law: legal persons whose activities consist in receiving from the public deposits or other repayable funds and in granting credits for their own account. The persons whose activities consist in receiving deposits or other repayable funds from the public and in granting credits for their own account may be called either credit institutions or banks.
• Professionals of the Financial Sector (PFS): regulated entities providing financial services that are not solely reserved for credit institutions, i.e. the receipt of deposits from the public. The PFS category encompasses 3 sub-groups, classified and defined as follows, depending on the type of business conducted and the nature of services provided:
  - Investment firms: defined as undertakings providing or performing investment services or investment operations for third parties on a professional and regular basis, and primarily include: (i) Investment advisers; (ii) Brokers in financial instruments; (iii) Commission agents and (iv) Private portfolio managers.
  - Specialised PFS: they are neither “investment firms” nor “support PFS” and include primarily (i) Registrar agents; (ii) Professionals carrying on lending operations; (iii) Corporate domiciliation agents and (iv) Professionals providing company formation and management services. They are authorised to carry out financial operations in Luxembourg.
  - Support PFS: they do not exercise a financial activity themselves, but act as subcontractors of operational functions on behalf of other financial professionals (such as client communication agents, administrative agents of the financial sector, primary IT systems operators of the financial sector).


Important excerpts of the Law linked to Compliance obligations (similar regulatory provisions are applicable to investment firms):
• Credit institutions shall have robust internal governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks they are or might be exposed to, and adequate internal control mechanisms, including sound administrative and accounting procedures and remuneration policies and practices allowing and promoting a sound and effective risk management, as well as control and security arrangements for information processing systems.
• Credit institutions shall meet the organisational requirements referred to in Article 37-1 when providing investment services and/or performing investment activities.
Organisational requirements:
1. Policies and procedures sufficient to ensure compliance of the credit institutions or investment firms, including their managers, employees and tied agents, with their obligations laid down in the relevant legal and regulatory provisions.
2. Appropriate rules governing transactions by their managers, employees and tied agents.
3. Effective organisational and administrative arrangements with a view to taking all reasonable steps designed to prevent conflicts of interest as defined in Article 37-2 from adversely affecting the interests of their clients.
4. Reasonable steps to ensure continuity and regularity in the performance of investment services and activities.
5. Sound administrative and accounting organisation, an appropriate internal control system, effective procedures for risk assessment, and effective control and security arrangements for information processing systems.
6. Where they rely on third parties for the performance of operational functions which are critical for the provision of continuous and satisfactory services to clients or the performance of activities on a continuous and satisfactory basis, reasonable steps to avoid undue additional operational risk.
7. Appropriate arrangements for records to be kept of all services and transactions undertaken by them, in accordance with the period laid down in the Commercial Code.
8. Appropriate arrangements so as to safeguard clients’ ownership rights, especially in the event of insolvency of the credit institution or investment firm, and to prevent the use of clients’ financial instruments on own account except with the clients’ express consent.
9. Appropriate arrangements to safeguard clients’ ownership rights, and, except in the case of credit institutions, prevent the use of client funds for their own account.

Co-existence of three Circulars issued by the CSSF regarding the Compliance function:
1. CSSF Circular 12/552 (as amended) on the central administration, internal governance and risk management (applicable to credit institutions, investment firms and professionals performing lending operations)
2. CSSF Circular 18/698 (investment fund managers)
3. CSSF Circular 04/155 (electronic money institutions and payment institutions)
Contents:
• Nature and purpose of the Compliance function
• Responsibilities of the Board of Directors
• Responsibilities of Senior or Executive Management (i.e. authorised/senior management)
• Establishment of a Compliance policy and Compliance charter
• Organisation of the Compliance function
• Responsibilities of the Compliance function
• Control of the Compliance function


Legal sources: 1. Basel Committee recommendations; 2. FATF; 3. EU Regulations/Directives; 4. Luxembourg Laws; 5. CSSF Regulations/Circulars

1. Permanence of the function
• No outsourcing allowed: certain exceptions exist, i.e. for investment fund managers, based on the principle of proportionality and subject to prior authorisation from the CSSF.
• Possibility to have recourse to external experts.
2. Independence of the function
• The Chief Compliance Officer (CCO) reports directly to the Executive Management.
• An Executive Director is responsible for the supervision of the Compliance risks and function.
• Escalation: possibility to contact directly the Chairman of the Board.
3. Resources and organisation
• The CCO, who is also generally the Money Laundering Reporting Officer (MLRO), is the key contact person with the competent national authorities in relation with AML/CTF and market abuse and for notification on AML/CFT issues.
• The Compliance function shall be organised in an adequate and permanent manner.
• Based on the principle of proportionality, a full-time position of the CCO is not necessary, but conflicts of interest shall be avoided and explicit permission from the CSSF must be obtained.
• The CCO shall have a high degree of professional qualification in the area of banking and financial activities and a good knowledge of the rules in force; the name of the CCO and any subsequent change shall be notified to the CSSF.

4. Implementing a Compliance programme
• Permanent and recurring obligations for financial institutions: client onboarding, ‘black list’ checks, transaction monitoring, regulatory updates, risk assessment / mapping, training and reporting;
• To develop a control plan according to the risk, resources (budget) and timeframe;
• To ensure the identification and assessment of the compliance risk before new activities, products or business relationships, transactions and network of the group at international level.
• The annual Compliance Monitoring Plan (CMP) should take into consideration the organisation of the actions and tasks, distributing them between teams following an agenda including all necessary priorities and potential unforeseen events. It is then necessary to assess the budget and resources that are necessary to its realisation. This also includes staff costs, specific software, operational costs, outsourced activities, etc.

4
30/03/2021

The aim of the Compliance function is to:
 anticipate, identify and assess the compliance risks, as well as
 assist the Authorized Management (or similar) in controlling these risks.

These risks may vary in connection with all activities of the institution and may be categorized as follows:
 reputational risk,
 legal risk,
 risk of dispute,
 risk of sanctions, and
 some operational risk aspects.

The Compliance risk assessment is an essential part of ensuring a robust compliance risk-based monitoring
programme. It provides key insights into the risk profile of the firm and a clear picture of the strength of the
control framework environment.

It also enables the assessment of the compliance risks arising from the business activities conducted within the
firm and the measures implemented to mitigate and reduce those risks.


The three-lines-of-defence (LoD) model

1. The first line of defence: the business units (they take and acquire risks under predefined policies and limits, and carry out
controls)
2. The second line of defence: support functions, finance and accounting, IT, compliance and risk control (they contribute to
independent risk control)
3. The third line of defence: internal audit (provides independent, objective and critical review of the first two lines of
defence)
Each of them shall be under the responsibility of a separate head of function, even though some exceptions
might be authorised following the principle of proportionality.

N.B.: Internal audit and compliance can never be assigned to the same person.

[Figure: the three-lines-of-defence model]
Oversight: Board of Directors / Audit Committee; Authorized (Senior) Management; External Audit (Independent); Regulator
1st LoD: Business Units’ Controls
2nd LoD: Compliance, Financial Control, Risk Management, IT Risk, Support Functions
3rd LoD: Internal Audit


The BoD shall have the overall responsibility for the institution and shall approve and lay down in writing:
 the business strategy (business model) taking into account long term financial interests, solvency, liquidity situation;
 the risk strategy, risk tolerance, guiding principles governing risk identification, measurement, reporting, management,
monitoring;
 the strategy with respect to regulatory and internal own funds and liquidity;
 the guiding principles of a clear and consistent organisational and operational structure (creation and maintenance of legal
entities/structures), information systems, security, internal communication (whistleblower procedure);
 the guiding principles relating to internal control mechanisms, internal control functions, remuneration policy, escalation,
settlement and sanctions, professional conduct (internal code of conduct), corporate values, management of conflicts of
interest;
 the guiding principles as regards the central administration (human and material resources), the administrative, accounting
and IT organisation, outsourcing, cloud computing infrastructure, change in activity (markets, customers, new products and
services), approval of ‘non-standard’ or ‘non-transparent’ activities;
 the guiding principles to business continuity management and crisis management arrangements (BCP);
 the procedures governing composition, responsibilities, organisation and operation of the BoD; and
 the guiding principles on the appointment and succession of individuals with key functions (for further details please refer to
the joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key
function holders, EBA/GL/2017/12, as last updated in December 2019).

The BoD is further responsible for:
 promoting a Compliance culture;
 developing structures enabling the fulfilment of Compliance objectives, and ensuring their adequacy at regular intervals;
 approving the Compliance Charter and the Code of Conduct;
 assessing the management of the compliance risks on an annual basis;
 approving the Chief Compliance Officer’s appointment and dismissal.
The BoD can be assisted by specialised committees (e.g. Audit, Compliance, Risk, Remuneration Committees), but it
cannot delegate its decision-making powers and responsibilities to them.


The Authorized/Senior Management is in charge of:
 effective, sound and prudent day-to-day business (and inherent risk) management, in compliance with the BoD’s strategies
and guiding principles;
 implementing, through internal written policies and procedures, all the strategies and guiding principles relating to central
administration and internal governance;
 defining the internal code of conduct;
 promoting a sound Compliance culture within the institution;
 establishing the Compliance function and appointing a Chief Compliance Officer;
 drawing up and implementing the Compliance Charter;
 appointing a member of the Authorized/Senior Management responsible for the Compliance function;
 reporting at least once a year to the BoD on the status of the Compliance activity (including identified deficiencies);
 deciding on and following up corrective measures aimed at keeping the residual risk at an accepted level.
Important note: the members of the Authorized/Senior Management, both individually and collectively, should have the
necessary professional competencies (expertise, understanding and experience) to manage the institution and effectively
determine the business direction.

All employees are individually responsible for complying with the Compliance principles set out in the Compliance
Charter, the internal code of conduct, and complementary policies and procedures.


The CCO is in charge of:
 implementing the Compliance Charter;
 identifying and assessing the compliance risks, and centralising and following up Compliance issues;
 identifying the applicable laws, rules and standards and making them available to the staff;
 implementing a training and awareness program for all staff and the Board on Compliance topics;
 making periodic verifications that the rules in force are applied, and making recommendations for remedial
actions; and
 documenting the work performed on Compliance and reporting to the Authorized/Senior Management and the Board
of Directors.

[Figure: the Compliance process chain]
Regulatory Watch -> Gap & impact analysis -> Advising -> Implementing / updating policies -> Training -> Monitoring -> Reporting

Example:
1. Identify and understand the upcoming EU AML 6th Directive and the associated national law
2. Detect possible gaps in the internal processes and policies with regard to the new predicate offences of money laundering
3. Advise the Authorised Management on the possible gaps and recommend appropriate measures to become fully compliant with the new
regulation
4. Update the AML/CTF procedures to include these new offences
5. Organise training sessions (e.g. update e-learning tools)
6. Integrate new controls in the CMP (new parameters in the AML tool or substantive tests)
7. Report to the Management on the controls’ results, the trend, specific risks identified, and corrective actions when required


Article 40 of the CSSF Regulation No 12-02 of 14 December 2012 on the fight against money laundering and
terrorist financing, as amended by CSSF Regulation No 20-05 of 14 August 2020, requires the following:

 Professionals shall appoint a person responsible for compliance with the AML/CFT professional obligations at the level of the
authorized management or the Board of Directors, according to the arrangements specified in Article 1 of this regulation.

 For credit institutions and investment firms, the professionals shall appoint a compliance officer in charge of the control of
compliance with the AML/CFT professional obligations; investment fund managers and investment funds subject to AML/CFT
supervision by the CSSF may appoint a third party.

 The compliance officer and the person responsible for compliance shall have the professional experience, the knowledge of the
Luxembourg legal and regulatory framework relating to AML/CFT, the hierarchy and powers within the entity (including the
power to access on a timely basis the identification data of customers and other information and documentation required by
the due diligence measures), as well as the availability necessary to the effective and autonomous exercise of their functions.

Article 42 of the CSSF Regulation No 12-02 of 14 December 2012 on the fight against money laundering and terrorist
financing, as amended by CSSF Regulation No 20-05 of 14 August 2020, requires the following:
 The compliance officer shall apply the AML/CFT policy and procedures of the professional and shall have the power to propose to the authorized
management, on his own initiative, any measure necessary or useful to this end, including the release of the required means.
 The compliance officer shall ensure the quality of the AML/CFT controls carried out by the first line of defense and, as the second line of defense,
shall verify compliance by the professional with all the AML/CFT professional obligations.
 The compliance officer shall prepare, implement and ensure the realization of the continuing training and awareness-raising program of the staff.
 The compliance officer shall be the privileged contact person for the Luxembourg authorities in charge of AML/CFT as regards AML/CFT issues, and
for the competent authorities with respect to the application of restrictive measures in financial matters. He shall also be in charge of the
transmission of any information or statement to these authorities.
 Compliance with the AML/CFT policy shall be subject to regular controls and verifications, at a frequency determined according to the money
laundering and terrorist financing risks to which the professional is exposed. The compliance officer shall report in writing on a regular basis and, if
necessary, on an ad hoc basis to the person responsible for compliance, to the authorized management and, where appropriate, to the Board of
Directors (or specialized committees). These reports concern the follow-up of the recommendations, problems, shortcomings and irregularities
identified in the past, as well as the new problems, shortcomings and irregularities identified.
 A summary report must be submitted to the BoD, and where appropriate to the specialised committees, for approval.


1. Regulated internal control functions
 Internal Audit,
 Risk Management,
 Compliance

2. Key other functions
 Tax,
 Legal,
 Customer Data Management

3. External Audit

 Common objectives:
 strengthening the Internal Control framework,
 identifying and assessing risks, and defining appropriate mitigating measures
 Exchange reports on identified risks and incidents (audit reports, operational risk reports, legal reports…)
 Share specific tools and methodologies (e.g. follow-up of action plans on audit issues, risk matrix,
incident inventory, etc.)
 Share and coordinate the regulatory inventory
 Operate through formal and regular meetings


Each financial institution must implement a formal Compliance framework, which is to be updated on a
regular basis and approved by the BoD.
The Compliance framework must have 2 main components:
 a Compliance Policy setting out the Compliance risks / principles;
 a Compliance Charter defining the organisation of the Compliance function.
The content of these documents must be brought to the attention of all staff members of the institution,
including those working in branches, affiliates and subsidiaries, in Luxembourg or abroad within a group.
These documents must:
 define the compliance risk;
 describe the key compliance principles the whole institution has to follow; and
 describe the way the Compliance function is implemented and operates, including notably its objectives, responsibilities
and powers.


Each financial institution has to put in place a Compliance Policy, to be updated on a regular basis and
approved by the Board of Directors.

The Compliance Policy must:
 be in writing;
 describe the relevant aspects of the compliance risk;
 explain the principles established by the Authorized/Senior Management and by the BoD;
 implement the Compliance function;
 define its objectives and independence;
 stipulate the creation of a Compliance Charter;
 set up a continuous training program.

The Compliance Charter must:
• define the position of the Compliance function in the organisation chart and its key characteristics: independence,
objectivity, integrity, competences, authority and adequacy of the resources (number and skills of employees, tools…);
• define the right of the Compliance function to open inquiries on all activities performed by the institution in Luxembourg
and abroad (subsidiaries and branches);
• establish the right of access of the Compliance function to all documents, materials, minutes, etc. required to fulfil its mission;
• define the responsibilities and reporting lines of the CCO;
• describe the relationship of the Compliance function with the risk control and internal audit functions (possible delegation
and/or coordination needs);
• establish the conditions and circumstances applicable where external experts/advisors are used;
• establish the right for the CCO to directly and on his/her own initiative contact the Chairman of the BoD or, where
appropriate, the members of the audit committee, the compliance committee, as well as the CSSF.

The content of the Compliance Charter is brought to the attention of all staff members of the institution.


Roles and responsibilities:

BoD
 Ultimate responsibility for Compliance
 Delegate aspects of Compliance to the Authorised/Senior Management
 Approve the Compliance Policy
 Receive confidence on Compliance
 Promote an ethical and positive Compliance culture

Authorised Management
 Implement the Compliance policy framework and processes
 Ensure that business activities comply with the applicable regulatory requirements
 Monitor Compliance
 Report to the BoD

Compliance function
 Assist, advise and provide confidence to the Authorised Management, the BoD and other employees

Employees
 Responsibility to conduct business in accordance with regulatory requirements
 Must adhere to and follow the internal policies and procedures in place
 Report all operational/business risks to Management or Compliance


A financial institution’s reputation relies on a strict observance of the rules (legal, professional, contractual,…) as well as on an
honest, responsible and ethical attitude adopted by all its employees.
The Code of Ethics sets the principles and values which the institution considers to be fundamental in its relations with all its
stakeholders:
 Employees
 Clients
 Market
 Suppliers
 Shareholders
 Third parties
It provides the reference framework within which all staff members are to perform their activities.


7 principles set forth by the Luxembourg Bankers’ Association (ABBL), as updated in April 2019:
• Loyalty, fairness and integrity: Professionals shall act with loyalty, fairness and integrity in their relations with
customers, other financial sector professionals, the markets and society in general.
• Competence, care and diligence: Professionals shall act with diligence and care in relation to the services provided
by them. They must have the resources and procedures required to implement their activities effectively.
• Respect for privacy and confidentiality: Professionals shall strictly respect the duty of confidentiality and discretion
in regard both to customers and to third parties.
• Compliance with laws and regulations: Professionals shall comply loyally and rigorously with the letter and the spirit
of the norms and rules applicable to the performance of their duties.
• Security and reliability: Professionals shall make sure to protect the security of the assets entrusted to them and the
reliability of the services provided by them.
• Sound and efficient governance
• Responsible banking: Professionals commit to be transparent and clear about how their products and services may
create value for their clients and investors, and how they impact the society.

Another reference: ICMA Private Wealth Management Charter of Quality

The ICMA Private Wealth Management Charter of Quality brings together in a single document the guiding principles of best
practice adopted by the cross-border private banking industry.

The 3 main principles which are of paramount importance to the nature of business relationships with clients are the foundation
of the charter, namely:
• Integrity: in business relationships; of markets, financial products and services; and of staff;
• Transparency: towards clients, and regarding the regulatory environment;
• Professionalism: regarding the primacy of clients’ legitimate interests, and efficiency.

The CSSF and the CAA requested banks, investment firms and insurance companies to sign the Charter and to adhere to the
principles stated therein.


Regulatory sources: amended Luxembourg Law of 13 February 2011 and Luxembourg Penal Code
Bribery: the active or passive offering, suggesting, paying or authorising of a payment or advantage to someone for their, or another's,
personal gain, with the intention either to motivate an active or passive deviation from a duty or to secure the performance of a duty.

Corruption: refers to the state or situation resulting from providing, soliciting, authorising or offering a bribe.
Particular attention shall be paid to (non-exhaustive list):
• Transactions with countries that rate high on the corruption perceptions index.
• Transactions with PEPs.
• Transactions involving government / public contracts.
• Charitable organizations.

Avoidance of Bribery & Corruption
• Code of Conduct of the institution.
• Policy and procedure for the on-boarding of exposed clients or countries.
• Policy and procedure for handling and mitigating conflicts of interest.
• Policy and procedure for the handling of gifts and business entertainment:
  • No acceptance of gifts or legacies from clients above the set threshold or outside the internal policy of the institution.
  • No presentation of gifts or advantages to customers, suppliers, government officials or intermediaries as a way of gaining
economic or political advantage for the institution’s business.
• Monitoring of transactions (cf. employees or clients having access to privileged and sensitive information).


Whistleblowing definition
Whistleblowing is when an employee reports suspected wrongdoing at work (‘disclosure in the public interest’) outside the usual
escalation route.
An employee can report any act, process or behaviour that is not right or is illegal, or the fact that anyone at work is neglecting their duties,
including (but not limited to):
• a criminal offence;
• the company not obeying the law;
• covering up wrongdoing.
Whistleblowing procedure
Ensure that all members of staff can blow the whistle (even anonymously) on (suspected) criminal or unethical conduct.
How?
• by encouraging staff to disclose criminal or unethical conduct;
• by ensuring that disclosures will be treated with discretion and the utmost confidentiality;
• by explicitly protecting an individual who makes a disclosure in good faith against dismissal or other adverse treatment.

 Origin of professional secrecy: transposition of the Code Napoléon into Luxembourg law; originally applied to the professions of doctors and
priests, to which the professions of the financial sector were assimilated. "All persons who, by status or profession, are in custody of secrets
entrusted to them" (extract from Art. 458 of the Penal Code).
 Regulatory sources: the main laws relating to the financial sector on professional secrecy:
 Article 41 of the law of 5 April 1993 (Banks and PFS)
 Article 111-1 of the law of 6 December 1991 (Insurance)
 Article 22 of the law of 18 December 2009 (Audit)
According to Article 41 (1) of the Law of 5 April 1993 on the financial sector, as amended:
 natural and legal persons subject to the prudential supervision of the CSSF pursuant to this law, or established in Luxembourg and subject to the
supervision of the European Central Bank or a foreign supervisory authority for the exercise of an activity referred to in this law, as well as
members of the management body, all directors, all employees and other persons who work for these natural and legal persons;
 natural and legal persons having been granted authorisation pursuant to this law and in liquidation, and all persons designated,
employed or mandated for any function in the framework of a liquidation procedure of such persons,
shall be required to keep secret any information confided to them in the context of their professional activities or mandate. Disclosure of
such information shall be punishable by the penalties laid down in Article 458 of the Penal Code.
Important note: the amendments brought by the Law of 27 February 2018 exempt from the secrecy obligation outsourcing to CSSF-, ECB- and
CAA-supervised firms, and cover other outsourcing situations as well. Additionally, they exempt from the professional secrecy requirements where
the client consents under the terms and conditions agreed amongst all parties concerned.


General obligations for confidentiality

 Professional secrecy has not disappeared, but exceptions are possible under strict rules (AML, CRS, requests for specific
information between tax authorities based on bilateral agreements, …).
 The secrecy obligation continues after leaving the institution.
 The secrecy obligation continues towards clients that have closed their account.

What is confidential information?


 All information related to the institution itself that has not been made public (including internal memos, policies, credit
applications, employee and supplier data).
 All non-public information about existing and prospective clients.
 Assume all information to be confidential unless it has clearly been made public.
 The more staff have knowledge of the confidential information, the more risk there is that confidentiality will be breached.
Therefore, always remember the “need-to-know” principle.

AML/CFT Fraud


Definition of Money Laundering:

 Knowingly facilitating, by any means, the misleading justification of the nature, origin, location, mobility
or ownership of goods constituting the direct or indirect object or product of a primary offence (i.e. including any
offence sanctioned by imprisonment of at least 6 months).

 Knowingly helping with the investment, dissimulation, disguise, transfer or conversion of goods
originating from a primary offence.

 Acquiring, holding or using goods while knowing that these goods come from a primary offence.

 Attempting to commit one of the above offences.


Money Laundering is the introduction of illegally gained assets into the legal financial system with the aim of concealing or
disguising their true origin.

Terrorist Financing is the financial support, in any form, of terrorism or of those who encourage, plan or engage in it.

Common element: concealment (the origin and/or purpose is disguised).

Difference:
 Money Laundering: illicit assets -> licit assets
 Terrorist Financing: illicit or licit assets -> illicit assets

For an act of Money Laundering, 3 elements are required: a primary offence, a material element and an intentional element.

Placement
“the introduction of illegally gained assets into the legal financial system with the aim of concealing or disguising
their true origin.”
Layering
“the source of the illegally obtained funds is obscured through a succession of transfers and transactions to give
them the appearance of legitimacy.”
Integration
“in order that those same funds can eventually be made to re-appear as legitimate income.”


All entities whose principal business is in the financial and insurance sectors are subject to the
Luxembourg Law of 12 November 2004 on the fight against money laundering and terrorism financing, as
amended (non-exhaustive list):
• Credit institutions and professionals of the financial sector.
• Payment institutions and electronic money institutions.
• Insurance and insurance intermediaries.
• Pension funds.
• Investment Funds, SIF, SICAR, management companies.
• Securitization undertakings.
• Managers and advisors of undertakings for collective investment, investment companies in risk capital (SICAR) and pension
funds.
• Statutory auditors.
• Accountants.
• Notaries.
• Lawyers.
• Persons who exercise in Luxembourg on a professional basis an activity of tax or economic advice.
• Casinos.

Key regulatory obligations applicable to Professionals subject to the AML Law:
• Customer due diligence measures
• Adequate internal organization
• Cooperation with the authorities


Regulations and standards
• United Nations: since the 1988 convention (http://www.unodc.org)
• FATF (http://www.fatf-gafi.org)
• Wolfsberg Group (http://www.wolfsberg-principles.com/index.htm)
• European Union: 4th, 5th and 6th EU Directives.
• Luxembourg law: Financial Sector (1993), AML (2004) including its amendments.
• Grand-Ducal Regulation: Feb-2010.
• CSSF Regulation 12-02 as amended by CSSF Regulation 20-05.

Main features of the AML Law (including its amendments):
• Extended scope of professionals: credit institutions, professionals of the financial and insurance sector, pension funds,
management companies, alternative investment fund managers, undertakings for collective investment (UCIs, UCITS, SIFs,
RAIFs) and investment companies in risk capital (SICAR), statutory auditors, accountants and accounting professionals, real
estate agents, notaries, court bailiffs, lawyers, tax and economic advisers, traders of goods making or receiving cash payments
in excess of € 10,000 (high value goods traders), and companies providing gambling and games of chance presenting high risks,
which have to apply due diligence measures to their customers for transactions equal to or higher than 2,000 EUR.
• Clarification on the identification of the beneficial owner: research of the controlling person of the structure. If no person
with this profile can be identified, or if there is any doubt that the person(s) identified are the beneficial owner(s), then the
person(s) falling under the definition are any natural person(s) who otherwise exercise(s) control over the management of the
legal entity.
• Politically Exposed Persons (PEPs): domestic PEPs are now in scope of the PEP definition and subject to Enhanced Customer
Due Diligence.
• Increase in sanctions for non-compliance for both individuals and firms (public reprimands, withdrawal of authorization, fines
of up to 10% of the total annual turnover of a legal person, fines for individuals of up to € 5 million).
• Tax crimes = predicate offence for money laundering.


Written Risk Assessment Document: i) identify and assess your money laundering and terrorist financing risks, taking into
account risk factors (including those relating to customers, countries or geographic areas, products, services, transactions or
delivery channels) and risk variables (such as the purpose of an account or relationship, the size of the transactions undertaken,
the regularity and duration of the business relationship), in order to adapt your level of vigilance in accordance with the identified
risks; ii) document, keep up to date and make available the risk assessments to the relevant control authorities and self-
regulatory bodies concerned; iii) identify and assess the money laundering and terrorist financing risks which may arise in relation
to the development of new products, business practices and technologies.

Wire transfer regulation EU 2015/847, as amended by EU Regulation 2019/2175:
• One of the main innovations of Regulation (EU) 2015/847 was to lay down rules about the information accompanying transfers,
not only in relation to the payer but also to the payee, thereby implementing FATF Recommendation 16 on wire transfers,
whose aim is to ensure that basic information on the originator and the beneficiary of wire transfers is immediately available.
• As of 26 June 2017, information relating to both payers and payees must accompany a transfer of funds, sent or received in
any currency, when either the payer’s or the payee’s payment service provider (PSP) or an intermediary PSP is established in the
European Union.
• The PSP of the payee must put in place procedures to detect missing information on the ordering and beneficiary
customer and to determine whether it is appropriate to reject or hold the transaction.


• Within the scope of the Tax Reform 2017, the list of predicate offences for money laundering was expanded to include
serious tax crimes.
• Pursuant to the law of 23/12/2016 voted by the local Parliament, three forms of tax offence should now be considered:
  • The offence of (simple) Tax Fraud is not considered as a primary offence of money laundering (it is punishable with an
administrative fine up to a maximum of two times the amount of taxes evaded).
  • Tax Evasion (“Fraude Fiscale Aggravée”), established by §5 art. 396/397 of the Tax code, is criminalised. It is considered as
such only if the amount of tax evaded per tax period exceeds the following thresholds:
    • > 25 % of the annual tax actually due, with a minimum tax evaded amount of 10,000 EUR, or an annual amount of taxes evaded
> 200,000 EUR.
    • Penalty: imprisonment of 1 month to 3 years and a fine from 25,000 EUR up to a maximum of six times the amount of taxes evaded.
  • Tax Swindle (“Escroquerie Fiscale”), established by §6 art. 396/397 of the Tax code, implies an additional level of gravity
compared with tax evasion, typically when the tax fraud is committed by means of forgery (faux) or deceit (astuce), i.e. fraudulent
tactics with the intention of concealing relevant facts or persuading the local authorities of inaccurate facts.
    • Penalty: imprisonment of 1 month to 5 years and a fine from 25,000 EUR up to a maximum of ten times the amount of taxes evaded.
  • Attempting to commit tax evasion or tax swindle incurs the same penalties.
• These last two criminal offences (aggravated tax fraud and tax swindle) are integrated in the list of predicate offences for money
laundering and entered into force on 1 January 2017.

Definition:
The term Fraud is commonly used to describe a wide variety of dishonest behaviour, such as deception, forgery, false representation, concealment
of facts, etc.
The 5 elements of fraud are:
 a representation about a material fact, which is false; and
 made intentionally, knowingly or recklessly;
 which is believed; and
 acted upon by the victim;
 to the victim’s damage.

/!\ Fraud can be perpetrated by people outside as well as inside an organization, and by collusion.
Internal fraud: committed by an employee or contractor against the institution.
Ex: payment fraud, theft, misuse of assets, receipt fraud, financial reporting fraud.
Fraud prevention: Chinese walls, passwords, segregation of functions, four-eyes principle, etc.
External fraud: committed by a customer or third party against the institution.
Ex: falsified payment instructions, claims for services that were not provided.
Fraud prevention: signature verification, call-back procedure, proper invoice handling, e-mail risk awareness, etc.


Standards and objectives:

 The UN Security Council is a primary source of sanctions-related global standards (Chapter VII, Article 41 resolutions: the teeth of
the collective security arrangement, binding on all member countries).
 The global standards drivers are the UN Security Council, the FATF, the EU and the US authorities.
 The main objective of sanctions is to protect the collective security of UN member states and the national security of the states.
Sanctions programs also extend the scope of national security to international norms of behaviour (human rights, terrorism,
cybercrime, WMD…).


Standards requirement challenges:

• The recent expansion and specialization of international financial sanctions programs expose financial institutions to growing
challenges:

• EU sanctions are subject to national implementation by the local regulator of each EU member state. In addition, each EU member state can
implement its own local list or local restrictive measures.

• Extraterritorial application of sanctions:


• Sanctions apply globally to EU nationals; each EU member state has enforcement authority over the EU sanctions programs.
• Sanctions apply to US persons (US citizens, US permanent residents, persons located in the US), to US entities and to USD-
denominated transactions anywhere in the world.

Sanction types:
 Sanctions can impose asset freezes and/or financial restrictions, economic prohibitions or controls, and can target individuals,
entities, activities or a government.
 Comprehensive sanctions programs: a sanctions regime that targets the government of a country and prohibits a wide range of
commercial activities, with trade restrictions.
 Regime-based sanctions programs: a sanctions regime implementing limited trade restrictions or embargoes and financing
prohibitions towards a country.
 List/activity-based sanctions programs: sanctioning a very specific activity (drug trafficking, terrorism, cybercrime…) or
including designations on list-based sanctions.

Different types of entities concerned (diagram on the original slide):
• Countries / Regions
• Criminal organizations
• Physical (natural) persons
• Businesses, listed corporates
• Vessels, shipping…
• Goods…
• Activities


Legal sources:
EU / local regulation legal basis:
• Articles 21 and 29 of the Treaty on European Union and Article 215 of the Treaty on the Functioning of the EU.
• The national authorities of each EU member state are responsible for the implementation and enforcement of the
EU sanctions programs.
• Local regulations exist.

US regulation legal basis:


• Congressional authorization for the Executive branch to create sanctions programs under certain conditions.
• Executive orders (issued by the President of the US).
• Implementation and regulation by US administrations and law enforcement agencies: US Treasury OFAC, US
Departments of Commerce and State.


 The Foreign Account Tax Compliance Act (FATCA) was enacted in the USA in March 2010.
 IGA Model 1 was signed with Luxembourg in March 2014 and transposed into national law on 29 July 2015.

FATCA aims to increase US tax revenues by tracing persons who are deemed liable to US tax.
To this end, banks outside the US are required to provide information to the US tax authority, the Internal Revenue Service
(IRS), on the identity and accounts of customers who are liable to tax in the US (so-called ‘FATCA US Persons’).
The US concluded an Intergovernmental Agreement (IGA) with many countries.
This gives some relief to banks in the reporting of clients that are FATCA US Persons. There are two IGA models:
• IGA Model 1: reporting to the local tax authority (e.g. the model selected by Luxembourg)
• IGA Model 2: direct reporting to the US IRS (e.g. the model selected by Switzerland)

• FATCA review: classification and documentation of the existing client database.

• New client on-boarding: additional documentation must be obtained to determine the FATCA status of new
clients. The FATCA status can be established through a self-declaration by the client (IRS forms such as W-8 and W-9,
the ABBL form, …).

• Monitoring changes of circumstances: comprises keeping the clients’ FATCA status in the books up to date
with any changes of US elements.

• Reporting: comprises designing and developing solutions for the annual reporting of the assets of all FATCA US
Persons to the local tax authority.


US indicia for identifying US tax liability:


1. US citizen/resident (green card holder) or entity incorporated in the US
2. US birthplace
3. US address
4a. Only a US telephone number
4b. US and foreign telephone numbers
5. Transfers to US accounts (standing instructions)
6. Power of attorney granted to a person with a US address (for individual accounts)
7. Hold mail instruction, where the only address on file is a US address

What are the Common Reporting Standards?


A fully reciprocal standard for automatic exchange of information between tax authorities of participating OECD jurisdictions:
 Defines reporting rules & due diligence rules for Financial Institutions (FIs).
 Requires the signing of a Competent Authority Agreement (CAA) by each participating jurisdiction.
 To be translated into domestic law by jurisdictions that sign the CAA.
 Similar to FATCA.
 To detect and deter tax evasion through intergovernmental tax cooperation.


Account holder due diligence


• All account holders maintained by a CRS Reporting FI must be linked to a tax residence.
• Account holders must be given a CRS classification and identified as “reportable” or “non-reportable” account holders.
• Use of self-certification forms (e.g. the ABBL combined FATCA/CRS self-declaration form).

Legal entity classification


• Entities located in a CRS participating country must be classified and documented from a CRS perspective.
• Entities classified as Reporting Financial Institutions have CRS obligations of their own and are solely responsible towards their local tax authority.

Reporting
• Identify which countries have signed an agreement with the FI’s country.
• Report to the local tax authority, on a yearly basis, all accounts held by a Reportable Person (with an obligation to inform the clients concerned).

CRS indicia for identifying customers in scope:


1. Address in a CRS jurisdiction (mailing, PO box, residence, C/O)

2. Phone number from a CRS jurisdiction

3. Standing instructions to the benefit of an account maintained in a CRS jurisdiction

4. Power of attorney granted to a person with a CRS jurisdiction address


Reporting deadline for FATCA and CRS: 30 June of each year.

Information reported                                  FATCA   CRS
Name, address, TIN                                    ✓       ✓
Date and place of birth                               -       ✓ (individual only)
Account numbers                                       ✓       ✓
Account value                                         ✓       ✓
Payments to the accounts (interest, dividends, …)     ✓       ✓
Gross proceeds on the accounts                        ✓       ✓

Identification of Individual Account Holder or Controlling Persons (required information)

 Name of Account Holder: Title, Family Name or Surname(s), Maiden Name, First or Given Name

 Current Residence Address: Street, Postal Code, Town/City, Country, Email address

 Date of Birth* (dd/mm/yyyy)

 Place of Birth: Town/City of Birth, Country of Birth

 Country of Residence for Tax Purposes and related Taxpayer Identification Number or equivalent number (“TIN”)


Identification of Legal Entity Account Holder (required information)

 Legal name of entity / branch

 Country of incorporation or organization

 Current residence address: Street, Postal Code, Town/City, Country, Email address

 Place of Birth Town/City of Birth, Country of Birth

 Country of Residence for Tax Purposes and related Taxpayer Identification Number or equivalent number (“TIN”)

 CRS status of the legal entity (classification)


• With Circular 15/631, the CSSF provides guidelines on the treatment of accounts that have become dormant or inactive,
in anticipation of upcoming legislation in Luxembourg.

• The rules of this Circular do not only apply to credit institutions but also to other professionals which hold or manage third-
party assets (PFS), in particular when such assets are placed with a bank or other financial institution.

• The obligation to avoid accounts becoming dormant or inactive can be derived from the Luxembourg AML and MiFID regulations:

• ongoing monitoring of the client relationship;

• keeping client documentation up to date.

• As soon as a client becomes dormant, enhanced vigilance is required for any reactivation of the dormant account.

• Art. 2236 of the Civil Code: the assets of dormant accounts can never be appropriated by the institution or used for any purpose other
than restitution to the client or the legal owners.

Main obligations:
• Set in place internal procedures for identifying inactive relationships and keep an inventory of dormant accounts
(facilitating also the tracing of assets by legal heirs).
• Determine the period after which an account is deemed dormant, subject to the following minimum rules:
• no communication with the client or a representative during the last 6 years;
• no transaction initiated by the client or a representative during the last 3 years.
• Establish contact with the dormant client by any appropriate means of communication and inform the client of the
consequences of a dormant account should the client not react.
• Searches for the client or any potential heirs may be made with due consideration of the costs, in particular as regards
recourse to experts. Credit institutions and PFS are entitled to debit the relevant dormant account for all expenses
derived from such a search.
• If the attempts to contact the client are unsuccessful, they shall carry on administering the client’s assets in
accordance with the principles of loyalty, good faith, diligence and care, while being entitled to all justified and
transparent administrative fees.
• Surveillance of dormant accounts: in case of reactivation, due measures should be taken to guard against any
suspicious element in the reactivation.


EMIR (1/3)

• EMIR = European Market Infrastructure Regulation deriving from EU Regulation 648/2012 amended by
Regulation (EU) 2015/2365 on OTC derivatives, central counterparties and trade repositories.

• Background: Following the financial crisis in 2008, the G20 agreed on a number of wide ranging measures to
prevent future crises. Governments in the EU, the US and various Asian countries have committed to drafting
new rules in order to reduce counterparty risk, operational risk and systemic risk.

• EMIR affects all entities established in the EU (banks, insurance companies, pension funds, investment firms,
corporates, funds, SPVs etc.) that enter into derivatives, whether they do so for trading purposes, to hedge
themselves against interest rate or foreign exchange risk or to gain exposure to certain assets as part of their
investment strategy.

• Implemented in Luxembourg by CSSF Circular 13/557 and 19/723.

EMIR (2/3)

EMIR imposes three main obligations on market participants:

 clearing: certain OTC derivatives entered into between certain market participants will have to be
cleared via a central counterparty.
 reporting: all derivatives (OTC and exchange-traded, including derivatives entered into since, or that
were outstanding on, 16 August 2012) will have to be reported to a trade repository.
 risk mitigation techniques: OTC derivatives entered into between certain market participants and
which are not cleared via a CCP are subject to risk mitigation obligations.
 Clients must obtain a Legal Entity Identifier; the LEI enables worldwide unique identification of
counterparties trading OTC derivatives.


EMIR (3/3)
The EMIR Refit Regulation (EMIR Refit) entered into force on June 17, 2019.
The purpose of the EMIR Refit is to amend and simplify the European Markets Infrastructure Regulation (EMIR) “to
address disproportionate compliance costs, transparency issues and insufficient access to clearing for certain
counterparties.”

Main changes introduced by the Refit:


 Extended definition of financial counterparties (FC) to capture EU AIFs and their EU AIFMs
 FC to report derivative transactions on behalf of non-financial counterparties (NFCs)
 Introduction of so-called “small FCs”, which are exempt from the clearing obligation (although still subject to the
margin requirements for uncleared OTC derivatives)

MARKET ABUSE (1/5)

Regulatory background:

MAD I stands for Market Abuse Directive 2003/06/EC, which was adopted by the Council and the European
Parliament on 28 January 2003.

It introduced and implemented dissuasive measures and appropriate sanctions in order to fight illicit behavior such
as insider dealing and market manipulation; and was transposed into Luxembourg national law on 9 May 2006
and modified on 26 July 2010.

On 5 February 2007, the CSSF published its recommendations in its Circular 07/280, amended by Circular 07/323.


MARKET ABUSE (2/5)

MAD II stands for:

MAR / Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market
abuse (Market Abuse Regulation), in force since 3 July 2016.

CSMAD / Directive 2014/57/EU of the European Parliament and of the Council of 16 April 2014 on criminal
sanctions for market abuse (Market Abuse Directive). It repeals Directive 2003/06/EC and related directives.

Luxembourg adopted the Market Abuse Law on 23 December 2016, which entered into force on 3 January 2017.

MARKET ABUSE (3/5)


What is prohibited?
• Insider dealing
• Market manipulation
Insider dealing is the act of carrying out transactions in shares or assets listed on a regulated market (stock exchange) using
inside (privileged) information.
Inside information is information that is:
• precise (about an event or circumstances that have occurred or can reasonably be expected to occur);
• not generally available, and not obtainable by analysis or research;
• related to one or several issuers of financial instruments, or to one or several financial instruments;
• such that, if it were made public, it might affect the price or value of the company / industry sector involved.


MARKET ABUSE (4/5)

Market manipulation means carrying out transactions or giving instructions:

 which give, or are likely to give, false or misleading indications regarding the supply, demand or price of
financial instruments;

 which set, through the action of one or several individuals acting in a concerted manner, the price of one or
several financial instruments at an artificial level;

 unless there are legitimate reasons for doing so, or such practice is commonly accepted on the regulated market.

MARKET ABUSE (5/5)


MAR / MAD II: Main features
• Expanded coverage of financial instruments
• Extended scope: not only transactions but also orders are included
• Further guidance on the definition of inside information
• New market manipulation offences
• Reduced disclosure burden for SMEs
• Harmonized criminal sanctions


What is MiFID?

MiFID stands for Markets in Financial Instruments Directive, which was adopted by the Council and the European Parliament on
30 April 2004.

Directive 2004/39/EC, amended by Directive 2006/73/EC.


It establishes the ‘framework for a regulatory regime for financial markets in the Community’; and was transposed into
Luxembourg national law on 13 July 2007.

CSSF Circular 07/307 (amended):


 client categorization
 suitability and appropriateness
 best execution
 conflicts of interests
 information

+ CSSF Circular 17/665 ESMA Guidelines for the assessment of knowledge and competence

MiFID II – applicable since 3 January 2018 – transposed into national law end of May 2018

• Extended scope of products and activities


• Prohibited payment and retention of inducements
• Enhanced investor protection
• Enhanced reporting requirements
• Creation of a new execution venue – Organised Trading Facility
• Stricter governance requirements and accountability of the Authorized Management
• Strengthened supervision with stricter sanctions
• Extended market transparency and transaction reporting (cost and timing)


Regulatory Framework (not exhaustive)


• MiFID II
• CSSF 12/552 as amended by CSSF 13/563
• CSSF 18/698
Definition
• Interests of the financial institution may differ from the interests of its clients
• Interests of the financial institution may differ from the interests of its third parties and sub-
contractors
• Interests of a client may differ from the interests of another
Key obligations
• Identification - Register
• Measures to prevent – Manage conflicts of interests
• Reporting to the Management and disclosure/notification to clients/third parties

One method of avoiding / managing conflicts of interests: Chinese Walls

What are Chinese Walls?


Barriers created to restrict or prevent movement of information within the
institution, to help manage conflicts of interests and protect the confidentiality
of client information.

What do they look like?


 physical
 organisational
 procedural
 operational


 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the
free movement of such data was transposed into Luxembourg national law by the Law of 2 August 2002
(Data Protection Act), modified by the Law of 27 July 2007.
 The Data Protection Act aims to protect the freedoms and fundamental rights of individuals, and notably their
private life, in relation to the processing of their personal data.
 The Commission Nationale pour la Protection des Données (CNPD) is responsible for enforcing these rules
(www.cnpd.public.lu).

What is personal data?


‘Personal data’ means any information relating to an individual (natural person) who is or can be identified,
directly or indirectly, by reference to an identification number or to one or more factors specific to him,
such as:
• insurance contract / bank account information,
• banking information,
• physical characteristics,
• habits, preferences, family life,
• sports & recreation, education,
• profession, religion, politics, medical, judicial data.


Transparency: Data should be processed fairly and lawfully

Purpose: Data should be obtained only for one or more specified and lawful purposes

Relevancy: Data should be adequate, relevant and not excessive for the purpose of processing

Accuracy: Data should be accurate and up-to-date

Data retention: Data should be kept for only as long as necessary

Rights: Data should be processed in accordance with the rights of the data subject

Adequate security measures: Data should be kept secure

General Data Protection Package :


 Regulation (GDPR – General Data Protection Regulation 2016/679)
 Directive (exchange between police and judicial authorities)
Regulation (applicable since 25 May 2018)
• A reduced administrative burden for companies: abolition of the requirement of prior notification
towards the respective supervisory authority
• Enhanced cooperation between the national authorities of the 28 Member States in order to apply a
single set of rules: companies active in several European markets should no longer be subject to
conflicting decisions
• Harmonised rules within the European Union: the same level of protection will be applicable for all
European citizens, even if their personal data is processed by companies established outside of the
European Union


DIRECTIVE: increased exchange of data between police and judicial authorities

• The Directive will apply to the cross-border processing of personal data, as well as to the processing of
personal data by police and judicial authorities at strictly national level. Accordingly, police and judicial
authorities should no longer apply different rules according to the origin of the personal data
• Transferring personal data from competent authorities to private entities will be possible under
specific conditions. This allows police authorities to take swift action in cases of a terrorist attack or other
emergencies
• Police authorities will be allowed to limit both the information held on the data and access to the
processed data. The framework allows police authorities to neither confirm nor deny whether they
are in possession of personal data, in order to avoid compromising ongoing investigations.

Whistleblowing is when an employee reports suspected wrongdoing at work (‘disclosure in the public interest’)
outside the usual escalation route.
An employee can report any act, process or behavior that is not right or is illegal, or a situation where anyone at work is neglecting
his duties, including (but not limited to):

 a criminal offence;
 the company not obeying the law;
 covering up wrongdoing.


On 20 April 2009, CEBS (Committee of European Banking Supervisors) issued a paper on high level principles for
remuneration policies in the financial sector.

European Commission's recommendation 2009/384/EC on remuneration policies


CSSF 10/437: further guidance and implementation of the EU recommendation 2009/384/EC

CSSF 14/585 (transposition of the ESMA guidelines on remuneration policies and practices (MiFID) – addition of Annex V
to CSSF 07/307)

Directive 2014/91/EU (UCITS depositary functions, remuneration policies and sanctions): remuneration policies should be consistent with
sound and effective risk management and should not encourage risk taking which is inconsistent with the risk profiles, rules… of the
managed UCITS.

CRD IV: Transposed in Luxembourg in July 2015.

CSSF 10/437 (one of the main CSSF Circulars)

• Structure of the remuneration policy (compatible with the entity risk policy; reasonable variable component of
remuneration and capped by an internal limit; for significant bonuses, major part of bonus payment should be
deferred for minimum period; entity should withhold bonuses if performance criteria are not met)
• Performance measurements (should combine individual and overall performance of the entity ; should be
measured on long term (e.g. 3 - 5 y.) and take into account risks taken, compliance with internal controls and
regulations)
• Governance (Board should fix remuneration of executive and supervisory bodies; Board should approve the
remuneration policy ; Board can seek assistance of a remuneration committee; executive management
responsible for implementing remuneration policy)
• Disclosure: in a clear and transparent manner (e.g. annual report)


Thank you for your attention !

 The knowledge provided by this document is purely informative. Although the House of Training
makes its utmost to ensure that this information is correct and up to date, it declines any
responsibility as to possible damages, losses, losses of earnings, direct or indirect induced by its use.

 The contents are subject to the laws of copyright, all rights reserved.
