1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions constitute the anti-money laundering, counter-terrorist financing and general financial crime prevention (collectively, ‘AML') regime in your jurisdiction, from a regulatory (preventive/sanctions) and enforcement (civil/criminal penalties) perspective? Are there any legislative and regulatory requirements that apply below the national level (ie, at a state or regional level)?

The main source for AML in Luxembourg is the Luxembourg law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the AML Law) which sets out who is subject to AML regulations and details the applicable professional obligations.

The offence of "money laundering" is defined in the Luxembourg Criminal Code (Code pénal) and the Luxembourg law of 19 February 1973 on the sale of medicinal substances and the fight against drug addiction, as amended. The offence of "terrorist financing" is also defined in the Luxembourg Criminal Code.

The AML Law is complemented by the Grand-ducal Regulation of 1 February 2010 providing details on certain provisions of the AML Law, as amended, and several regulations and circulars issued by competent regulatory authorities. These include for instance CSSF Regulation No. 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing for the financial sector and CAA Regulation No. 20/03 of 30 July 2020 relating to the fight against money laundering and terrorist financing for the insurance sector, each as amended.

International financial sanctions are governed by the Law of 19 December 2020 concerning the implementation of restrictive measures in financial matters.

1.2 Which bilateral and multilateral instruments on AML have effect in your jurisdiction?

Luxembourg is a Member State of the European Union (EU) and is therefore bound by EU regulations and directives relating to AML.

The AML Law implements Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD 4), as amended by Directive (EU) 2018/843 (AMLD 5, and AMLD 4 as amended by AMLD 5 being referred to as AMLD hereinafter) and the Luxembourg AML framework is therefore largely influenced by EU harmonisation efforts in this area. EU instruments also include Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and Regulation (EU) 2018/1672 of the European Parliament and of the Council of 23 October 2018 on controls on cash entering or leaving the Union.

Luxembourg is also a member of the Organisation for Economic Co-operation and Development (OECD) and a member jurisdiction of the Financial Action Task Force (FATF) and expected to comply with the FATF Recommendations.

1.3 Which public sector bodies and authorities are responsible for enforcing the AML laws and regulations? What powers do they have?

The AML Law lists three supervisory authorities which oversee the compliance by the professionals they supervise with AML obligations:

  • the Commission de Surveillance du Secteur Financier (CSSF), which is responsible for ensuring AML compliance by credit institutions, investment firms, local professionals of the financial sector (such as corporate domiciliation agents, registrar agents, etc.), payment institutions, electronic money institutions, tied agents, securitisation undertakings (in certain cases), undertakings for collective investment, management companies, alternative investment fund managers, certain pension funds and other financial sector entities falling under its supervision;
  • the Commissariat aux Assurances (CAA), which is responsible for ensuring AML compliance by insurance and reinsurance undertakings, insurance intermediaries, other professionals of the insurance sector and certain pension funds; and
  • the Administration de l'Enregistrement, des Domaines et de la TVA (AED), which is responsible for ensuring AML compliance by non-financial sector entities not covered by the other public sector bodies and authorities mentioned above or the self-regulatory organisations. These include notably real estate agents, real estate developers, tax advisers, certain trust and company service providers, providers of gambling services, operators in a free zone, certain persons trading in goods, persons trading or acting as intermediaries in the trade of works of art (including when this activity is carried out by art galleries and auction houses), and persons storing, trading or acting as intermediaries in the trade of works of art when this activity is carried out by free ports.

The supervisory authorities may:

  • have access to any document;
  • request information from any person;
  • carry out on-site inspections;
  • obtain recordings of telephone and electronic communications;
  • require the cessation of any practice;
  • request the freezing or sequestration of assets;
  • impose the temporary prohibition of professional activities;
  • require statutory auditors to provide information or to perform on-site investigations;
  • refer information to the State Prosecutor for criminal prosecution;
  • suspend the members of an institution's management body;
  • suspend the exercise of voting rights in a supervised entity; and
  • suspend the pursuit of the business of the supervised entity.

The supervisory authorities may impose sanctions including warnings, reprimands, public statements, withdrawals or suspension of authorisations, temporary bans from exercising activities, and administrative fines (of maximum twice the amount of the benefit derived from the breach or EUR 1 million). There are additional sanctions for specific cases or entities (for instance fines of up to EUR 5 million or 10% of the total annual turnover for banks).

The Cellule de Renseignement Financier (CRF) – the Luxembourg Financial Intelligence Unit (FIU) – receives and analyses suspicious transaction reports and suspicious activity reports. The State Prosecutor is responsible for prosecuting criminal offences.

1.4 Are there any self-regulatory organisations or professional associations? What powers do they have?

The AML Law includes the following self-regulatory organisations which are responsible for ensuring AML compliance by the professionals falling under their supervision:

  • the Institut des réviseurs d'entreprises (for statutory auditors (réviseurs d'entreprises) and approved statutory auditors (réviseurs d'entreprises agréés));
  • the Ordre des experts-comptables (for accountants);
  • the Chambre des Notaires (for notaries);
  • the Ordre des avocats (for lawyers); and
  • the Chambre des huissiers (for bailiffs).

The self-regulatory organisations may:

  • have access to any document;
  • request information from any person;
  • carry out on-site inspections;
  • obtain recordings of telephone and electronic communications;
  • require the cessation of any practice;
  • request the freezing or sequestration of assets;
  • impose the temporary prohibition of professional activities;
  • require statutory auditors to provide information or to perform on-site investigations; and
  • refer information to the State Prosecutor for criminal prosecution.

The self-regulatory organisations may impose sanctions including warnings, reprimands, public statements, temporary bans from exercising activities, temporary suspension of the right to practice the relevant profession or lifelong bans, and administrative fines (of maximum twice the amount of the benefit derived from the breach or EUR 1 million).

1.5 What is the general approach of the financial services regulators in enforcing the AML laws and regulations?

Financial sector regulators – in particular the CSSF and the CAA – adopt regulations and circulars to complement the general measures described in the AML Law. These include additional details about, for instance, the duties and responsibilities of AML compliance officers, the documentation to be collected during customer due diligence, simplified or enhanced due diligence measures, the content of policies, and provide guidance, for instance on the regulators' expectations with respect to the design of an AML risk analysis.

Financial sector regulation is also designed in a way that ensures regular updates on AML matters. Fund managers, for instance, are expected to fill out a "market entry form" (MEF) not only when they are being set up, but also in case of license extension, merger, or entry of a new qualifying shareholder in the shareholding structure of the manager. This MEF includes AML-related data points (and for instance requires the fund managers to ensure that their shareholding structure does not present any risks from an AML perspective).

Regulators rely on annual AML reports from supervised entities, but can also organise market surveys, ask questions within the remit of their supervisory powers and, when deemed relevant, perform on-site AML inspections.

Certain large entities have regular meetings with the FIU to discuss reports.

1.6 What are the statistics regarding past and ongoing AML procedures in your jurisdiction?

Statistics about AML procedures can be found in the annual report of the CRF and in the annual reports of supervisory authorities and self-regulatory bodies.

According to its 2020 annual report, the CRF received 40,782 suspicious transaction reports in 2020, including 40,328 relating to money laundering and 454 relating to the financing of terrorism. It also issued blocking orders for an aggregate amount of EUR 223,924,013.14. The annual report provides more granularity, showing for instance that banks submitted 2,503 reports in 2020 whereas online service providers (including payment institutions, electronic money institutions, virtual asset service providers and retail banks providing online services) submitted 26,254 reports.

For the financial sector, the latest annual report of the CSSF states that the CSSF performed 35 on-site inspections relating to AML matters. The most significant shortcomings identified related to the efficiency of name matching tools, deficiencies in transaction monitoring, lack of enhanced due diligence on higher risk clients, delays in the periodical review of customers, and failures to report.

In 2021 the CSSF also imposed 16 AML-related fines on financial sector entities including banks, investment firms, investment fund managers, payment institutions, and other professionals of the financial sector, with the amount of the fines ranging from EUR 5,000 to EUR 1,320,000.

1.7 What reporting activities exist for reporting suspicious activities and/or transactions (SARs)? Are there any specific powers to identify the proceeds of crime or to require an explanation as to the source of funds?

The persons subject to the AML Law (hereinafter referred to as the professionals), their directors, and their employees are required to promptly inform the CRF when they know, suspect or have reasonable grounds to suspect that money laundering, an associated predicate offence or terrorist financing is being committed or has been committed or attempted.

The reporting obligation covers all types of transactions (including attempted suspicious transactions) regardless of their amounts and requires the filing of all supporting information and documents having prompted the report.

Generally, the SAR is filed by the person appointed as responsible for compliance with applicable AML obligations within the relevant professional. Filings are made via an online platform (goAML).

As part of their customer due diligence measures professionals may request from their customers and potential customers information on the source of their funds and wealth.

When the relevant business relationship or transaction involves high-risk countries, obtaining such information in relation to the customer and its beneficial owner(s) is compulsory; similarly, when entering into a business relationship or transaction with politically exposed persons the professionals shall take reasonable measures to establish the source of wealth and source of funds involved in the transaction.

1.8 Is there a central authority for reporting (ie, a Financial Intelligence Unit (FIU) responsible for assessing SARs reported from relevant entities subject to AML requirements)? Does this authority work internationally?

The national authority responsible for receiving and analysing suspicious transaction reports and other information regarding suspicious facts that might amount to money laundering, associated predicate offences, or terrorism financing in Luxembourg is the Financial Intelligence Unit (Cellule de Renseignement Financier or CRF).

The CRF may exchange, spontaneously or upon request, with a foreign FIU of whatever type, any information and supporting documents that may be relevant for the processing or analysis of information related to money laundering, associated predicate offences, or terrorism financing and the natural or legal person(s) involved.

The CRF may only refuse to exchange information and supporting documents with an FIU from other EU Member States in exceptional circumstances (where the exchange could be contrary to fundamental principles of national law). The CRF may also refuse to exchange information or documentation with a FIU from a third country.

The CRF and Europol may also exchange all information that fall within Europol's missions as referred to in Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol).

The CRF is also responsible for disseminating, spontaneously or upon request, to the Luxembourg competent authorities and self-regulatory bodies and to the judicial authorities, the result of its analyses as well as any other relevant information, when there are reasonable grounds to suspect money laundering, an associated predicate offence or terrorist financing.

1.9 What relevant public or private corporate or other registers exist to assist with conducting and/or validating AML information, ultimate beneficial owners etc; and what details must be disclosed?

The main registers available to professionals to assist them in their KYC activities are the Trade and Companies Register (Registre de commerce et des sociétés) (RCS), the Beneficial Owner Register (Registre des bénéficiaires effectifs) (RBE) and the Register of Fiduciary Contracts and Trusts (Registre des fiducies et des trusts) (RFT).

The RCS is governed by the Luxembourg law of 19 December 2002 on the Trade and Companies Register and the accounting and annual accounts of companies, as amended (the RCS Law), and is not primarily dedicated to AML/CFT. The RBE and the RFT where introduced by the Luxembourg law of 13 January 2019 establishing the Beneficial Owner Register (the RBE Law) and the Luxembourg law of 10 July 2020 establishing a Register of Fiduciary Contracts and Trusts (the RFT Law), respectively, for the purposes of transposing the provisions of Articles 30 and 31 of AMLD.

The RFT is maintained by the AED, whereas the RCS and the RBE are maintained by an economic interest grouping (groupement d'intérêt économique) called "Luxembourg Business Registers".

All the entities listed in Articles 1(2) to (16) of the RCS Law – meaning all legal persons that have to register with the RCS, including notably most commercial companies, foundations, and nonprofit organisations – must provide information to the RBE. Likewise, fiducies and express trusts must provide information to the RFT.

The RCS allows professionals to obtain information about corporates and to collect documentation such as corporate register extracts, articles of association, or annual accounts for instance. The RFT contains information about fiducies and express trusts.

The RBE and the RFT allow the collection of beneficial ownership information for all corporates registered with the RCS and the entities registered with the RFT. The information about beneficial owners to be provided to the RBE and the RFT includes their names, first names, nationality(ies), date and place of birth, country of residence, address, personal identification number, and nature and extent of the interests held in the relevant legal entities.

1.10 How do such registers interoperate with one another and do they do so internationally?

National authorities as defined in the RBE Law and the RFT Law are entitled to obtain access to the information included in the RBE and RFT. Under the AML Law, supervisory authorities and self-regulatory organisations are required to cooperate with their foreign counterparts and the European Supervisory Authorities meaning beneficial ownership and other corporate information may be shared between authorities internationally. In addition, in accordance with Articles 30(10) and 31(9) of AMLD, the RBE and the RFT must be interconnected via the European Central Platform established by Directive (EU) 2017/1132.

2 Scope of application

2.1 Can both individuals and companies be prosecuted under the AML legislation?

Yes, both individuals and companies can be prosecuted. Companies can be criminally liable in Luxembourg, and both individuals and companies can be subject to administrative sanctions.

2.2 Can foreign companies be prosecuted under the AML legislation?

The AML Law applies to Luxembourg branches of foreign professionals and to professionals established in foreign countries (whether in the EU or in third countries) which provide services in Luxembourg without establishing a branch (including by providing cross-border services). Foreign professionals are therefore expected to comply with the obligations set out in the AML Law and may, in principle, be sanctioned by relevant competent authorities for breaches thereof.

According to Article 3 of the Luxembourg Criminal Code (Code pénal), offences committed by foreigners on the territory of the Grand Duchy of Luxembourg shall be punished in accordance with the provisions of Luxembourg law, meaning foreign companies could indeed be punished for AML offences.

2.3 Does the AML legislation have extraterritorial reach?

As mentioned above, the AML Law applies to Luxembourg branches of foreign professionals and to professionals established in foreign countries (whether in the EU or in third countries) which provide services in Luxembourg without establishing a branch (including by providing cross-border services).

In addition, the AML Law specifically provides that virtual asset service providers (VASPs) established or providing services in Luxembourg must register with the CSSF and comply with the provisions of the AML Law, meaning that foreign VASPs are captured by the AML Law.

2.4 Are there restrictions on financial institutions' accounts for foreign shell banks? Which types of firms are subject to such restrictions?

All professionals subject to the AML Law are prohibited from entering into or continuing a correspondent relationship with a shell bank or with a credit or financial institution that is known to allow its accounts to be used by a shell bank. They must also ensure that the respondent institutions do not permit their accounts to be used by shell banks.

A "shell bank" is defined as a credit or financial institution or an institution engaged in equivalent activities, incorporated or authorised in a jurisdiction in which it has no physical presence, involving meaningful mind and management and which is unaffiliated or unassociated with a regulated financial group.

2.5 Are there cross-border transaction reporting requirements? If so, what must be reported under what circumstances and to whom?

The AML Law requires professionals to report all suspicious transactions or attempted suspicious transactions to the FIU, regardless of their national or cross-border nature. There are no specific rules applicable to cross-border transactions. The cross-border nature of a transaction may, depending on the jurisdictions involved, be a risk factor that professionals must take into account when assessing the risk of money laundering.

2.6 Does money laundering of the proceeds of foreign crimes constitute an offence in your jurisdiction?

According to the Luxembourg Criminal Code (Code pénal), money laundering is also punishable when the predicate offence was committed abroad. The predicate offence must however be punishable in the country in which it was committed (Article 506-3). The judge must verify whether the predicate offence exists under the foreign law and whether its commission was proven.

3 AML offences

3.1 What AML offences are recognised in your jurisdiction and what do they involve? Are there any codified or common law defences?

The Luxembourg Criminal Code (Code pénal) lists three types of money laundering offences:

  • knowingly facilitating the false justification of the nature, origin, location, disposition, movement or ownership of property resulting from a predicate offence;
  • knowingly assisting in the placement, concealment, disguise, transfer or conversion of such property;
  • acquiring, holding or using such property, knowing that it was derived from a predicate offence.

The attempt to commit one of these offences is also an offence.

The relevant concepts to determine whether an offence has been committed are interpreted in case law and legal literature (for instance, "placement" includes any type of investment or acquisition; "transfer" includes wire transfers and fictitious loans; "concealment" means actual concealment in a secret vault, or layering operations via fictitious shell company structures; etc.).

The commission of a criminal law offence under Luxembourg law requires a "material element" (élément matériel), meaning proof that the constitutive elements of the criminal offence, as described in the Criminal Code, have been met, and a "moral element" (élément moral) which is akin to an intent and corresponds to the awareness and willingness with which the offense was committed.

There are no specific codified defences to those AML offences.

3.2 How are predicate offences defined in your jurisdiction? Is tax evasion a predicate offence for money laundering?

The offences of money laundering only materialize if they can be linked to one of the predicate offences listed in Article 506-1 of the Luxembourg Criminal Code (Code pénal). Article 506-1 uses a list of cross-references to other articles in the Criminal Code to determine which offences are predicate offences. The list includes a wide range of offences and a catch-all provision which refers to any other offence punishable by a custodial sentence of a minimum length superior to 6 months. As a result, the list covers almost the entire Criminal Code.

By way of a law of 27 December 2016, Luxembourg introduced tax-related offences as predicate offences in the Luxembourg Criminal Code: aggravated tax fraud (fraude fiscale aggravée) and tax evasion (escroquerie fiscale). These offences qualify as predicate offences if they are committed abroad. The CSSF published a circular on the application of the AML Law to predicate tax offences which provides a list of risk factors to help professionals to identify a risk of laundering of a predicate tax offence.

3.3 What reporting offences exist (eg, failure to disclose, tipping-off and prejudicing or obstructing an investigation)?

One of the key professional obligations for persons subject to the AML Law is the obligation to inform the FIU when they know, suspect or have reasonable grounds to suspect that money laundering, a predicate offence, or terrorism financing has been committed or is being committed or attempted. Professionals subject to the AML Law, their directors, and their employees are prohibited from informing customers (or other third parties, subject to certain exemptions) that information is being, has been, or will be provided to competent authorities or that an investigation is ongoing or may be carried out ("no tipping off"). The failure to disclose and the tipping off of customers both constitute a breach of AML obligations and a criminal offence.

Professionals must also generally collaborate with competent authorities, including supervisory authorities and self-regulatory organisations.

The Luxembourg Criminal Code (Code pénal) includes specific offences relating to the obstruction of justice (Articles 140 and 141). These include in particular the alteration, falsification, or erasure of evidence and the destruction, removal, concealment, or alteration of documents or objects likely to facilitate the discovery of an offence or evidence.

Obstructing an investigation is subject to administrative sanctions under financial sector regulation.

3.4 Do any restrictions or thresholds (eg, in terms of parties, asset type or transaction value) serve to limit the types of activities that constitute AML offences?

The AML Law does not foresee any threshold under which a breach of the AML Law will not be investigated/sanctioned.

Failure to comply with the AML Law does not necessary entail the execution of a transaction; the failure to establish and implement AML policies and procedures, the failure to apply customer due diligence to a specific client, or the failure to retain customer documentation for instance constitute breaches of the AML Law in itself irrespective of the execution or non-execution of any transaction.

However, there is a threshold that serves to exclude certain professionals of the scope of application of the AML Law: (i) persons trading in goods, where payments are made or received in cash in an amount of less than EUR 10,000; (ii) persons trading or acting as intermediaries in the trade of works of art, including when this is carried out by art galleries and auction houses, where the value of the transaction or a series of linked transactions amounts to less than EUR 10,000; and (iii) persons storing, trading or acting as intermediaries in the trade of works of art when this is carried out by free ports, where the value of the transaction or a series of linked transactions amounts to less than EUR 10,000.

There are also cases where professionals are not obliged to apply customer due diligence measures. These include (i) the carrying out of occasional transactions that amount to less than EUR 15,000; (ii) transfers of funds for less than EUR 1,000; and (iii) for providers of gambling services, upon the collection of winnings or the wagering of a stake where such a transaction amounts to less than EUR 2,000.

4 Compliance

4.1 Is implementing an AML compliance programme a regulatory requirement in your jurisdiction? If so, what aspects must this cover? Are there any criteria and/or conditions that a money laundering reporting officer or any other person responsible for AML must observe?

The AML Law requires professionals to implement policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing.

This includes (a) the development of internal policies, controls and procedures, including model risk management methods, customer due diligence, cooperation with authorities, record-keeping, internal control, compliance management and the appointment of a compliance officer at appropriate hierarchical level, and employee screening; and (b) if proportionate, an independent audit function to test these policies, controls and procedures.

Professionals shall appoint a person responsible for compliance with applicable AML obligations at the level of the authorised management or board of directors (the "responsable du respect" or "RR") and a compliance officer in charge of the control of compliance with the AML obligations ("responsable du contrôle" or "RC"). Both individuals must have relevant professional experience and be knowledgeable about the Luxembourg legal and regulatory framework relating to AML/CFT. They must also have an appropriate hierarchical position and powers within the professional as well as the availability necessary to the effective and autonomous exercise of their functions.

4.2 What customer and business partner due diligence (know your customer/client due diligence) requirements apply in this regard? Do any look-through requirements apply? Are there any simplified or enhanced due diligence requirements for certain types of persons and activities?

Customer due diligence (CDD) measures include:

  • identifying customers and verifying their identity;
  • identifying the customers' beneficial owner(s) and taking reasonable measures to verify their identity;
  • assessing and understanding the purpose and intended nature of the proposed business relationship; and
  • conducting ongoing due diligence, i.e., monitoring the business relationship (including monitoring transactions undertaken by the customers).

Professionals must apply CDD measures (a) when establishing a business relationship; (b) when carrying out occasional transactions for EUR 15,000 or more or when transferring funds exceeding EUR 1,000; (c) when there is a suspicion of money laundering or terrorist financing (regardless of any derogation, exemption or threshold) and/or (d) in case of doubt about the veracity or adequacy of previously obtained customer data.

Professionals may apply simplified CDD measures where they identify, based on an assessment and by taking into account certain low risk factors, a lower risk of money laundering and financing of terrorism. Where professionals determine that a business relationship presents a higher risk of money laundering or financing of terrorism, they must apply enhanced CDD measures. Enhanced CDD measures must always be applied for business relationships or transactions involving high-risk countries or with politically exposed persons and for cross-border correspondent relationships.

For the financial sector, examples of such simplified or enhanced measures are given in CSSF Regulation No. 12-02.

4.3 What due diligence requirements apply in relation to ultimate beneficial owners?

Professionals must identify the ultimate beneficial owners of their clients and take reasonable measures to verify their identity by using information or data obtained from reliable and independent sources. They must obtain the surname(s), first name(s), nationality(ies), date and place of birth as well as the full postal address of the main residence of the beneficial owners and, where relevant, the official national identity number.

Although professionals may use the recently established register of beneficial owners (Registre des bénéficiaires effectifs) in Luxembourg and foreign equivalents, the AML Law states that they shall not rely exclusively on such central registers. They must take all reasonable measures based on their risk assessment in order to ensure that the real identity of the beneficial owner is known.

4.4 Which books and records requirements have relevance in the AML context? What privacy laws apply?

The AML Law sets out specific recordkeeping requirements. Professionals must retain a copy of the documents, data, and information required to comply with their customer due diligence requirements, account files, business correspondence, results of analyses they have undertaken, the supporting evidence and records of transactions, and the measures taken to identify beneficial owners for a period of five (5) years after the end of a business relationship or the date of an occasional transaction. This retention period may be extended by a further period of five (5) years by supervisory authorities.

The processing of personal data is always subject to applicable data protection laws, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended (the GDPR). Before establishing a business relationship or carrying out an occasional transaction, professionals must inform new customers about their professional obligations under the AML Law and the related need to process the customers' personal data.

The AML Law foresees that professionals must restrict or defer the right of data subjects to access their personal data where this is necessary to allow the professionals, the FIU or relevant supervisory or regulatory authorities to fulfil their tasks or to avoid obstructing any investigations.

4.5 What other compliance best practices should a company implement to mitigate the risk of AML violations?

The AML Law requires professionals to adopt certain measures to ensure compliance with AML obligations, including adequate resourcing, internal reporting channels, and training for staff and management for instance. For certain sectors, specific regulations or guidelines (such as CSSF Regulation No. 12-02 for the financial sector) provide additional details and guidance.

Professionals should primarily ensure that their management is aware of money laundering and terrorism financing risks and promotes a culture of compliance, and that their staff are sufficiently knowledgeable about such risks in the context of their professional activities to detect and report them. Professionals should monitor AML-related developments and ensure their staff are kept up to date, and design certain processes to ensure compliance. These include, for instance, process to address queries from competent authorities, internal escalation procedures, termination procedures for client relationships, etc.

4.6 Are companies obliged to report financial irregularities or actual or potential AML violations?

Professionals, their management, and their employees are required to inform the FIU when they know, suspect or have reasonable grounds to suspect that money laundering, an associated predicate offence or terrorism financing is being committed or has been committed or attempted. The reporting obligation therefore applies to both actual and potential AML violations.

The AML Law provides that all suspicious transactions (including attempted suspicious transactions) must be reported, regardless of the amount of the transaction. Where a financial irregularity results in a transaction being suspicious, it must be reported.

The AML Law further requires professionals to have measures in place for employees to report internally breaches of professional obligations with respect to AML.

4.7 Does failure to implement an adequate AML programme constitute a regulatory and/or criminal violation in your jurisdiction?

The failure to implement policies, controls and procedures to mitigate and manage effectively the risk of money laundering and terrorist financing, and more generally the failure to comply with the professional obligations set out in the AML Law constitutes a breach of applicable AML regulations and, potentially, a criminal offence under the AML Law.

As a consequence of such breach, the supervisory authorities and self-regulatory bodies may impose administrative sanctions and take other administrative measures with respect to the professionals subject to their supervision as well as with respect to the members of their management or other persons responsible for the non-compliance by the professionals with their obligations.

The breach will be considered a criminal offence if the person responsible for the breach knowingly contravened the relevant obligation(s) under the AML Law.

5 Enforcement

5.1 Can companies that voluntarily report AML violations or cooperate with investigations benefit from leniency in your jurisdiction?

Cooperation with competent authorities may indeed alleviate the potential sanctions faced by a company. The AML Law states that supervisory authorities and self-regulatory bodies shall take into due consideration, among others, the level of cooperation of the natural or legal person held responsible for a breach of the AML Law. Although cooperation or voluntarily reporting of breaches of the AML Law to the responsible authority or body does not entail a full exoneration it will very likely help the entity responsible for the breach to obtain a reduced fine.

Recent published administrative sanctions imposed by the CSSF in relation to AML breaches for instance show that the CSSF took into consideration the cooperation and remedial actions already undertaken by the breaching entities and their management.

The Luxembourg Criminal Code (Code pénal) also foresees that courts may take into account mitigating factors when determining the sentence to be applied. Such mitigating factors are not defined by law and a judge may therefore consider any factors relating to the offence or the company in order to potentially impose a lower sentence.

5.2 Can the existence of an AML compliance programme constitute a defence to charges of AML violations?

Professionals are obliged to implement AML policies and procedures aligned with the AML Law and failing to do so constitutes a breach of AML obligations. Having an AML compliance programme is expected, and its existence, completeness, and effectiveness will be assessed when reviewing alleged AML violations. The implementation of measures not formally required or more restrictive than those envisaged under the AML Law could be considered by competent authorities as a mitigating circumstance that could reduce the amount of the sanctions to be imposed (if any). The existence of an AML compliance programme does not prevent the possibility of AML violations taking place and does not per se protect professionals subject to AML obligations from violations and sanctions.

5.3 What other defences are available to companies charged with AML violations?

When deciding on the sanctions to be imposed to a professional that has breached applicable AML obligations the competent supervisory authorities and self-regulatory bodies will take into account all circumstances considered relevant for the specific case at hand and, in particular:

  • the gravity and duration of the breach;
  • the existence of policies, procedures, and controls;
  • the degree of responsibility for the relevant breach;
  • past breaches and sanctions imposed on the professional;
  • the financial situation of the professional and whether high or excessive fine could jeopardise its subsistence;
  • the losses caused by the breach and any other consequences resulting therefrom; and/or
  • the level of cooperation of the professional with competent authorities.

The severity of the breach and its consequences therefore play a role, and professionals may also improve the outcome of any potential sanctions procedure by proactively collaborating with authorities and taking timely remedial actions.

5.4 Can companies negotiate a pre-trial settlement through plea bargaining, settlement agreements or similar?

Since 2015, individuals and companies subject to criminal proceedings can enter into an agreement with the Public Prosecutor. This is called an "agreed judgment" (jugement sur accord). Either party to the criminal proceedings may propose an agreement to the other party at any point in time during the proceedings, as long as the court has not yet rendered a judgment. Only offences punishable by a prison sentence of up to give (5) years are eligible. Money laundering offences fall within this category and can therefore be subject to an agreed judgment.

The agreement must in particular include a summary of the proceedings, a description of the facts, their qualification under criminal law, a description of any mitigating circumstances, and the proposed sanction. If the agreement is signed by the parties, the criminal court must approve it. The agreement entails an admission of guilt.

5.5 What penalties can be imposed for violations of the AML legislation? How are these determined? Can non-exhaustive penalties be imposed for such violations (eg, exclusion from public procurement, exclusion from entitlement to public benefits or aid, disqualification from the practice of certain commercial activities, judicial winding up)?

Under the Luxembourg Criminal Code (Code pénal) AML offences are punishable by a fine of between EUR 1250 and EUR 1,250,000 and/or imprisonment for one (1) to five (5) years. The minimum prison sentence is increased to three (3) years if the offence is committed by a professional subject to the AML Law in the context of his/her/its professional activities. The penalties can be doubled if the offence is committed again within five (5) years of a conviction. AML offences also entitle the courts to impose certain prohibitions on the convicted person, for a duration of five (5) to ten (10) years. These include, for instance, the prohibition to teach or be employed in an educational institution, the prohibition to hold public office or to be employed as civil servant, or the prohibition to act as an expert.

The breach by a professional subject to the AML Law of the professional obligations set out in the AML law is punishable by a fine of between EUR 12,500 and EUR 5,000,000.

The maximum amount of the fines incurred under criminal law are doubled if the offence was committed by a legal person. This increased amount is multiplied by five (5) for specific offences committed by legal persons, including in the case of terrorism financing or money laundering.

Legal persons convicted of AML offences may also be excluded from public procurement. Judicial winding up can be imposed where the legal person has been created or diverted from its purpose to commit the offences.

In addition to criminal sanctions, violations of AML legislation are also subject to administrative sanctions which include, in particular, warnings, reprimands, prohibitions from performing activities, withdrawals, of authorisation, and fines.

5.6 Can funds, property and/or proceeds of AML and/or financial crime be subject to asset freezing/confiscation/forfeiture or victim compensation laws? If so, under what circumstances and what types of funds or property may be confiscated/forfeited? Can such actions be taken if there is no criminal conviction?

Yes. Article 31 of the Luxembourg Criminal Code (Code pénal) provides that a "special confiscation" (confiscation spéciale) is always ordered for crimes and for certain specific offences, which include money laundering offences. The confiscation applies to property (i) which forms the object or product of the offence or constitutes a pecuniary advantage from such offence (including income from such property), (ii) used or intended for use in the commission of the offence, (iii) substituted for the property referred to in point (i) (including the income from the substituted property), (iv) owned by the convicted person which has the same monetary value as the property referred to in point (i), if that property cannot be found for confiscation, and (v) belonging to the convicted person, where that person has been unable to justify the property's origin. The confiscation may cover assets of any kind, whether tangible or intangible, movable or immovable, as well as documents or instruments evidencing ownership of such assets or rights thereto. A confiscation spéciale can take place even in case of acquittal or where there is no criminal conviction for other reasons.

5.7 What is the statute of limitations for prosecuting AML offences in your jurisdiction?

According to Article 638 of the Luxembourg Code of Criminal Procedure (Code de procédure pénale), the statute of limitations for the money laundering offences defined in the Luxembourg Criminal Code (Code pénal) is five (5) years.

6 Alternatives to prosecution

6.1 What alternatives to criminal prosecution are available to enforcement agencies that find evidence of AML violations?

AML offences can be sanctioned administratively by supervisory authorities (or self-regulatory organisations) and/or criminally prosecuted. There are no other alternatives.

In theory, in the context of criminal prosecution, the State Prosecutor has the right, prior to his/her decision, to decide to resort to mediation proceedings if it appears to him her:

  • that such a measure is likely to ensure compensation for the damage caused to the victim of an offence;
  • that such a measure is likely to put an end to the disturbance resulting from the offence; or
  • that such proceedings are likely to contribute to the rehabilitation (reclassement) of the person having committed the offence.

Such mediation proceedings are however unlikely to be used in the context of an AML offence.

In the context of administrative sanctions, supervisory authorities and self-regulatory organisations may adapt the severity of their sanctions based on a number of factors.

6.2 What procedures are involved in concluding an investigation in this way?

N/A.

6.3 What factors will determine whether such an alternative to prosecution is to be offered by an enforcement agency to those who have been involved in AML violations?

N/A.

6.4 How common are these alternatives to prosecution?

N/A.

6.5 What reasons, if any, could lead to an increase in the use of such alternatives?

N/A.

7 Private AML enforcement

7.1 Are private enforcement actions for AML offences available in your jurisdiction? If so, where can they be brought and what process do they follow?

Luxembourg law does not foresee private enforcement actions for AML offences. The AML law includes administrative enforcement and enforcement by self-regulatory bodies, as well as criminal liability provisions, but does not include private enforcement measures. Persons who have suffered a damage as a result of an AML offence may make a claim under the general principles of tort (responsabilité civile) or contractual liability (responsabilité contractuelle), for instance where a contract includes a representation or warranty that a party shall comply with AML obligations but fails to do so.

7.2 What types of relief may be sought and what types of relief are most commonly awarded? How is the relief awarded determined?

N/A.

7.3 Can the decision in a private enforcement action be appealed? If so, to which reviewing authority?

N/A.

8 AML, cyber and crypto-assets

8.1 How does the AML regime dovetail with other cyber law in your jurisdiction?

Whereas Luxembourg recognises cybercrime as an emerging and evolving threat and views the use of the internet and online payments for instance as risk factors (especially since Luxembourg is home to many data centres and leading technology companies), there are no AML rules dedicated to the cyber sphere, or cyber laws specifically targeting money laundering or terrorist financing risks. Professionals subject to the AML Law must comply with applicable professional obligations regardless of their business model, and their exposure to cyber-related risk is an additional risk factor to take into account in their money laundering and terrorist financing risk assessment.

As far as crypto-assets are concerned, in March 2020 Luxembourg introduced a registration requirement for "virtual asset service providers" established or providing services in Luxembourg, and included the concepts of "virtual currency", "virtual asset", and "custodian wallet service" for instance in the AML Law. In December 2020 the Luxembourg Ministry of Justice also published a ML/TF Vertical Risk Assessment on Virtual Asset Service Providers which professionals are expected to take into account when designing their AML compliance programmes.

While complying with AML regulations professionals must also ensure compliance with data protection regulations.

8.2 What specific considerations, concerns and best practices should companies be aware of with regard to AML prevention in the cyber sphere?

The latest version of the Luxembourg National Risk Assessment of Money Laundering and Terrorist Financing (published on 15 September 2020) identifies cybercrime and online extortion as two emerging and evolving threats for Luxembourg, in particular since the outbreak of the COVID-19 pandemic. Companies operating in the cyber sphere or potentially confronted to money laundering and terrorist financing risks linked to the cyber sphere should ensure their AML risk assessments take such risks into account and their staff are appropriately trained to recognise them. In addition, companies may want to invest in appropriate technologies and infrastructure to improve due diligence and monitoring of transactions. Regulated businesses, such as financial sector entities, should also ensure they comply with applicable cybersecurity regulations and guidelines. In terms of internal governance, the AML compliance teams should collaborate with the IT/cybersecurity teams where relevant.

8.3 Does the AML regime extend to crypto-asset activity and if so, how?

Yes. The AML Law requires "virtual asset service providers" (VASPs) to be registered with the CSSF. VASPs include persons providing one or more of the following services:

  • the exchange between virtual assets and fiat currencies, including the service of exchange between virtual currencies and fiat currencies;
  • the exchange between one or more forms of virtual assets;
  • the transfer of virtual assets;
  • the safekeeping or administration of virtual assets or instruments enabling control over virtual assets, including the custodian wallet service; and
  • the participation in and provision of financial services related to an issuer's offer or sale of a virtual asset.

The request for registration consists in an application form with supporting documents. The registration is subject to the following conditions:

  • at least two (2) persons must be responsible for the management;
  • the beneficial owner(s) and managers must be of good repute and have adequate professional experience (fit & proper assessment);
  • the VASP must describe its activities; and
  • the VASP must have performed an AML risk assessment and have in place appropriate procedures and processes to monitor and mitigate AML risks and to comply with AML obligations.

Although VASPs are not yet subject to an authorisation requirement and prudential supervision (such as banks or investment firms for instance), they are subject to the AML Law and must comply with all AML obligations.

The registration requirement applies to VASPs established in Luxembourg and foreign VASPs providing services in Luxembourg.

9 Trends and predictions

9.1 How would you describe the current AML enforcement landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Luxembourg authorities are currently particularly sensitive to AML compliance by all supervised institutions, in particular in light of the FATF visit to Luxembourg which took place in November 2022.

The CSSF is particularly focused on VASPs. Since the adoption of the registration requirement for VASPs in March 2020, only 9 VASPs have been registered. The CSSF has reached out to many local and foreign VASPs to enquire about their registration status and intentions with respect to their activities in Luxembourg and takes the time to carefully assess the AML compliance of applicants for registration.

In terms of legislative developments, amendments were made to the AML Law by an act of 29 July 2022. In addition, professionals will need to anticipate the consequences of the AML/CFT package published by the European Commission on 20 July 2021, which includes (i) a proposal for a regulation on AML/CFT, containing directly applicable rules on customer due diligence and beneficial ownership for instance, (ii) a proposal for a sixth AML/CFT directive, (iii) proposed revisions to Regulation 2015/847/EU on transfers of funds, and (iv) a proposal for the establishment of a new EU AML/CFT authority.

9.2 Has your jurisdiction's AML regime been evaluated by an international organisation, such as the Financial Action Task Force (FATF), the Council of Europe (Moneyval) or the International Monetary Fund; and if so, when?

Luxembourg is a member jurisdiction of the FATF. The last FATF visit to Luxembourg took place in May 2009, and the relevant Mutual Evaluation Report was published on 19 February 2010. This was followed by a 6th Follow-up Report on the Mutual Evaluation of Luxembourg in February 2014. The FATF came to Luxembourg for a new evaluation in November 2022.

9.3 Does your jurisdiction meet the recommendations of the Financial Action Task Force; and if not, what are the barriers to meeting these?

The FATF evaluated Luxembourg in 2010 when material deficiencies were identified. At that time, Luxembourg was rated partially compliant or non-compliant on 39 Recommendations. However, since 2010 Luxembourg has amended its AML Law on multiple occasions to comply with EU directives and the FATF Recommendations. In its 6th Follow-Up Report on Mutual Evaluation of Luxembourg, dated February 2014, the FATF noted that Luxembourg had taken sufficient measures to be removed from the regular follow-up process. Since 2014, Luxembourg has taken additional measures to strengthen its AML framework, in particular to transpose the provisions of AMLD4 and AMLD5. While doing so, Luxembourg chose to go beyond the requirements of AMLD4 and AMLD5 to ensure compliance with the FATF Recommendations. For instance, whereas AMLD5 introduced a registration requirement for custodian wallet providers and providers of exchange services between virtual currencies and fiat currencies, Luxembourg went beyond those requirements and aligned its framework for virtual asset service providers to the FATF requirements.

By way of a Law of 29 July 2022, Luxembourg further amended the AML Law to ensure appropriate interpretation and alignment with the drafting of the FATF Recommendations.

9.4 What noteworthy technology developments have you observed in your jurisdiction over the past 12 months in the growth of regtech and suptech solutions, as well areas where blockchain and digital assets or online-based communities are used as an enabler (eg, money laundering using video games or online forums)?

There are several regtechs in Luxembourg which have been active for several years. These include, for instance, AlgoReg (a company providing KYC solutions such as automated ID verification, watchlist screening, and AML risk scoring), Scorechain (which provides AML solutions for crypto assets), and i-Hub, a regulated business operating a KYC repository for ongoing due diligence for professionals subject to the AML Law.

We have not observed any noteworthy developments over the last 12 months but regtech in general and blockchain-based AML/KYC solutions in particular remain a hot topic. In February 2022 the University of Luxembourg's Centre for Security, Reliability and Trust (SnT) launched an initiative called the "Finnovation Hub" with the support of the Ministry of Finance. Although not dedicated to AML, the purpose of this initiative is to promote research and develop technologies for the Luxembourg financial sector, in particular to address challenges such as regulatory compliance and fraud detection. This initiative may lead to new solutions for AML and KYC in the future.

10 Tips and traps

10.1 What are your top tips for the smooth implementation of a robust AML compliance programme and what potential sticking points would you highlight?

The AML requirements in Luxembourg are not fundamentally different from those in similar jurisdictions, especially other EU jurisdictions.

A key point of attention however, especially for new businesses wishing to establish themselves in Luxembourg, is the requirement to appoint two distinct individuals for AML compliance roles, as opposed to a single AML Compliance Officer or "Money Laundering Reporting Officer" (MLRO). The AML Law distinguishes between the appointment of a compliance officer and the appointment, at the level of the management body or authorised management, of a person responsible for compliance with the AML obligations. The compliance officer (referred to in French as responsable du contrôle or "RC") is in charge of the day-to-day compliance with AML obligations and the implementation of relevant policies and procedures, whereas the person responsible for compliance (referred to in French as the responsable du respect or "RR") is involved in specific cases (such as the authorisation of the establishment of a business relationship with politically exposed persons) and serves as escalation point. Whereas for some businesses it can be argued that the RC is required only if proportionate to the nature and size of the relevant business, the distinction between the two roles is not optional in the financial sector.

CSSF Regulation No. 12-02 details the requirements attached to the two roles. It is important to note that whereas both roles are at different levels, they need to have relevant professional experience and knowledge of the Luxembourg AML framework which sometimes leads to issues when newly established financial sector businesses are designing their governance framework and local staffing.

10.2 What are the key threats and trends that you have seen in your jurisdiction with respect to money-laundering techniques during the COVID-19 pandemic?

Concerning the financial sector specifically, in April 2020 the CSSF published Circular 20/740 on financial crime and AML/CFT implications during the COVID-19 pandemic which identified cybercrime, fraud, bribery and corruption related to government support schemes, trafficking in counterfeit medicines and other goods, robbery or theft and insider trading and market manipulation as the main emerging ML/TF threats from COVID-19. In terms of vulnerabilities, the Circular identifies several vulnerabilities that may be exploited by emerging ML/TF threats, including online payment services, clients in financial distress, collateralised lending (including mortgages), credit backed by government guarantees, distressed investment products, and delivery of aid through non-profit organisations.

The Luxembourg national risk assessment of money laundering and terrorist financing, which was amended in September 2020, reflects the same threats and vulnerabilities.

10.3 Are your jurisdiction's relevant AML legislative and rulemaking instruments available in online; and if so, are they publicly available and in English?

European Union (EU) directives and regulations are available online in the official languages of the EU via the EUR-Lex portal.

Luxembourg laws and regulations are published in the Luxembourg Official Gazette (Journal official du Grand-Duché de Luxembourg) which is available online. Publications are in French.

Certain supervisory authorities provide unofficial consolidated versions of the main laws and regulations in English. Most AML-related laws and regulations are available in English on the website of the CSSF. The CSSF also publishes circulars, sanctions, communiqués, sectoral assessments, newsflashes, in the English language, as well as its annual report.

The Luxembourg law of 13 January 2019 establishing the Beneficial Owner Register (RBE) is available in English on the website of the RBE.

Certain law firms also provide courtesy translations of Luxembourg laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.