Luxembourg: Anti-Money Laundering Comparative Guide – Legal And Enforcement Framework

1. Legal and enforcement framework

1.1. Which legislative and regulatory provisions constitute the anti-money laundering, counter-terrorist financing and general financial crime prevention (collectively, 'AML') regime in your jurisdiction, from a regulatory (preventive/sanctions) and enforcement (civil/criminal penalties) perspective? Are there any legislative and regulatory requirements that apply below the national level (ie, at a state or regional level)?

The main source for AML in Luxembourg is the Luxembourg law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the AML Law) which sets out who is subject to AML regulations and details the applicable professional obligations.

The offence of "money laundering" is defined in the Luxembourg Criminal Code (Code pénal) and the Luxembourg law of 19 February 1973 on the sale of medicinal substances and the fight against drug addiction, as amended. The offence of "terrorist financing" is also defined in the Luxembourg Criminal Code.

The AML Law is complemented by the Grand-ducal Regulation of 1 February 2010 providing details on certain provisions of the AML Law, as amended, and several regulations and circulars issued by competent regulatory authorities. These include for instance CSSF Regulation No. 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing for the financial sector and CAA Regulation No. 20/03 of 30 July 2020 relating to the fight against money laundering and terrorist financing for the insurance sector, each as amended.

International financial sanctions are governed by the Law of 19 December 2020 concerning the implementation of restrictive measures in financial matters.

1.2. Which bilateral and multilateral instruments on AML have effect in your jurisdiction?

Luxembourg is a Member State of the European Union (EU) and is therefore bound by EU regulations and directives relating to AML.

The AML Law implements Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD 4), as amended by Directive (EU) 2018/843 (AMLD 5, and AMLD 4 as amended by AMLD 5 being referred to as AMLD hereinafter) and the Luxembourg AML framework is therefore largely influenced by EU harmonisation efforts in this area. EU instruments also include Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and Regulation (EU) 2018/1672 of the European Parliament and of the Council of 23 October 2018 on controls on cash entering or leaving the Union.

Luxembourg is also a member of the Organisation for Economic Co-operation and Development (OECD) and a member jurisdiction of the Financial Action Task Force (FATF) and expected to comply with the FATF Recommendations.

1.3. Which public sector bodies and authorities are responsible for enforcing the AML laws and regulations? What powers do they have?

The AML Law lists three supervisory authorities which oversee the compliance by the professionals they supervise with AML obligations:

• the Commission de Surveillance du Secteur Financier (CSSF), which is responsible for ensuring AML compliance by credit institutions, investment firms, local professionals of the financial sector (such as corporate domiciliation agents, registrar agents, etc.), payment institutions, electronic money institutions, tied agents, securitisation undertakings (in certain cases), undertakings for collective investment, management companies, alternative investment fund managers, certain pension funds and other financial sector entities falling under its supervision;
• the Commissariat aux Assurances (CAA), which is responsible for ensuring AML compliance by insurance and reinsurance undertakings, insurance intermediaries, other professionals of the insurance sector and certain pension funds; and
• the Administration de l'Enregistrement, des Domaines et de la TVA (AED), which is responsible for ensuring AML compliance by non-financial sector entities not covered by the other public sector bodies and authorities mentioned above or the self-regulatory organisations. These include notably real estate agents, real estate developers, tax advisers, certain trust and company service providers, providers of gambling services, operators in a free zone, certain persons trading in goods, persons trading or acting as intermediaries in the trade of works of art (including when this activity is carried out by art galleries and auction houses), and persons storing, trading or acting as intermediaries in the trade of works of art when this activity is carried out by free ports.

The supervisory authorities may:

• have access to any document;
• request information from any person;
• carry out on-site inspections;
• obtain recordings of telephone and electronic communications;
• require the cessation of any practice;
• request the freezing or sequestration of assets;
• impose the temporary prohibition of professional activities;
• require statutory auditors to provide information or to perform on-site investigations;
• refer information to the State Prosecutor for criminal prosecution;
• suspend the members of an institution's management body;
• suspend the exercise of voting rights in a supervised entity; and
• suspend the pursuit of the business of the supervised entity.

The supervisory authorities may impose sanctions including warnings, reprimands, public statements, withdrawals or suspension of authorisations, temporary bans from exercising activities, and administrative fines (of maximum twice the amount of the benefit derived from the breach or EUR 1 million). There are additional sanctions for specific cases or entities (for instance fines of up to EUR 5 million or 10% of the total annual turnover for banks).

The Cellule de Renseignement Financier (CRF) – the Luxembourg Financial Intelligence Unit (FIU) – receives and analyses suspicious transaction reports and suspicious activity reports. The State Prosecutor is responsible for prosecuting criminal offences.

1.4. Are there any self-regulatory organisations or professional associations? What powers do they have?

The AML Law includes the following self-regulatory organisations which are responsible for ensuring AML compliance by the professionals falling under their supervision:

• the Institut des réviseurs d'entreprises (for statutory auditors (réviseurs d'entreprises) and approved statutory auditors (réviseurs d'entreprises agréés));
• the Ordre des experts-comptables (for accountants);
• the Chambre des Notaires (for notaries);
• the Ordre des avocats (for lawyers); and
• the Chambre des huissiers (for bailiffs).

The self-regulatory organisations may:

• have access to any document;
• request information from any person;
• carry out on-site inspections;
• obtain recordings of telephone and electronic communications;
• require the cessation of any practice;
• request the freezing or sequestration of assets;
• impose the temporary prohibition of professional activities;
• require statutory auditors to provide information or to perform on-site investigations; and
• refer information to the State Prosecutor for criminal prosecution.

The self-regulatory organisations may impose sanctions including warnings, reprimands, public statements, temporary bans from exercising activities, temporary suspension of the right to practice the relevant profession or lifelong bans, and administrative fines (of maximum twice the amount of the benefit derived from the breach or EUR 1 million).

1.5. What is the general approach of the financial services regulators in enforcing the AML laws and regulations?

Financial sector regulators – in particular the CSSF and the CAA – adopt regulations and circulars to complement the general measures described in the AML Law. These include additional details about, for instance, the duties and responsibilities of AML compliance officers, the documentation to be collected during customer due diligence, simplified or enhanced due diligence measures, the content of policies, and provide guidance, for instance on the regulators' expectations with respect to the design of an AML risk analysis.

Financial sector regulation is also designed in a way that ensures regular updates on AML matters. Fund managers, for instance, are expected to fill out a "market entry form" (MEF) not only when they are being set up, but also in case of license extension, merger, or entry of a new qualifying shareholder in the shareholding structure of the manager. This MEF includes AML-related data points (and for instance requires the fund managers to ensure that their shareholding structure does not present any risks from an AML perspective).

Regulators rely on annual AML reports from supervised entities, but can also organise market surveys, ask questions within the remit of their supervisory powers and, when deemed relevant, perform on-site AML inspections.

Certain large entities have regular meetings with the FIU to discuss reports.

1.6. What are the statistics regarding past and ongoing AML procedures in your jurisdiction?

Statistics about AML procedures can be found in the annual report of the CRF and in the annual reports of supervisory authorities and self-regulatory bodies.

According to its 2020 annual report, the CRF received 40,782 suspicious transaction reports in 2020, including 40,328 relating to money laundering and 454 relating to the financing of terrorism. It also issued blocking orders for an aggregate amount of EUR 223,924,013.14. The annual report provides more granularity, showing for instance that banks submitted 2,503 reports in 2020 whereas online service providers (including payment institutions, electronic money institutions, virtual asset service providers and retail banks providing online services) submitted 26,254 reports.

For the financial sector, the latest annual report of the CSSF states that the CSSF performed 35 on-site inspections relating to AML matters. The most significant shortcomings identified related to the efficiency of name matching tools, deficiencies in transaction monitoring, lack of enhanced due diligence on higher risk clients, delays in the periodical review of customers, and failures to report.

In 2021 the CSSF also imposed 16 AML-related fines on financial sector entities including banks, investment firms, investment fund managers, payment institutions, and other professionals of the financial sector, with the amount of the fines ranging from EUR 5,000 to EUR 1,320,000.

1.7. What reporting activities exist for reporting suspicious activities and/or transactions (SARs)? Are there any specific powers to identify the proceeds of crime or to require an explanation as to the source of funds?

The persons subject to the AML Law (hereinafter referred to as the professionals), their directors, and their employees are required to promptly inform the CRF when they know, suspect or have reasonable grounds to suspect that money laundering, an associated predicate offence or terrorist financing is being committed or has been committed or attempted.

The reporting obligation covers all types of transactions (including attempted suspicious transactions) regardless of their amounts and requires the filing of all supporting information and documents having prompted the report.

Generally, the SAR is filed by the person appointed as responsible for compliance with applicable AML obligations within the relevant professional. Filings are made via an online platform (goAML).

As part of their customer due diligence measures professionals may request from their customers and potential customers information on the source of their funds and wealth.

When the relevant business relationship or transaction involves high-risk countries, obtaining such information in relation to the customer and its beneficial owner(s) is compulsory; similarly, when entering into a business relationship or transaction with politically exposed persons the professionals shall take reasonable measures to establish the source of wealth and source of funds involved in the transaction.

1.8. Is there a central authority for reporting (ie, a Financial Intelligence Unit (FIU) responsible for assessing SARs reported from relevant entities subject to AML requirements)? Does this authority work internationally?

The national authority responsible for receiving and analysing suspicious transaction reports and other information regarding suspicious facts that might amount to money laundering, associated predicate offences, or terrorism financing in Luxembourg is the Financial Intelligence Unit (Cellule de Renseignement Financier or CRF).

The CRF may exchange, spontaneously or upon request, with a foreign FIU of whatever type, any information and supporting documents that may be relevant for the processing or analysis of information related to money laundering, associated predicate offences, or terrorism financing and the natural or legal person(s) involved.

The CRF may only refuse to exchange information and supporting documents with an FIU from other EU Member States in exceptional circumstances (where the exchange could be contrary to fundamental principles of national law). The CRF may also refuse to exchange information or documentation with a FIU from a third country.

The CRF and Europol may also exchange all information that fall within Europol's missions as referred to in Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol).

The CRF is also responsible for disseminating, spontaneously or upon request, to the Luxembourg competent authorities and self-regulatory bodies and to the judicial authorities, the result of its analyses as well as any other relevant information, when there are reasonable grounds to suspect money laundering, an associated predicate offence or terrorist financing.

1.9. What relevant public or private corporate or other registers exist to assist with conducting and/or validating AML information, ultimate beneficial owners etc; and what details must be disclosed?

The main registers available to professionals to assist them in their KYC activities are the Trade and Companies Register (Registre de commerce et des sociétés) (RCS), the Beneficial Owner Register (Registre des bénéficiaires effectifs) (RBE) and the Register of Fiduciary Contracts and Trusts (Registre des fiducies et des trusts) (RFT).

The RCS is governed by the Luxembourg law of 19 December 2002 on the Trade and Companies Register and the accounting and annual accounts of companies, as amended (the RCS Law), and is not primarily dedicated to AML/CFT. The RBE and the RFT where introduced by the Luxembourg law of 13 January 2019 establishing the Beneficial Owner Register (the RBE Law) and the Luxembourg law of 10 July 2020 establishing a Register of Fiduciary Contracts and Trusts (the RFT Law), respectively, for the purposes of transposing the provisions of Articles 30 and 31 of AMLD.

The RFT is maintained by the AED, whereas the RCS and the RBE are maintained by an economic interest grouping (groupement d'intérêt économique) called "Luxembourg Business Registers".

All the entities listed in Articles 1(2) to (16) of the RCS Law – meaning all legal persons that have to register with the RCS, including notably most commercial companies, foundations, and nonprofit organisations – must provide information to the RBE. Likewise, fiducies and express trusts must provide information to the RFT.

The RCS allows professionals to obtain information about corporates and to collect documentation such as corporate register extracts, articles of association, or annual accounts for instance. The RFT contains information about fiducies and express trusts.

The RBE and the RFT allow the collection of beneficial ownership information for all corporates registered with the RCS and the entities registered with the RFT. The information about beneficial owners to be provided to the RBE and the RFT includes their names, first names, nationality(ies), date and place of birth, country of residence, address, personal identification number, and nature and extent of the interests held in the relevant legal entities.

1.10. How do such registers interoperate with one another and do they do so internationally?

National authorities as defined in the RBE Law and the RFT Law are entitled to obtain access to the information included in the RBE and RFT. Under the AML Law, supervisory authorities and self-regulatory organisations are required to cooperate with their foreign counterparts and the European Supervisory Authorities meaning beneficial ownership and other corporate information may be shared between authorities internationally. In addition, in accordance with Articles 30(10) and 31(9) of AMLD, the RBE and the RFT must be interconnected via the European Central Platform established by Directive (EU) 2017/1132.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.