RegTech Know-How Series #5

Luxembourg fund industry players, in particular investment fund managers and regulated funds, have been the focus of several recent regulatory developments to combat money laundering and terrorist financing (AML/CFT).  

The need for sector-specific AML/CFT measures is partly due to the particularities of collective investment structures, which typically involve a number of actors (notably investment fund managers, intermediaries, investors, and delegates such as transfer agents/registrars and portfolio managers). This results in the necessity of AML/CFT controls at several levels, including Know-Your-Customer (KYC), Know-Your-Intermediary/Know-Your-Distributor (KYI/KYD) and Know-Your-Asset (KYA) processes, while also ensuring appropriate supervision of delegates.   

For fund industry players, the challenge is to ensure that this multi-level diligence is carried out both thoroughly and efficiently.  

In this article, we take a look at: 

1. The key recent AML/CFT evolutions relating to the Luxembourg fund industry, 
2. The resulting operational challenges for relevant players and how digital platforms and toolsets can help, with a focus on KYC and KYI/KYD processes.

Investment funds and their investment fund managers (where applicable) are required to apply due diligence measures to their investors, intermediaries, delegates, and investments. These include core AML/CFT obligations such as initial identity verification and due diligence, name screening, PEP checks, and ongoing monitoring.

The AML/CFT framework applicable to the financial industry, as mentioned above, has been reinforced in recent years, notably as regards the investment fund sector.

Key recent Luxembourg AML/CFT texts relevant to the fund industry are the following:

• Luxembourg laws and Grand Ducal Regulations: all undertaking for collective investments (UCIs) and investment fund managers (IFMs)
• CSSF Circulars/Regulations: entities under the CSSF’s scope of supervision. In the case of a fund regulated by the CSSF, this applies directly to both the fund and (if applicable) its IFM. However, unregulated funds may also be subject to indirect supervision by the CSSF through their IFM. In fact, in a thematic review carried out in 2020 on AML/CFT controls applied to unregulated AIFs by the IFM, the CSSF found that the indirect supervision on the unregulated AIFs through supervision of their IFMs “works well in practice”, with “no divergence in terms of application of AML/CFT procedures and controls between regulated funds and unregulated AIFs”.

1 – Multi-layered due diligence obligations due to third parties involved in fund structures:

As mentioned, the number of parties typically involved in fund structures leads to challenges in ensuring compliance with due diligence obligations at all levels.

Due diligence obligations differ depending on the set-up, notably on the two following points:

• Whether the UCI/IFM has a direct relationship with end-investors or goes through intermediaries:

Where the fund has direct investors subscribing to fund interests for their own benefit, full KYC checks must be applied to each investor (which may be a moral or physical person).

In the case of distribution of fund interests through intermediaries, the UCI/IFM can generally rely on the intermediary’s due diligence on end-investors. However, this requires that the UCI/IFM itself strictly controls the intermediary. CSSF Regulation 20-05 introduced the obligation of a two-tiered due diligence approach:

1. First, the intermediary, the persons representing it and its beneficial owners must be identified and verified according to a risk-based approach.
2. Second, the UCI/IFM must implement enhanced due diligence (EDD) measures on the business relationship in order to assess the robustness of the intermediary’s AML/CFT control framework.

The UCI/IFM must have a general sense of the type of investors behind the intermediary, even if it does not typically need to redo KYC checks on the end-investors: the distribution model should be well understood.

• Whether the UCI/IFM externalises obligations to delegates:

If a UCI/IFM appoints delegates such as registrar and transfer agents, portfolio managers and investment advisors, it bears full responsibility for their compliant application of AML/KYC controls. The UCI/IFM must carry out a risk assessment in respect of the delegate and conduct appropriate due diligence measures, as well as regular and ad-hoc compliance checks (e.g. sampling).

Regulation 20-05 requires that the obligations of each party concerning AML/CFT monitoring be clearly defined in the delegation/outsourcing agreement. Special consideration must be given to the delegates’ obligation to make available any information necessary for the performance of due diligence and ongoing monitoring, as the UCI/IFM retains full ultimate responsibility for ensuring that AML/CFT requirements are met.

2- Governance obligations encompassing both the UCI and IFM (where one is appointed):

In all cases, the ultimate responsibility regarding compliance remains with the board of directors (or equivalent body) of the UCI/IFM.

The AML/CFT controls of the UCI tend to be delegated to the IFM where one is appointed. Indeed, since the entry into force of Regulation 20-05, each UCI and each IFM is required to appoint a person responsible for compliance with the AML/CFT obligations at the level of the authorised management or the board of directors, called the ‘person responsible for compliance’ (the RR), as well as a ‘person responsible for the control of compliance’ (the RC). At the level of the UCI, the RC role can be delegated to a third party e.g. staff member representing the IFM – so in practice, many UCIs are delegating to their IFM the role of RC.

However, the RC must have permanent access to all internal documents and systems required to perform his/her duties. Meanwhile, the RR (at both UCI and IFM level) must have sufficient knowledge of the investments and distribution strategy of the fund and of applicable AML/CFT legislation. It follows that an adequate governance and communication process between UCIs and IFMs is important.

Moreover, since the publication of Circular 21/788 (which came into force in December 2021), all IFMs and all UCIs supervised by the CSSF (and not managed by an IFM) must use their existing approved statutory auditor (réviseur d’entreprises agréé) or, where they are not legally required to have one, appoint one for the purpose of drawing up the annual AML/CFT external report. This must be done within six months after the closing of the annual accounts of the entity.  An important addition is that the auditor is also required to carry out sample testing, meaning that a robust, auditable record of AML/CFT checks is crucial.

As highlighted above, one of the key challenges faced by UCIs/IFMs is to manage the multi-layered nature of AML/KYC checks across the fund structure.

In doing so, it is of particular importance to clearly define the role of each party involved and ensure sufficient interaction between them to avoid common pitfalls, such as over-delegation without effective supervision on the one hand, and implementation of overly time-consuming controls on the other.

This includes notably: the use of appropriate communication channels; a suitable platform for centralising and accessing information; the implementation of a streamlined and robust tool for uploading, storing and archiving documentation; and the maintenance of an easily exportable audit trail.

Case study

In the above case study:

• The UCI is set up as a RAIF (Luxembourg Reserved Alternative Investment Fund) which is a non-supervised AIF (in this case incorporated as a société anonyme). It is not directly supervised by the regulator but is indirectly supervised  by its authorised external AIFM (Alternative Investment Fund Manager).
• The RAIF, in this set up, is handling AML/CFT controls through its AIFM (most likely in this situation, the role of RC would be delegated to a staff member of the AIFM).
• Fund distribution is done both directly and through distributors and other intermediaries. The AIFM may delegate all or part of the AML/KYC checks to the fund administrator, acting in this case as transfer agent and registrar.
• Meanwhile, investments are carried out with the help of a portfolio manager to whom the AIFM delegates KYA checks.

There are a number of AML/CFT angles to the above set-up, including Know-Your-Transaction and Know-Your-Assets processes to implement. For the purposes of this article, we focus on the ‘top-level’ layer of diligence: namely, KYC and KYI/KYD verifications, highlighting some key challenges.

The first challenge in the above set-up is that of establishing efficient and adapted communication streams between the different parties involved, using the right channels and ensuring centralisation and traceability of responses. This includes communication between the RAIF and the AIFM; the AIFM and its delegates (fund administrator, portfolio manager); and the AIFM and investors/intermediaries.

• A centralised communication platform can enable the AIFM to both send and request information, as well as keep track of communication streams and status of responses.
• The ability to use different communication channels depending on what is most appropriate (e.g. text message; email; paper mail; communication directly through accessing the central platform) is key to ensuring effective information flows, especially as the “appropriate” channel may differ depending on the party (e.g. a physical investor may prefer to receive an SMS or paper mail, whereas email communications generated for intermediaries can be more adapted).
• This also allows the creation of user profiles who can connect to the platform, notably for the RR and RC.

If all or part of KYC/KYI checks are carried out directly by the AIFM

Managing KYC over direct investors whilst simultaneously performing two-tier due diligence on intermediaries, as in the case study at hand, can increase complexity as it means running two distinct AML/CFT processes in parallel.

In addition to clear internal policies, it is important to have well-implemented workflows in each case. This can include, for instance, the automatic generation of customised due diligence questionnaires depending on whether the counterparty is a direct investor or an intermediary (which in any case can also be made more granular to be tailored to their typology), as well as the configuration of interfaces to generate validation requests (e.g. from the RC or management of the AIFM and/or RAIF) where appropriate.

It can also be very helpful to centralise all the information obtained in order to have a holistic overview of the entire AML/CFT risk of the investor base.

If all or part of KYC/KYI checks are delegated to the fund administrator:

In the above case study, the AIFM may also choose to delegate all or part of KYC/KYI verifications to the fund administrator acting as transfer agent/registrar– which makes sense due to the fact that in its role as transfer agent/registrar it manages the list of investors and is therefore in a good position to carry out name screening, PEP checks, and similar controls.

In this case, the challenge for the AIFM is to exercise effective supervision and control over this third-party delegate, which is considered by applicable legislation as an outsourcing.

In addition to setting up internal procedures, well-implemented workflows and adapted communication streams are important for the monitoring of third-party outsourcing. A centralised platform can also be used to:

• Enable the transfer agent/registrar to upload any documentation requested by the AIFM directly on the platform;
• Generate requests to the transfer agent/registrar, which may include periodic reminders or tasks;
• Streamline the process of generating and obtaining feedback on sampling requests.

As highlighted by the CSSF in a presentation in relation to Circular 20/740 on financial crime and AML/CFT implications during the COVID-19 pandemic, non-face-to-face entering into business relationships is already “common practice”. This puts the fund industry in a strong position to implement compliant remote customer onboarding, including digital KYC checks.

In a case scenario such as the above, the AIFM can leverage this industry head-start to implement robust digital tools for verifying the adequacy of KYC/KYI documentation, whilst maximising efficiency.

A variety of tools and processes can be implemented through a centralised digital platform, including electronic signature or eSEALs to certify the authenticity of documents, SMS-OTP (“One Time Password”) validation, and API connection to blacklist/sanction list name-check solutions, as well as dedicated tools to enable remote identification.

• For more details and how remote customer onboarding can be used, read: Remote customer identification for Luxembourg-regulated companies: how and why? – Finologee.

According to Circular CSSF 21/788, as detailed above, an approved statutory auditor must draw up each IFM/UCI’s AML/CFT external report on an annual basis, including performing sample testing. The Circular specifies that the report has one of its two sections “dedicated to sample testing or specific work to be performed by the external AML/CFT expert”, with the scope of the samples determined on the basis of  risk-based approach.

In addition, the Law of 12 November 2004 imposes on all funds professionals within its scope the obligation to retain documents, data and information on AML/CFT checks carried out and to make them available to the Luxembourg authorities without delay, for at least five years after the termination of the business relationship with their customer or after the date of an occasional transaction.

Having an easily accessible and secure electronic archive of all AML/KYC checks through digital tracing/storage is a powerful and efficient means to comply with these obligations.

If you are a UCI, an IFM, or another fund industry player subject to AML/CFT obligations, Finologee’s KYC Manager product can help put in place the above, which are just some examples of what we can build together.

Please get in touch with our team if you would like additional information, or a product demo: info@finologee.com – (+352) 27 75 08-1 or contact us on www.finologee.com.