RegTech Know-How Series #5
AML/CFT obligations and the Luxembourg fund industry: using digital platforms to streamline compliance
Luxembourg fund industry players, in particular investment fund managers and regulated funds, have been the focus of several recent regulatory developments to combat money laundering and terrorist financing (AML/CFT).
The need for sector-specific AML/CFT measures is partly due to the particularities of collective investment structures, which typically involve a number of actors (notably investment fund managers, intermediaries, investors, and delegates such as transfer agents/registrars and portfolio managers). This results in the necessity of AML/CFT controls at several levels, including Know-Your-Customer (KYC), Know-Your-Intermediary/Know-Your-Distributor (KYI/KYD) and Know-Your-Asset (KYA) processes, while also ensuring appropriate supervision of delegates.
For fund industry players, the challenge is to ensure that this multi-level diligence is carried out both thoroughly and efficiently.
In this article, we take a look at:
- The key recent AML/CFT evolutions relating to the Luxembourg fund industry,
- The resulting operational challenges for relevant players and how digital platforms and toolsets can help, with a focus on KYC and KYI/KYD processes.
Sector-specific AML/CFT risks
The Luxembourg fund industry faces inherent AML/CFT risks. Earlier this year, the CSSF updated its sub sector ML/TF risk assessment for the collective investment sector, maintaining its overall high-risk rating. In its initial 2020 risk assessment, it highlighted that the sector is mainly exposed to money laundering crimes such as fraud, tax crimes, corruption, bribery, insider trading and market manipulation, with the risk for terrorism financing being lower due to its nature (notably as fund investments are often medium/long term, whereas terrorism financing typically involves easily redeemable funding).
Meanwhile, the COVID-19 pandemic, as well as the geopolitical crisis which marked the beginning of 2022, gave rise to new, specific AML threats from criminal groups and difficulties in applying existing due diligence practices.
The cumulative impact of the above is a growing emphasis on security and AML/CFT processes, reflected notably by reinforced regulatory obligations.
1. Overview of key recent AML/CFT evolutions relating to the fund industry
Investment funds and their investment fund managers (where applicable) are required to apply due diligence measures to their investors, intermediaries, delegates, and investments. These include core AML/CFT obligations such as initial identity verification and due diligence, name screening, PEP checks, and ongoing monitoring.
What are the key recent regulatory AML/CFT developments?
The AML/CFT framework applicable to the financial industry, as mentioned above, has been reinforced in recent years, notably as regards the investment fund sector.
Key recent Luxembourg AML/CFT texts relevant to the fund industry are the following:
|Law of 25 March 2020 amending the law of 12 November 2004 on the fight against money laundering and terrorist financing||
Implementation in Luxembourg law of the 5th anti-money laundering Directive, including the following measures having a substantial impact on the fund sector:
|Grand Ducal Regulation of 14 August 2020 amending the Grand Ducal Regulation of 1 February 2010||Clarifies obligations on ongoing customer due diligence measures on existing customers as well as when to apply enhanced due diligence|
|CSSF Regulation 20-05 of 14 August 2020 amending CSSF Regulation 12-02 on the fight against money laundering and terrorist financing||
|Circular CSSF 20/740||Guidance on AML/CFT implications of the COVID-19 pandemic|
|Circular CSSF 20/744||Update of guidance on the extension of the offence of money laundering to aggravated tax fraud and tax evasion and applicable AML/CFT obligations to provide for new indicators to be taken into account in the context of collective investment activities|
|CSSF Circular 21/782||Adoption of the revised guidelines by the EBA on ML/TF risk factors including sectoral guidelines for providers of investment funds|
|Circular CSSF 21/788||Obligation for all investment fund managers (and regulated UCIs not managed by an IFM) to appoint an approved statutory auditor to prepare a CSSF AML/CFT external report annually, clarifying of content, including sample testing|
Who is subject to the above AML/CFT obligations within fund structures?
- Luxembourg laws and Grand Ducal Regulations: all undertaking for collective investments (UCIs) and investment fund managers (IFMs)
- CSSF Circulars/Regulations: entities under the CSSF’s scope of supervision. In the case of a fund regulated by the CSSF, this applies directly to both the fund and (if applicable) its IFM. However, unregulated funds may also be subject to indirect supervision by the CSSF through their IFM. In fact, in a thematic review carried out in 2020 on AML/CFT controls applied to unregulated AIFs by the IFM, the CSSF found that the indirect supervision on the unregulated AIFs through supervision of their IFMs “works well in practice”, with “no divergence in terms of application of AML/CFT procedures and controls between regulated funds and unregulated AIFs”.
Good to know:
Fund managers are of particular importance to AML/CFT compliance. The CSSF, in its ML/TF risk assessment, specifically targets IFMs “considering their specific AML/CFT roles and responsibilities”.
What are the main sector-specific obligations which apply to the fund industry?
1 – Multi-layered due diligence obligations due to third parties involved in fund structures:
As mentioned, the number of parties typically involved in fund structures leads to challenges in ensuring compliance with due diligence obligations at all levels.
Due diligence obligations differ depending on the set-up, notably on the two following points:
- Whether the UCI/IFM has a direct relationship with end-investors or goes through intermediaries:
Where the fund has direct investors subscribing to fund interests for their own benefit, full KYC checks must be applied to each investor (which may be a moral or physical person).
In the case of distribution of fund interests through intermediaries, the UCI/IFM can generally rely on the intermediary’s due diligence on end-investors. However, this requires that the UCI/IFM itself strictly controls the intermediary. CSSF Regulation 20-05 introduced the obligation of a two-tiered due diligence approach:
- First, the intermediary, the persons representing it and its beneficial owners must be identified and verified according to a risk-based approach.
- Second, the UCI/IFM must implement enhanced due diligence (EDD) measures on the business relationship in order to assess the robustness of the intermediary’s AML/CFT control framework.
The UCI/IFM must have a general sense of the type of investors behind the intermediary, even if it does not typically need to redo KYC checks on the end-investors: the distribution model should be well understood.
- Whether the UCI/IFM externalises obligations to delegates:
If a UCI/IFM appoints delegates such as registrar and transfer agents, portfolio managers and investment advisors, it bears full responsibility for their compliant application of AML/KYC controls. The UCI/IFM must carry out a risk assessment in respect of the delegate and conduct appropriate due diligence measures, as well as regular and ad-hoc compliance checks (e.g. sampling).
Regulation 20-05 requires that the obligations of each party concerning AML/CFT monitoring be clearly defined in the delegation/outsourcing agreement. Special consideration must be given to the delegates’ obligation to make available any information necessary for the performance of due diligence and ongoing monitoring, as the UCI/IFM retains full ultimate responsibility for ensuring that AML/CFT requirements are met.
2- Governance obligations encompassing both the UCI and IFM (where one is appointed):
In all cases, the ultimate responsibility regarding compliance remains with the board of directors (or equivalent body) of the UCI/IFM.
The AML/CFT controls of the UCI tend to be delegated to the IFM where one is appointed. Indeed, since the entry into force of Regulation 20-05, each UCI and each IFM is required to appoint a person responsible for compliance with the AML/CFT obligations at the level of the authorised management or the board of directors, called the ‘person responsible for compliance’ (the RR), as well as a ‘person responsible for the control of compliance’ (the RC). At the level of the UCI, the RC role can be delegated to a third party e.g. staff member representing the IFM – so in practice, many UCIs are delegating to their IFM the role of RC.
However, the RC must have permanent access to all internal documents and systems required to perform his/her duties. Meanwhile, the RR (at both UCI and IFM level) must have sufficient knowledge of the investments and distribution strategy of the fund and of applicable AML/CFT legislation. It follows that an adequate governance and communication process between UCIs and IFMs is important.
Moreover, since the publication of Circular 21/788 (which came into force in December 2021), all IFMs and all UCIs supervised by the CSSF (and not managed by an IFM) must use their existing approved statutory auditor (réviseur d’entreprises agréé) or, where they are not legally required to have one, appoint one for the purpose of drawing up the annual AML/CFT external report. This must be done within six months after the closing of the annual accounts of the entity. An important addition is that the auditor is also required to carry out sample testing, meaning that a robust, auditable record of AML/CFT checks is crucial.
Good to know: “Know-Your-Assets” obligations
It is also worth mentioning the KYA obligation for investments, formalised by Regulation 20-05. This requires professionals to analyse the ML/FT risk associated with an investment and take appropriate due diligence measures. The outcome of this assessment must be formalised and reviewed annually or in case of a trigger event.
KYA is particularly important in the case of funds that have a wide range of authorised investments and may be less complex in the case of funds investing mainly in low-risk assets such as listed companies on regulated markets.
2. Operational challenges and how digitalisation can streamline compliance
As highlighted above, one of the key challenges faced by UCIs/IFMs is to manage the multi-layered nature of AML/KYC checks across the fund structure.
In doing so, it is of particular importance to clearly define the role of each party involved and ensure sufficient interaction between them to avoid common pitfalls, such as over-delegation without effective supervision on the one hand, and implementation of overly time-consuming controls on the other.
This includes notably: the use of appropriate communication channels; a suitable platform for centralising and accessing information; the implementation of a streamlined and robust tool for uploading, storing and archiving documentation; and the maintenance of an easily exportable audit trail.
In the above case study:
- The UCI is set up as a RAIF (Luxembourg Reserved Alternative Investment Fund) which is a non-supervised AIF (in this case incorporated as a société anonyme). It is not directly supervised by the regulator but is indirectly supervised by its authorised external AIFM (Alternative Investment Fund Manager).
- The RAIF, in this set up, is handling AML/CFT controls through its AIFM (most likely in this situation, the role of RC would be delegated to a staff member of the AIFM).
- Fund distribution is done both directly and through distributors and other intermediaries. The AIFM may delegate all or part of the AML/KYC checks to the fund administrator, acting in this case as transfer agent and registrar.
- Meanwhile, investments are carried out with the help of a portfolio manager to whom the AIFM delegates KYA checks.
There are a number of AML/CFT angles to the above set-up, including Know-Your-Transaction and Know-Your-Assets processes to implement. For the purposes of this article, we focus on the ‘top-level’ layer of diligence: namely, KYC and KYI/KYD verifications, highlighting some key challenges.
Challenge 1: Establishing efficient communication channels between parties involved
The first challenge in the above set-up is that of establishing efficient and adapted communication streams between the different parties involved, using the right channels and ensuring centralisation and traceability of responses. This includes communication between the RAIF and the AIFM; the AIFM and its delegates (fund administrator, portfolio manager); and the AIFM and investors/intermediaries.
How digitalisation can help:
- A centralised communication platform can enable the AIFM to both send and request information, as well as keep track of communication streams and status of responses.
- The ability to use different communication channels depending on what is most appropriate (e.g. text message; email; paper mail; communication directly through accessing the central platform) is key to ensuring effective information flows, especially as the “appropriate” channel may differ depending on the party (e.g. a physical investor may prefer to receive an SMS or paper mail, whereas email communications generated for intermediaries can be more adapted).
- This also allows the creation of user profiles who can connect to the platform, notably for the RR and RC.
A digital platform can be used as the central point for generating and tracking communications through several channels such as text, paper, and email, through properly implemented APIs.
Challenge 2: Ensuring an effective KYC/KYI process when using multiple distribution channels
If all or part of KYC/KYI checks are carried out directly by the AIFM
Managing KYC over direct investors whilst simultaneously performing two-tier due diligence on intermediaries, as in the case study at hand, can increase complexity as it means running two distinct AML/CFT processes in parallel.
How digitalisation can help:
In addition to clear internal policies, it is important to have well-implemented workflows in each case. This can include, for instance, the automatic generation of customised due diligence questionnaires depending on whether the counterparty is a direct investor or an intermediary (which in any case can also be made more granular to be tailored to their typology), as well as the configuration of interfaces to generate validation requests (e.g. from the RC or management of the AIFM and/or RAIF) where appropriate.
It can also be very helpful to centralise all the information obtained in order to have a holistic overview of the entire AML/CFT risk of the investor base.
Intermediaries are not all equal. Using a global distributor which is part of the same financial group as the UCI or AIFM will, of course, not trigger the same AML/CFT process as using a previously unknown intermediary. Having a multi-view platform which allows for initial/ad-hoc KYI verifications, while being able to have pre-approved distributors which have already passed KYD controls, can be very helpful in managing this aspect.
If all or part of KYC/KYI checks are delegated to the fund administrator:
In the above case study, the AIFM may also choose to delegate all or part of KYC/KYI verifications to the fund administrator acting as transfer agent/registrar– which makes sense due to the fact that in its role as transfer agent/registrar it manages the list of investors and is therefore in a good position to carry out name screening, PEP checks, and similar controls.
In this case, the challenge for the AIFM is to exercise effective supervision and control over this third-party delegate, which is considered by applicable legislation as an outsourcing.
How digitalisation can help:
In addition to setting up internal procedures, well-implemented workflows and adapted communication streams are important for the monitoring of third-party outsourcing. A centralised platform can also be used to:
- Enable the transfer agent/registrar to upload any documentation requested by the AIFM directly on the platform;
- Generate requests to the transfer agent/registrar, which may include periodic reminders or tasks;
- Streamline the process of generating and obtaining feedback on sampling requests.
Challenge 3: Ensuring robust and efficient remote AML/CFT checks
As highlighted by the CSSF in a presentation in relation to Circular 20/740 on financial crime and AML/CFT implications during the COVID-19 pandemic, non-face-to-face entering into business relationships is already “common practice”. This puts the fund industry in a strong position to implement compliant remote customer onboarding, including digital KYC checks.
In a case scenario such as the above, the AIFM can leverage this industry head-start to implement robust digital tools for verifying the adequacy of KYC/KYI documentation, whilst maximising efficiency.
How digitalisation can help:
A variety of tools and processes can be implemented through a centralised digital platform, including electronic signature or eSEALs to certify the authenticity of documents, SMS-OTP (“One Time Password”) validation, and API connection to blacklist/sanction list name-check solutions, as well as dedicated tools to enable remote identification.
- For more details and how remote customer onboarding can be used, read: Remote customer identification for Luxembourg-regulated companies: how and why? – Finologee.
Challenge 4: Storage and maintenance of an audit trail
According to Circular CSSF 21/788, as detailed above, an approved statutory auditor must draw up each IFM/UCI’s AML/CFT external report on an annual basis, including performing sample testing. The Circular specifies that the report has one of its two sections “dedicated to sample testing or specific work to be performed by the external AML/CFT expert”, with the scope of the samples determined on the basis of risk-based approach.
In addition, the Law of 12 November 2004 imposes on all funds professionals within its scope the obligation to retain documents, data and information on AML/CFT checks carried out and to make them available to the Luxembourg authorities without delay, for at least five years after the termination of the business relationship with their customer or after the date of an occasional transaction.
How digitalisation can help:
Having an easily accessible and secure electronic archive of all AML/KYC checks through digital tracing/storage is a powerful and efficient means to comply with these obligations.
“Know-Your-Assets” verifications can be comparable to KYC flows when dealing with assets involving moral and physical persons (e.g. purchase of shares in a company), with the added complexity that the assets themselves must be verified on a risk-based approach. This may include their nature, taking into account risk-mitigating factors (e.g. the fact that assets are traded on a regulated market or issued by a listed company) and risk-increasing factors (e.g. purchasing unlisted assets, issuers in high-risk countries, etc.).
- A few general observations on the potential of digital tools in facilitating these verifications:
- The above considerations for ensuring robust remote AML/CFT checks apply similarly to assets’ due dilligence, which typically cannot be done in person, even when physical persons (e.g. company Ultimate Beneficial Owners (UBOs)) are involved.
- Centralising the ‘top’ (investor) due diligence and ‘bottom’ (investment) due diligence on one platform can be a valuable tool for streamlining processes, particularly when both must be carried out simultaneously.
- Considerations above relating to delegation/outsourcing to a transfer agent/registrar also generally apply to outsourcing asset management to a portfolio manager (or other third-parties exercising a similar role).
How we can work with you to optimise your AML/CFT processes:
If you are a UCI, an IFM, or another fund industry player subject to AML/CFT obligations, Finologee’s KYC Manager product can help put in place the above, which are just some examples of what we can build together.