The Commission de Surveillance du Secteur Financier (CSSF) has announced that, in fulfilling its statutory tasks of supervisory authority, the CSSF verifies on a continuous basis compliance by supervised entities with Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) laws and regulations through a number of ways, including off-site (desk-based) reviews, external auditors performing an annual audit and reporting to the CSSF by way of a long-form report, including a chapter on AML/CFT, reports by compliance officers and internal auditors, and on-site inspections carried out by the CSSF.

The CSSF has been conducting AML/CFT on-site missions within the financial sector on a regular basis since 2000. Since 2010 alone, the CSSF AML/CFT on-site-team has conducted 252 specific AML/CFT missions, and imposed sanctions in case of serious breaches of AML/CFT rules and/or deficient controls in this area.

The CSSF took note of the so-called “Panama Papers”, published in April 2016, and started to perform a comprehensive review of corporate accounts, whether or not related to Mossack Fonseca or Panama, and more particularly to verify the respect of "know your customer" and "know your transaction" obligations. This specific review primarily covered a large number of banks and was broadened in 2017 to also include investment firms and other professionals in the financial sector.

More specifically, the CSSF decided in 2016 to appoint external auditors to carry out procedures in relation to offshore structures in a large number of banks. In 2016, the CSSF sent a questionnaire to all 73 banks active in private wealth management. Further to a desk-based review of the responses, an on-site review was performed at the 30 banks holding 80% of all corporate accounts related to offshore structures. A large sample representing 20% of all corporate accounts related to offshore structures was verified.

The on-site review procedures concerning banks were initially performed by the external auditors in order to enable the CSSF to identify non-compliance with the requirements of the Law of 12 November 2004 on the fight against money laundering and financing of terrorism, the Grand-ducal regulation of 1 February 2010 providing details on certain provisions of the Law of 12 November 2004 and the CSSF Regulation 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing, as applicable. The review procedures mainly covered the four following aspects:

1. Due diligence procedural measures applied by the banks to offshore structures;

2. Risk-based approach established by the auditors for sampling purposes;

3. Know Your Customer (KYC) documentation and information testing on a sample of offshore structures;

4. Know Your Transactions (KYT) information and documentation testing on a sample of offshore structures.

More specifically, the auditors summarised in their reports the due diligence measures applied to offshore structures and reported any non-compliance with the requirements of the laws and regulations mentioned above. For the sample of offshore structures selected, the auditors verified that KYC documents and information were present in the account opening files or could be obtained through inquiries with staff members of the bank to support amongst others: the reason why the offshore structures had been set up, the information on the origin of funds, and the identification of the client, its representative(s) or of the ultimate beneficial owner. For the sample of offshore structures selected and based on the lists received by the auditors of all transactions since the opening or for the past 10 years of all accounts linked to the offshore structures, the auditors, by applying a risk-based approach, selected a sample of transactions and performed a certain number of controls. As regards the specifically chosen sample of investment firms and other professionals in the financial sector, the CSSF performed itself in 2017 a similar comprehensive review of corporate accounts, more particularly verifying the respect of "know your customer" and "know your transaction" obligations by those supervised entities.

All these verifications showed that adherence to Luxembourg laws and regulations applicable to them at the relevant moments in time was the norm for a large majority of supervised entities reviewed. Where the CSSF found medium or severe breaches, it followed up through letters sent to the supervised entities concerned and where appropriate, through further on-site reviews performed by the CSSF during the year 2017.

In accordance with the rule of law and the right to be heard, the CSSF then granted the supervised entities concerned the right to submit any comments in relation to the findings and the CSSF’s analysis thereof. Taking account of the comments and responses submitted by the supervised entities, the CSSF decided on the appropriate measures to be taken. In some cases, where few minor breaches were found, the CSSF gave injunctions that have immediately been complied with by the relevant supervised entity.

In other cases, where several medium or even severe breaches were found and objectively established, the CSSF decided to impose administrative sanctions. Sanctions have thus been imposed on 9 supervised entities (including 4 banks) in the form of a fine, its amount depending on the severity of the breaches. The total of these fines amounts to €2,012,000. The organisations fined included the following:

1. Banks (in alphabetical order)
• CA Indosuez Wealth (Europe)
• DNB Luxembourg S.A.
• Nordea Bank S.A.
• Novo Banco S.A., Succursale de Luxembourg

2. Other supervised entities (in alphabetical order)
• Experta Corporate and Fund Services S.A., Luxembourg (formerly Experta Corporate and Trust Services S.A.)
• Link Corporate Services S.A. (formerly Capita Fiduciary S.A.)
• Maitland Luxembourg S.A.
• Pure Capital S.A.
• Victory Asset Management S.A.

It should be noted that grievances identified by the CSSF during its analysis related to the less recent past, that all supervised entities under review fully cooperated with the CSSF and that all entities eventually sanctioned launched a process of compliance within their respective internal governance, as requested by the CSSF. These positive initiatives have been taken into account by the CSSF when determining the amount of the fine.

The CSSF has stressed that it will continue to firmly request and enforce the principle that Luxembourg banks, investment firms and other professionals in the financial sector thoroughly follow the professional obligations in the future, specifically with regards to the prevention of money laundering (including all elements relating to newly introduced primary offences) and will draw the appropriate consequences if they fail to do so, as was the case in the past.