AML/KYC 2018, between the Holy Grail and the magician’s hat

Published on 02/04/2018

After months of anticipation, the implementation of the 4th AML European Directive (AML Directive) is finally materialising in Luxembourg as the drafted laws come into force.

The consultation process of project 7128 came to an end, and with it came a unanimous vote on the first set of rules implementing the AML Directive, which was published on February 14, 2018, while further pieces of the comprehensive effort to implement the AML Directive are still ongoing in parliament.

This new framework is composed of several modifications, which started with the joint circular 17/650 from Luxembourg’s Financial Services commission (CSSF) and the Financial Investigation Unit (CRF) and are now enforced by the modification of the 2004 law, materialising one of the most important changes that the financial sector has experienced in Luxembourg in the last couple of years.

Some of those changes come as part of an international campaign for further transparency rules and deeper international cooperation, as is the case with the inclusion of tax crimes as predicate offences (tax evasion and aggravated tax fraud).

In addition, new rules on risk scoring, risk assessment and KYC are implemented in order to ensure tax transparency and compliance with the application of an objective Risk Based Approach, in a larger effort to fight against criminality and unlawful practices.

Other material changes include the fine-tuning of the definitions of ultimate beneficial owner and politically exposed person, together with the inclusion of some registers of ultimate beneficial owners (for corporate and incorporated entities, and legal arrangements), which will allow access to beneficial ownership information under certain conditions.

As a response to such relevant and continuous changes, several Obliged entities have been searching for the Holy Grail of Customer Due Diligence, to transform what has become a very manual and time-consuming exercise into a more client-friendly and fluid communication between the Obliged entities and their clients.

In this quest, several Obliged entities are looking at different solutions, ranging from the use of blockchain technology to transfer data based on audit trails, through the reengineering of departments to prevent the duplication of work, to the creation of a dedicated (licensed) entity to form a more holistic task force that deals, on a centralised and mutualised basis, with the developing KYC and AML requirements common to all Obliged entities seeking a standardisation of procedures.

These initiatives seem to have some goals in common: standardisation of requirements (including market practice), avoidance of duplication of work, and the creation of specialised undertakings which take AML/CTF as their core business in order to generate further specialisation.

All such efforts come at a moment when the interconnection between technology and knowledge has become pivotal to the market, in reaction to the multijurisdictional implementation of a number of EU legal texts (GDPR, AML, CTF, Payments, Cyber security…), and when compliance continues to become a more and more challenging environment for the isolated implementation of requirements.

In this new landscape, profitability seems to be more and more difficult to achieve, while regulations require a much more in-depth understanding of supporting functions, adding further potential cost and slowing down the decision-making process, and therefore impacting efficiency in the global markets.

End users expect speed and flexibility while regulators struggle to define rules which allow new technologies to gain space while enhancing security and protecting the public.

A clear example of such complexity and conflicting implementation can be seen in the newly published amendment to the Luxembourg AML framework, according to which professionals shall continue keeping copies of due diligence records (as part of the rules set in Art. 40 of the AML Directive and Art. 3 (6) a) of the 14 Feb 2018 Law (New AML Law)), while, contrary to the 4th AML Directive, only evidence of transactional documents is to be retained (such as subscription forms, account opening forms, transfer and payment orders, etc.).

It is to be noted that the 4th AML Directive defines that copies of KYC/AML documents are to be kept, while originals (or similar) should be maintained for transactional matters.

With the aforementioned difference of wording, Luxembourg Obliged entities may face the challenge of either following local regulation (and therefore retaining simple copies in both cases) or applying the EU definition (keeping only copies for KYC/AML and originals (or equivalent) for documents related to the business relationship).

As seen above, in this dynamic environment, the Luxembourg parliament debated and accepted the amendment to the 2004 law, including some significant and long-expected changes, as was the case for the role of self-regulatory bodies, and some unexpected changes in matters such as the aforementioned rules for record keeping.

In cases like the one mentioned, it is crucial for each Obliged entity to determine (as part of its assessment) which standard to follow, how to better utilise resources in order to prioritise changes, and what the impact could be in terms of organisational change when applying the rules and controls in a more technical and complex way.

With further specialisation and the addition of higher standards in terms of the professional obligations applicable to all Obliged entities, the EU is looking to generate a more secure and standardised market.

Unfortunately, the result of such efforts seems to be pushing the compliance function towards a more “magician” approach, where requirements appear to vary for unknown reasons and the communication between the business and compliance appears to become an encrypted code which none of the receivers follows or understands.

I have collected in the past couple of years the testimony of frustration from client-facing teams with regard to the lack of a defined standard and the conflicting approach to cases, which often end up with frustration at the client and at the collector of the information, as both seem to be simple spectators of how compliance takes “out of the hat” a new trick each time.

By achieving standardisation and efficiency, as well as a common understanding, clients and Obliged entities will benefit from more transparency and an improved client experience, breaking the current mysterious approach of keeping compliance analysis and decisions as some sort of magic trick whose secrets cannot be revealed.

This is where the search for the Holy Grail faces complexity, to then transform uncertainty into specialisation, magical recipes into transparency and duplication into mutualisation, by adding technology and a grasp of task allocation to the equation.

In summary, it is time to conclude the era of the mystery of compliance and embrace compliance 2.0.


Jaime Prieto, Head of Risk and Compliance, MLRO

i-Hub S.A.