On 22 April 2022, the CSSF published CSSF circular 22/807 amending the CSSF circular 12/552 on central administration, internal governance and risk management to take account of amended or new guidelines issued by EBA and/or ESMA.

Credit institutions^[1] have until 30 June 2022 to implement the new requirements^[2].

Implications for the management body and the internal control functions

Organisation and responsibilities of the supervisory body

• the supervisory body must approve and lay down in writing guiding principles regarding equality and non-discrimination. In this context, the supervisory body (or the nomination committee) shall improve the representation of under-represented gender among the staff members exercising managerial responsibilities within the meaning of Commission Delegated Regulation (EU) 2021/923;
• when laying down the risk strategy, it shall ensure that it includes a framework for the monitoring and mitigation of all risks including forthwith those triggered by the macroeconomic environment;
• when overseeing the authorised management, it must ensure that the business model, the internal governance framework and the risk management framework take into account all risks and all relevant risk factors including AML/CTF risks, risks related to the provision of investment services as well as ESG risks, which may have an impact on prudential risks;
• it must ensure that the credit institution engages actively with, and dedicates sufficient resources to risk topics;
• it aims at avoiding that decisions within the supervisory body are dominated by one member or a small group of members;
• it ensures that the majority of its meetings takes place at the Luxembourg seat of the credit institution with a majority of members being physically present;
• regarding specialised committees that may assist the supervisory body, it is specified that they may require any document or information that they deem useful for the purpose of their mission, including information related to AML/CTF matters.

Responsibilities of the authorised management

• the authorised management must ensure that the policies of the credit institution are gender neutral and guarantee fair treatment and equal opportunities for all staff members (in particular, such policies should facilitate the reintegration of staff after maternity, paternity of parental leave);
• as set out in the CSSF regulation 12-02, it must appoint one of its members as responsible for compliance with AML/CTF obligations.

Organisation and responsibilities of the internal control functions

• irrespective of the specific responsibilities of the compliance function in that field, all internal control functions must contribute to the fight against money laundering and terrorist financing;
• based on the proportionality principle, the Chief Compliance Officer may be assisted by an AML Compliance officer or a dedicated team reporting to him/her;
• the annual report to be addressed annually to the CSSF by the Chief Compliance Officer must include a specific section on the implementation status of the AML/CTF compliance monitoring plan.

Certain internal governance and internal control arrangements need to be reviewed

Internal governance arrangements

• generally, the arrangements must be compliant with legal and regulatory requirements including those applicable in the fields of AML/CTF or the provision of investment services;
• the code of conduct must include examples of acceptable and non-acceptable professional behaviours and practices, including with regard to AML/CTF.

Internal control framework

• the framework must include processes and procedures to prevent fraud and ensure compliance with AML/CTF obligations (including staff information and staff training).

Complex structures and non-standard or potentially non-transparent activities

• a credit institution must not create or maintain opaque or unduly complex structures with no clear economic justification or legal objectives or structures that could be seen as being created for purposes linked to financial crime;
• the internal audit function shall regularly review the economic justification and the purpose of such structures on a risk-based approach;
• complex structures and non-standard or potentially non-transparent activities shall be subject to an in-depth analysis and ongoing monitoring of risks, in particular, those associated with financial crime and AML/CTF. The criteria to be taken into consideration for such an analysis are now detailed^[3]. The same analysis should be performed in case of non-standard or non-transparent activities carried out on behalf of clients (such as for instance the provision of fiduciary services).

Transactions with related parties^[4]

• specific decision and monitoring frameworks must be set out;
• for loans specifically granted to members of the management body and their related parties, precise documentation requirements kick in^[5]. Such information must be kept up-to-date and provided to the competent authority upon request;

• additional requirements apply for loans in excess of EUR 200.000,00.

Credit institutions ought to start immediately the review of their internal governance and internal control arrangements

The new requirements will be applicable as of 30 June 2022.

^{[1] The revised CSSF circular 12/552 applies to Luxembourg credit institutions and their branches, Luxembourg branches of third-country credit institutions, Luxembourg branches of EU credit institutions in respect of the areas for which the CSSF retains oversight responsibility and partly to professionals carrying out lending operations (the potential impact of the amendments on this category of professionals is out of scope of this eAlert).
[2] This eAlert considers the key points of actions but should not constitute an exhaustive analysis of the changes triggered by the CSSF circular 22/807.
[3] As further detailed in point 166 of the CSSF circular 12/552.
[4] The concept of related party has been broadened in the definition in Chapter 1, point 1, paragraph 7 of the CSSF circular 12/552.
[5] As further detailed in point 179 of the CSSF circular 12/552.}