Summary of impacts on reporting – Law of 25 March 2020 establishing a central electronic data retrieval system related to payment accounts and bank accounts identified by IBAN and safe-deposit boxes held by credit institutions in Luxembourg
REGULATORY ASPECTS OF THE LAW
THIS SECTION SUMMARIZES MAIN IMPACTS TO BE MANAGED FOR THE NEW REPORTING TO BE IMPLEMENTED BY CREDIT INSTITUTIONS AND PAYMENT INSTITUTIONS IN LUXEMBOURG
HIGH LEVEL CHRONOLOGY
- The 1st version of the Bill has been published under n°7512 as of 23/12/2019.
- The purpose of the bill was to complete the transposition of Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 (hereinafter: “5th Directive”) on the prevention of the use of financial system for the purposes of money laundering or terrorist financing.
- Article 32a of Directive (EU) 2015/849 provides that Member States must put in place centralized automated mechanisms, such as central registers or central electronic data retrieval systems, allowing identification, in a timely manner , of any natural or legal person who holds or controls payment accounts and bank accounts identified by an IBAN number, within the meaning of Regulation (EU) No 260/2012 of the European Parliament and of the Council, as well as safes held by a credit institution established in their territory. Such systems are indeed effective means of obtaining timely and unfragmented access to information on the identity of holders of bank accounts and payment accounts as well as of safes, their agents and their representatives. beneficial owners.
- The bill has been subject to approval and published in the Memorial A n°193 as of the Law of 25 March 2020 (hereinafter “the Law”), It is therefore proposed to set up a central electronic system for retrieving the aforementioned data from the Financial Sector Supervisory Commission (hereinafter “CSSF”). This central electronic data retrieval system would allow authorized persons within national authorities to search for data as part of their missions and investigations in the fight against money laundering and the financing of terrorism.
OBLIGATIONS OF PROFESSIONALS
- The central electronic data retrieval system draws data from files of professionals subject to this law in order to report the results of the research in the form of an overview. This therefore involves providing for rules for creating a data file within professionals subject to this law as well as rules for creating and accessing a central electronic data retrieval system within the CSSF.
- Chapter 2 of the Law provides the rules applicable to the creation of a data file and the conservation of this data on the holders of bank accounts, payment accounts and safes by professionals.
- The definition of “professionals” covers any person offering payment account or bank account maintenance services identified by an IBAN number, within the meaning of Regulation (EU) 260/2012 of the European Parliament and of the Council of March 14, 2012 establishing technical and commercial requirements for transfers and direct debits in euros and amending Regulation (EC) No 924/2009, hereinafter referred to as “Regulation (EU) No 260/2012”. This broad definition is in fact not limited only to credit institutions and must be interpreted in relation to the activity of the professional. Regarding safes, only credit institutions are covered by the notion of professional. In addition, not only all persons established in Luxembourg are covered, but also branches of Luxembourgers or foreigners established in Luxembourg.
- Article 2 provides in a first paragraph for the creation by professionals of a data file allowing the timely identification of any natural or legal person who holds or controls payment accounts or bank accounts identified by a IBAN number within the meaning of Regulation (EU) No 260/2012, as well as safes, if any, kept within such professionals.
DATA REPORTING OBLIGATIONS
- This file should contain a certain amount of information listed in this paragraph. This list corresponds to the information that must be available according to Article 32a, paragraph 3 of Directive (EU) 2015/849. Concerning the persons claiming to act on behalf of a client who are also to be entered in the data file, it should be understood, in particular, the agents holding a power of attorney of a legal person giving them the power to act on his behalf and the agents / authorized representatives of a natural person client.
- The obligation in accordance with Article 2, paragraph 1 concerns payment accounts and bank accounts identified by an IBAN number, within the meaning of Regulation (EU) No 260/2012, which exist on the date of entry into force of this law as well as the accounts which will be opened after this date. The obligation to set up the data file in accordance with article 2, paragraph 1 concerns safes that are rented on the date of entry into force of this law as well as safes that will be rented out. after that date. Paragraph 2 specifies that professionals must ensure that the data entered in the file are adequate, accurate and current. Customer data must be updated by virtue of the professional constant vigilance obligations in accordance with the 2004 law. In the event of any modification of the data, professionals must ensure that these changes are reflected in the file within a reasonable period of time. does not exceed one day.
- Paragraph 3 refers to the provisions of the 2004 law concerning the retention period of data contained in the data file.
- Paragraph 4 provides, for the purposes of harmonizing and simplifying procedures, that the CSSF defines the structure of the data file maintained by professionals and the details of the data concerned (cf section 2 related to the CSSF Circular).
POSSIBILITY TO OUTSOURCE THE DATA REPORTING
- Paragraph 5 provides for the possibility for professionals to resort to subcontracting under the conditions and according to the methods of article 41, paragraph 2bis, of the amended law of April 5, 1993 on the financial sector or of article 30 , paragraph 2bis, of the amended law of 10 November 2009 on payment services.
- Professionals may therefore subcontract their obligations under this law in accordance with the requirements to which they are subject within the framework of prudential regulations,
- in particular with regard to professional secrecy requirements. In this case, the professional retains full responsibility for complying with all of his obligations under this law
PRUDENTIAL SUPERVISION AND SANCTIONS
- Article 3 provides that the CSSF, as manager of the central electronic data retrieval system, will be in charge of monitoring compliance by professionals with their obligations under Chapter 2.
- Article 4 establishes the powers of the CSSF as manager of the central electronic data retrieval system in order to ensure that professionals comply with the obligations provided for in Chapter 2.
- Article 5 sets out the penalties applicable in the event of non-compliance by professionals with their obligations under the law. These are cases where professionals fail to set up the data file and keep the data therein in accordance with Article 2, paragraph 1, or to ensure that these data are adequate, accurate, current and up-to-date. up to date in accordance with Article 2, paragraph 2.
- This also covers cases where professionals fail to fulfill their obligation to provide access to data to the CSSF, in accordance with Article 2, paragraph 4, subparagraph 1, or when they knowingly provide access to the CSSF to data which is incomplete, inaccurate or false. It should be noted in this regard that in the event that the professional knows that information in his file is false or incomplete (for example in the event of a change of address of the customer who has not yet entered his new address) but no has not yet received feedback from his client in order to be able to update it, the professional will be able to put an entry in the file to this effect.
- Sanctions are also applicable in the event that professionals fail to fulfill their obligation to ensure complete confidentiality with regard to any access by the CSSF to the data file in accordance with Article 7. Sanctions are proportional to the circumstances relevant to paragraph 4. These penalties meet the requirements of Article 58, paragraph 1, of Directive (EU) 2015/849.
SYSTEM GOVERNANCE ASSIGNED TO THE CSSF
- Chapter 3 governs the creation of the central electronic data retrieval system by the CSSF.
- Article 7, paragraph 1, provides that the CSSF sets up a central electronic data retrieval system, allowing the identification, in good time, of any natural or legal person which holds or controls payment accounts or bank accounts identified by an IBAN number, within the meaning of Regulation (EU) No 260/2012, as well as safes kept by credit institutions established in Luxembourg.
- Paragraph 2 provides that the CSSF can access directly, immediately and without filtering the data entered in the data file created by professionals insofar as this is necessary to enable it to carry out its implementation and maintenance missions. management of the central electronic data retrieval system.
- This access must be done through a secure procedure. This article thus allows the CSSF to find the data it needs for the operation of the central electronic data retrieval system in each of the files created by professionals in order to consolidate them for the user who will have initiated the search according to the chapter. 4. These searches are carried out by the personnel designated for the creation and management of the central electronic data retrieval system within the CSSF. The central electronic data retrieval system must provide access in accordance with Chapter 4 to all data referred to in Article 2, paragraph 1.
- Therefore, for bank and payment accounts, not only the holders of a customer account, but also any person claiming to act on behalf of the customer. This is the counterpart of Article 2 which transposes Article 32a (3) of Directive (EU) 2015/849,
- Article 9 contains the provisions for data security.
- Paragraph 1 provides that the CSSF must ensure the security of data accessible through the central electronic data retrieval system by ensuring that only persons authorized
- To this end, the CSSF implements technical and organizational measures in accordance with high technological standards.
- Paragraph 2 more specifically provides for the data which must be recorded in a log concerning access and searches carried out by the persons referred to in Article 8, paragraph 1.
- Paragraph 3 provides for similar logging for authorized persons of national authorities or self-regulatory bodies.
Technical precisions are defined by the CSSF in the circular 20/747
Technical requirements are described in the CSSF Circular 20/747
- The CSSF circular 20/747 (hereinafter “The Circular”) aims to provide professionals as defined in article 1, point 6 of the law, with the necessary details for the establishment and operation in their IT systems, the technical infrastructure necessary to allow the efficient functioning, in the relationship between the CSSF and the professional, of the central electronic data retrieval system (hereinafter “the System”) set up and managed by the CSSF.
- The CSSF circular mentions that the System is required to be in place for the deadline of 10th September 2020 according the requirements set out in the article 67(1) of the EU Directive 2015/849 as amended by the EU Directive 2018/843,
- The Circular contains two appendix :
- Appendix 1 describes the technical procedures that professionals are called to strictly follow;
- Appendix 2 describes the structure of the data file expected by the CSSF;
- In order to set up the central electronic data retrieval system as defined in this circular, the trader must make available in his computer system, a data file to which the CSSF will access.
- CSSF Described approach :
- On a daily basis (Full file/week end included), the professional must set up in his Technical Infrastructure, the data files concerning any information relating to the data reporting scope according to the file format defined in Annex 2
- 2. The professional makes the file available and informs the CSSF of its availability using the API exposed by the CSSF;
- 3. The CSSF connects and downloads the file [Step 2: “Download registry” of the architecture diagram];
- 4.The CSSF sends professionals a “feedback” including the status of the downloaded file: accepted or rejected including the errors encountered. In the event of rejection, a corrected file must be made available to the CSSF. (cf. §4.2 “CSSF feedback / response”);
- 5. The professional is responsible for securing this file. He can for example delete it once the file has been downloaded by the CSSF.
- In order to identify himself with the CSSF and make his file available, the professional must implement a specific communication interface, called “Application Programming Interface” (“API”) based on https communication.
- The File will be exchanged will be a JSON file with the format is described in appendix 2 of the circular.
TARGET Solution to be implemented by Opexia
- The Solution will be composed with several solution components :
- 1- Extraction interface from the Core banking System : Opexia Teams will be in charge of identifying and working with the Institution IT team to collect missing data according the data reporting obligations related to the Law and according the CSSF 20/747.
- A deliverable will be produced and validated by the bank. The interface is producing a file that will be uploaded through sftp transfer to Opexia system.
- 2- Infrastructure set up to support the API components : Opexia team will install, set up and operate a proper execution infrastructure including continuity services to run the API programs according the CSSF Requirements;
- 3- API dedicated for the professional : Opexia team will set up and configure the API programs including the CSSF enrolment, certificates implementation and will handle the testing activities with the CSSF;
The OPEXIA Solution is including following scope :
For more information, Please contact us email@example.com