CSSF AML/CFT Conference 2025 dedicated to investment firms
The Investment Firms Supervision Division of the Commission de Surveillance du Secteur Financier (CSSF) recently hosted its annual AML/CFT conference at the Luxembourg Chamber of Commerce. In cooperation with the Luxembourg Financial Intelligence Unit (CRF), the event provided valuable insights into a variety of topics - including findings and lessons learned from recent on-site examinations in the area of anti-money laundering and counter-terrorist financing.
The CSSF's audit plan for investment firms in the context of AML/CFT on-site inspections was divided into the following areas:
- Risk assessment / risk appetite
- Risk-based approach
- Customer due diligence obligations
- Ongoing transaction monitoring
- Ongoing name matching
- Cooperation with authorities
- Appropriate internal organization and governance
The results of the CSSF audits show that many investment firms do not pay the necessary attention to AML/CFT. Weaknesses were identified particularly in the area of governance, which illustrates how important a strong compliance culture is for effectively preventing money laundering and terrorist financing.
According to CSSF data, 23% of investment firms have not separated the roles of "Responsable du respect des obligations (RR)" and "Responsable du contrôle du respect des obligations (RC)". While the RR is responsible for compliance with AML/CFT requirements at management level, the RC is responsible for operational implementation and monitoring.
During the on-site inspections, the CSSF identified numerous deficiencies. The following examples show typical weaknesses:
Risk-based approach:
An effective risk-based approach requires a sound methodology for assessing customer and country risks. However, there are considerable deficits here in many investment companies. Often, enhanced due diligence (EDD) is not applied to clients related to high-risk countries and the risk posed by legal representatives is not sufficiently considered. Country risk assessments are also often inadequate, as they do not include key references such as the EU Delegated Regulation on high-risk countries or the risk factors from Annex IV of the AML/CFT Act. In addition, there is often a lack of information to assess whether a customer is eligible for simplified due diligence (SDD) - which impairs the effectiveness of the overall risk-based approach.
Customer due diligence obligations:
The implementation of customer due diligence obligations often suffers from insufficient information or a lack of verification of the origin of assets. As a result, risks in connection with tax offenses cannot be reliably ruled out. In many cases, the documentation is incomplete. There are also deficits in the identification of beneficial owners of legal entities - for example, by failing to obtain extracts from the Transparency Register (RBE). Another frequent problem is the infrequent updating of customer data, which means that changes in the risk profile are not recognized in good time.
At CURENTIS, we are an experienced consulting firm that supports banks, investment firms and other obliged entities subject to the requirements of the Luxembourg Anti-Money Laundering Act. With our in-depth regulatory expertise and a hands-on approach, we help our clients to build effective compliance structures and continuously optimize their AML/CFT processes. We are also a reliable partner when it comes to preparing for CSSF audits - with tailored support to meet the regulatory requirements appropriately.