LUXEMBOURG Law and Practice Contributed by: Claudia Hoffmann, Daniel Krauspenhaar, Stefanie Samosny and Sascha Wiemann, Luther
4.13 Anticipated Changes for Investors

The EU recently adopted a comprehensive reform of its AML/CTF framework, with the aim of strengthening this framework, creating an EU-wide AML/CTF playing field and encouraging intensified supervisory convergence and co-operation among EU AML/CTF authorities. Key developments include the following.

• Establishment of an authority for AML/CTF (AMLA): its creation aims at ensuring the efficient and adequate supervision of high-risk obliged entities with regard to AML/CTF, strengthening common supervisory approaches for all other obliged entities, and facilitating joint analyses and co-operation between Financial Intelligence Units (FIUs).
• A sixth anti-money laundering directive (AMLD VI): AMLD VI sets out rules on the organisation of national AML/CTF systems, clarifies the powers and co-operation of FIUs and supervisors, and strengthens cross-border collaboration.
• A single EU AML/CTF rulebook (AMLR): by replacing the Directive-based system with directly applicable regulations, the AMLR ensures that AML/CTF measures are uniformly enforced across the EU, eliminating disparities and strengthening the internal market’s integrity.
on the organisation of the National Data Protection Commission (NDPC). Investor data collected during onboarding, AML/KYC checks, communications and ongoing reporting must be processed lawfully, fairly and transparently, with investors being informed of the purposes and legal basis for processing, as well as their rights.

In addition, the CSSF has issued guidance relevant to managers and AIFs on cybersecurity, IT risk management and outsourcing. Managers are required to establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question, including through encryption or other protective measures. Circular CSSF 17/654 (as amended) specifically governs IT outsourcing, requiring due diligence, contractual safeguards and ongoing monitoring of service providers.

Personal data breaches that may affect investors must be reported to the NDPC and, where relevant, to investors themselves. Transfers of personal data outside the EU are only permitted if adequate safeguards are in place.