LUXEMBOURG Law and Practice Contributed by: Andreas Heinzmann, Valerio Scollo and Angela Permunian, GSK Stockmann
supervision. For example, in the area of anti-money laundering and countering the financing of terrorism (AML/CFT) supervision, the CSSF has the authority to issue warnings, reprimands, administrative fines and professional disqualification, and these sanctions may be made public. With regard to administrative fines, the CSSF has recently imposed a fine of EUR5 million on a Luxembourg bank due to non-compliance with the applicable AML/CFT legislation. The amount of the fine is proportional to the bank’s turnover. In addition to imposing administrative fines, the CSSF may also report cases to the prosecutor’s office regarding investment firms that claim to be established in Luxembourg and offer investment services without authorisation.

Otherwise, fintech companies may be subject to enforcement actions by the CNPD for non-compliance with the applicable data protection rules.

2.11 Implications of Additional, Non-Financial Services Regulations

Data Protection and Privacy

The GDPR together with the Luxembourg Law of 1 August 2018 regulate the processing of personal data, and such rules apply regardless of the industry sector or whether the relevant entity is a legacy player or a newly established start-up. In addition to the general rules governing the processing of personal data, the rules relating to privacy by design and privacy by default as well as automated decision-making and profiling may be relevant for fintech companies.

Cybersecurity

Management of risks relating to information and communication technologies (ICT) is an essential part of the necessary risk management by financial institutions. The CSSF has recently implemented the guidelines adopted by the EBA on ICT and security risk management, which need to be complied with by all entities authorised under the Financial Sector Law and the Payment Services Law. In addition, specific requirements apply to entities considered operators of essential services in accordance with Directive (EU) 2016/1148, as transposed into national legislation by the Law of 28 May 2019. Certain entities of the financial sector, such as banks, may need to take specific measures to manage security risks if their services are judged accordingly by the CSSF.

Following the adoption of DORA, all entities in scope must ensure that they can withstand ICT-related disruptions and threats. In particular, fintechs may need to adhere to strict standards to prevent and limit the impact of ICT-related incidents. DORA also provides an oversight framework on service providers (such as Big Techs) that provide cloud computing to financial institutions.

2.12 Review of Industry Participants by Parties Other Than Regulators

The activities of financial sector participants are mainly reviewed by the regulators; however, auditors are typically appointed by industry participants to review their business activities. Furthermore, certain regulated entities – eg, banks – must set up internal risk control, compliance and internal audit functions.

2.13 Conjunction of Unregulated and Regulated Products and Services

In principle, there is no general prohibition for regulated entities to combine regulated and unregulated products. However, in certain cases the regulator must be notified of such activities and may then assess the compatibility of these services and products in more detail. For example, in the case of services and products related to virtual assets, the CSSF has published FAQs outlining its position on the possibility of banks opening virtual asset accounts. According to the CSSF, banks may open accounts, similar to securities accounts, that allow customers to deposit virtual assets; however, they cannot open virtual asset bank accounts (eg, current accounts).

2.14 Impact of AML and Sanctions Rules

In accordance with the AML Law, which transposes, among others, Directive (EU) 2015/849 into national law, fintech companies that qualify as professionals under the AML Law are required to comply with several professional obligations.
518 CHAMBERS.COM