De-risking Practices and ML/FT Risk Management

The CSSF has been approached by individuals and legal entities regarding difficulties in opening bank accounts in Luxembourg. In this context, the CSSF has been informed that some credit institutions attribute these difficulties to burdensome legal requirements relating to the prevention of money laundering/financing of terrorism ("ML/FT") and to their understanding of the CSSF's expectations regarding ML/FT risk exposure of supervised entities.

Against this backdrop, the CSSF wishes to clarify that it expects professionals to manage ML/FT risks effectively, which does however not mean that such risk shall be avoided. To manage their ML/FT exposure, supervised entities shall develop a proper understanding of the ML/FT risks to which they may be exposed in the conduct of their business and implement an appropriate and effective internal framework for the identification and mitigation of such risks.

The guidance issued by different stakeholders is intended to raise awareness and supports professionals in designing and implementing appropriate internal control frameworks. It shall not however be interpreted as a prohibition of entering into higher-risk business relationships. The existence of a higher level of ML/FT risk exposure does not as such justify a refusal to establish or maintain a business relationship. Thus, supervised entities may not generally ban or exclude entire categories of clients, products or services other than those expressively provided for by applicable laws and regulations, such as the Law of 12 November 2004 on the fight against money laundering and terrorist financing and CSSF Regulation No 12-02 of 14 December 2012. However, this does not preclude any decision by professionals to redefine their business line and to stop offering services or products to a dedicated category of clients as further set out in point 2 below.

As reflected in Circular CSSF 21/782 and further reinforced by Circular CSSF 23/842 and Circular CSSF 25/878, which integrate the latest amendments to the guidelines of the European Banking Authority ("EBA") on ML/FT risk factors (EBA/GL/2021/02 and EBA/GL/2024/01), professionals shall apply a nuanced and well-informed assessment of customer risk profiles. Financial inclusion and sound ML/FT risk management are not mutually exclusive and should be pursued in a balanced and proportionate manner, as also recommended in the FATF's Guidance on Financial Inclusion promoting greater recognition of a risk-sensitive approach to implementing AML/CFT measures. This approach allows professionals to apply "simplified due diligence" to low-risk populations instead of rigid, traditional identification requirements.

As a general principle, the CSSF does not intervene in business models or commercial decisions of the professionals of the financial sector. Only in exceptional circumstances, when professionals have not taken the appropriate ML/FT risk management actions, the CSSF enjoins the professionals to adopt a "de-risking" approach as the ML/FT risk is deemed as no longer manageable. However, professionals must not confuse said (rare) CSSF-imposed "de-risking" with an "exit strategy" implemented in order to remain profitable.

Accordingly, decisions relating to the acceptance or refusal of clients remain the sole responsibility of each institution and the CSSF may not issue opinions on individual onboarding decisions. In this context and considering the increase of compliance costs and the growing complexity of ML/FT risks, professionals may decide that some categories of higher ML/FT risk customers are no longer profitable for them. However, this then is a strategic business decision, to be distinguished from decisions driven by cases of non-compliance with laws and regulations.

The CSSF recalls that the identification and mitigation by professionals of ML/FT risks also requires an active cooperation of the potential client with the professional. Difficulties in opening a bank account may arise when potential clients are unable to provide adequate documentation, including information on the origin of funds, or refuse to provide information.

In this context, it is important that clients understand that financial institutions are subject to strict legal obligations and that cooperation in providing accurate and complete information is essential to enable professionals to fulfil their obligations.

Should a client present specific or high-risk characteristics or face practical difficulties in providing standard documentation, professionals are encouraged to assess whether alternative and proportionate measures may be implemented to establish or maintain existing business relationships in accordance with the updated EBA guidelines (EBA/GL/2023/03) and Circular CSSF 23/842.

In order to address unwarranted de-risking, Article 21(4) of AMLR¹ mandates the EBA and EU Anti-Money Laundering Authority ("AMLA") to issue, by July 2027, joint guidelines on the measures that may be taken to ensure compliance with AML/CFT rules, including in relation to business relationships that are most affected by de-risking practices.