Reminder of professional obligations – Law of 25 March 2020, as amended, establishing a central electronic data retrieval system related to payment accounts and bank accounts identified by IBAN and safe-deposit boxes held by credit institutions in Luxembourg (“Central System” or “CRBA”)

To the professionals referred to under point (6) of Article 1 of the Law of 25 March 2020 establishing a central electronic data retrieval system related to IBAN accounts and safe-deposit boxes, as amended

Ladies and Gentlemen,

This communiqué refers to the professional obligations laid down in the Law of 25 March 2020 establishing a central electronic data retrieval system related to payment accounts and bank accounts identified by IBAN and safe-deposit boxes held by credit institutions in Luxembourg, as amended (the “Law”).

In accordance with Article 2 of the Law, the professionals are required to put in place a data file which allows the identification of any natural or legal person holding or controlling, within these professionals, payment accounts or bank accounts identified by IBAN, as defined under point (15) of Article 2 of Regulation (EU) No 260/2012, or safe-deposit boxes (the “File”).

In order to meet the objectives of the Law and of the CRBA and to ensure that the identification of any natural or legal person as mentioned above may be performed, the professionals must comply with the File structure and the details of the data that must be included when making the File available, in accordance with Article 2(4) of the Law and as specified, in particular, in Circular CSSF 20/747 on the technical modalities relating to the application of the Law, as amended (the “Circular”).

The CSSF draws the professionals’ attention to Annexes 1 and 2 of the Circular which describe the technical modalities that professionals must strictly follow and the structure of the File to be submitted to the CSSF. Complying with the structure and mandatory information is essential to ensure a proper transmission of the File data into the Central System, i.e. the CRBA.

Thus, any non-compliance with the technical specifications set out in the above-mentioned Annexes has direct consequences as regards:

the reliability of the CRBA which depends, like any central register, on the quality of the data entered into the CRBA;
the accuracy of the data transmitted by the CSSF to the national authorities and self-regulatory bodies that have access to the CRBA in accordance with the terms laid down in the Law; and
the accuracy of the data retrieved by the national authorities, among which the Financial Intelligence Unit, that have a direct, immediate and unfiltered access to the CRBA, in accordance with the provisions of the Law.

Consequently, any inconsistency when making the File available may affect the objectives set by the Law, and, in particular, hinder the correct and full identification of the accounts and safe-deposit boxes by all the authorities and self-regulatory bodies that have access to the CRBA data within the scope of their respective missions. Deficiencies in the implementation of the File are thus not acceptable and must be addressed promptly.

As manager of the CRBA, the CSSF continuously followed up with the professionals when the CRBA was set up, in particular by offering technical and legal assistance and by publishing (i) information in the form of “Questions & Answers”, (ii) communications via MFT and (iii) other specific publications whose purpose was to clarify and improve the structure of the File and its input into the CRBA.

More specifically, in addition to the reminder above, the CSSF would like to draw the attention of the professionals, through this communiqué, to several examples of deficiencies identified by the CSSF and other users accessing the CRBA’s data and which will have to be taken into account by the professional when performing the review of their compliance with their obligations on this subject.

Examples of deficiencies identified

Among the deficiencies identified, the following examples should be mentioned:

reversal of surname and name in the File fields, due to an erroneous understanding of the words “surname” and “name” in English, while Annex 2 of the Circular specifies “surname” as “nom – Familienname – last name” and “name” as “prénom – Name – first name”;
erroneous understanding of the difference between legal name and name of a legal person (the Circular requests to provide the “legalName” as well as the “name”, the latter being defined as the “Usual business name”);
missing mandatory information (i.e., empty fields) or input of non-relevant information in the fields “surname” or “name” (for example, use of spaces or single letters like A. instead of Alfred as first name);
size of the File differing significantly from one day to the other, indicating a repeated problem of non-transmission of all daily data, unless a significant number of account closures could explain such variations;
failure to comply with the correct date format (for example, month and day are reversed);
where one person has several surnames/names, the professional did not correctly separate these surnames/names with a comma as set out in the Circular;
errors identified in the roles of the persons indicated in the File, i.e. persons having been reported as account holders whereas they are only beneficial owners or representatives and vice versa;
accounts reported as active accounts although already closed, etc.

Among the main sources of errors leading to such deficiencies, the following may be mentioned:

poor client data quality, i.a. incorrectly filled-in data not complying with the exact methodology set out in Annex 2 of the Circular; incomplete data due to missing information; incorrect data as not updated following a change in the data of the client, its beneficial owner and, where applicable, the representative of the account within the set deadlines; configuration not complying with the methodology set out in the Circular and its annexes;
missing controls, notably by 2nd and 3rd lines of defence, of both the quality of client data and the files transmitted in relation to the CRBA. For example, missing assessment, by the internal control function, of the reconciliation between the data held by the professional and the data input into the File, or missing integration of the review of the professional’s compliance obligations resulting from the Law in the internal audit function’s work.

Name	Description	Duration
cssf_cookies	Saves information regarding the user's consent to the use of cookies for each optional category.	1 year
ROUTEID	Technical cookie allowing load distribution.	Deleted when the browsing session ends
TBMCookie*	Security: This cookies protects the website against automated attacks.	Deleted when the browsing session ends
__utmvc	These first party cookies are set by a third party service to filter out malicious requests.	Deleted when the browsing session ends
__utmvm*	These first party cookies are set by a third party service to filter out malicious requests.	15 minutes

Name	Description	Duration
cssf_profile	This cookie adapts the website pages to the profile chosen by the visitor (professionals, markets, consumers).	1 year
pll_language	This cookie saves the user’s language choice.	1 year

Name	Description	Duration
_pk_id.#	Collects anonymous statistical data on the website consultations, such as the number of visits or the average time spent on the website. The data is processed in-house and is not shared with a third party.	1 year
_pk_ses.#	Collects anonymous statistical data for the tracking of the pages consulted during the browsing session. The data is processed in-house and is not shared with a third party.	30 minutes