Luxembourg financial supervisor turns to APIs for AML reporting
 
        By Anne-Sophie Morvan.
The article published a few weeks ago in Paperjam was clear: the Luxembourg financial supervisor becomes 4.0., “a real time supervisor”.1 In line therewith, the Commission de Surveillance du Secteur Financier (CSSF) has decided in its Circular n°20/7472 to impose, to certain supervised entities, the implementation of application programming interfaces (APIs) for AML reporting purposes. This choice is not trivial and raises the importance of implementing APIs for both supervised entities and regulators.
Reporting of IBAN accounts & safe deposit boxes
The above-mentioned Circular, adopted by the CSSF, is part of Luxembourg’s AML V3 implementation.
As per Article 1(19) of AML V:
“Member States shall put in place centralised automated mechanisms, such as central registries or central electronic data retrieval systems, which allow the identification, in a timely manner, of any natural or legal persons holding or controlling payment accounts and bank accounts identified by IBAN […] and safe-deposit boxes held by a credit institution within their territory”.
These centralised automated mechanisms shall be set up by Member States by 10 September 2020.4
In its Law of 25 March 20205, the Luxembourg legislator made the choice of implementing a central electronic data retrieval system involving a remarkable novelty: the choice of a “pull” system.
From “push” to “pull”
Until now, most (if not all) of the reporting obligations involved the transmission of a file by the supervised entity to the CSSF. Such a transmission can be seen as a “push” from a file to the CSSF. On the contrary, the system established by the Law of 25 March 2020 involves rather6 a “pull” system, implying that the CSSF has “at any time an automated access to the data included in the data file”.7
To implement this system, the CSSF imposes that the obliged entities:8
(i) Consume the CSSF API for enrolment purposes,
(ii) Consume the CSSF API for data file availability notification purposes, and
(iii) Publish its own API for (a) retrieval of the full data file by the CSSF and (b) reception of the CSSF feedback regarding the status of the data file.
Some may raise that this “pull” system is more complex to implement for both the supervised entities and the supervisor compared to the current standard reporting methods. This complexity is, however, counterbalanced by its benefits on the long run.
The use of APIs indeed enables both the obliged entities and the regulator to automate more easily the reporting process and create easier interactions with other applications. Even though it is not the case for the present reporting obligation, the CSSF could decide – for future obligations – that it would be sufficient for financial institutions to make APIs available to the CSSF through which the relevant data to be reported can be retrieved individually and on a need to know basis by the CSSF. This, however, would only be possible to the extent that such a method fulfils the requirements laid down but the European or Luxembourg legislator.
Such an approach would notably ease the processing of the reported data by the regulator. Currently, the CSSF and other supervisors receive a substantial amount of data that is difficult to analyse to as full an extent as possible. Adopting the “pull” system on a larger scale would solve this issue.
“According to the responses [to the Bafin report “Big data meets artificial intelligence”], analyses that are based on data that is gathered once or on a monthly/quarterly basis will increasingly lose relevance as the market becomes ever more dynamic. Supervisors should therefore seek to maintain real-time access to specific corporate data using application programming interfaces (APIs) and use this to conduct ongoing analyses, such as cash flow analyses, in order to identify new risks and business models at an early stage. Setting up APIs is also considered to be useful for a smooth exchange of data between different (supervisory) authorities. Making use of the interplay between APIs and BDAI would also allow supervisors to monitor outsourcing more effectively. This would mean that the relationships between the institutions involved could be taken into account in supervisory analyses automatically”.10
The benefits of implementing APIs for both supervisors and supervised entities are numerous, and the use of this technology will most probably soon become a must.
That being said, it is interesting to put this initiative of the CSSF in perspective with our neighboring countries
What about our neighbors?
As pointed out by the “Conseil d’Etat” in its commentaries, the Grand-Duchy of Luxembourg adopted a different approach than France and Belgium where a “push” system continues to be the rule.11
In France, an equivalent IBAN register as the one introduced by AML5 has actually already existed since 1982,12 under the name of “Ficoba”,13 (for purposes beyond the sole fight against money laundering)14 and has been lately updated to encompass additional information15. Obliged entities can transmit the information to the authority on an IT support, through a network or by way of sending a printed normalized form.16
In Belgium, a similar register as the French one (going beyond the sole AML purpose) called “Point de contact central des comptes et contrats financiers” has been introduced more recently, by way of a Law dated 8 July 201817. The data can solely be reported electronically18 by way of a channel defined by the National Bank of Belgium.19
Finally, Germany, already adopted a system in 2003 that is closer to the one chosen by the Luxembourgish legislator in the Law of 25 March 202020. Pursuant §24c (1) and (2) of the German Banking Act21, any credit institution shall have a file system containing certain data, which may be retrieved by the competent authority22. A difference with the Luxembourgish system, however, is that the credit institutions must keep the data file in a separate database to ensure the competent authority’s retrieval of information.23
Luxembourg, France, Belgium and Germany have – due to historical, social or economic reasons – technically implemented the same reporting obligation requirements differently. The choice of APIs for exchange of data by the Luxembourg regulator should nevertheless become the technical standard in Europe in order to ensure a smooth transition to a better and more effective reporting experience for both regulators and supervised entities.
Reference:
[1] Paperjam, Thierry Labro, CSSF 4.0, le régulateur en temps réel (Source : https://paperjam.lu/article/cssf-4-0-regulateur-en-temps-r, last consultation on 26 July 2020).
[2] CSSF Circular n°20/747 published on 23 July 2020 – Technical arrangements relating to the application of the Law of 25 March 2020 establishing a central electronic data retrieval system related to IBAN accounts and safe-deposit boxes held by credit institutions in Luxembourg.
[3] Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU.
[4] Article 1 (42) of AML V.
[5] Law of 25 March 2020 establishing a central electronic data retrieval system related to payment accounts and bank accounts identified by IBAN and safe-deposit boxes held by credit institutions in Luxembourg, available in English here: https://www.cssf.lu/wp-content/uploads/L_250320_data_retrieval.pdf (last consultation on 26 July 2020).
[6] Given the fact that the obliged entity has to notify the CSSF of the availability of the full data file every day, one may argue that the system implemented is not entirely a “pull” system but rather a hybrid system in between “pull” and “push”.
[7] Article 2(4), 2nd sentence of the Law of 25 March 2020.
[8] CSSF Circular n° 20/747, p. 8 – 10.
[9] For confidentiality reasons imposed by AMLV, the CSSF is retrieving the whole data file every day and not retrieving data individually on a need to know basis.
[10] Source : https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/BaFinPerspektiven/2019_01/bp_19-1_Beitrag_SR3_en.html (last consultation on 26 July 2020).
[11] Avis du Conseil d’Etat du 10 mars 2020, n°60.093: “ En structurant ainsi ce nouveau système sur l’accès direct et immédiat par la CSSF aux données des fichiers conservés par les professionnels, les auteurs du projet de loi ont choisi une solution originale qui se démarque de celle retenue en France1 ou en Belgique2, consistant en la mise en œuvre de la collecte des données sur la base des déclarations faites par les professionnels par l’intermédiaire d’un système centralisé.”
[12] Arrêté du 14 juin 1982 relatif à l’extension d’un système automatisé de gestion du fichier des comptes bancaires.
[13] Fichier national des comptes bancaires et assimilés.
[14] Article 4 de l’Arrêté du 14 juin 1982.
[15] Arrêté du 24 avril 2020 portant modification des articles 164 FB et suivants de l’annexe IV du code général des impôts, which provisions will enter into application on 1 September 2020. For more information, the French Direction Générale des Finances Publiques has published additional guidance: https://www.impots.gouv.fr/portail/banques (last consultation on 6 August 2020).
[16] Article 164 FF, Code général des impôts, annexe 4: “Il est satisfait aux obligations résultant des articles 164 FB à 164 FE par la communication des informations sur un support informatique ou par réseau ou par l’envoi des imprimés normalisés.” This provision has not been amended by the above mentioned Arrêté du 24 avril 2020.
[17] Loi du 8 juillet 2018 portant organisation d’un point de contact central des comptes et contrats financiers et portant extension de l’accès au fichier central des avis de saisie, de délégation, de cession, de règlement collectif de dettes et de protêt (“ Loi du 8 juillet 2018”).
[18] Art. 5 §1er de la Loi du 8 juillet 2018.
[19] Source: https://finances.belgium.be/sites/default/files/20200423%20-%20PCC%20-%20Info%20pour%20les%20redevables%20d%27information%20%20-%20FR.pdf (last consultation on 6 August 2020).
[20] Source: https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Merkblatt/mb_050221_kontenabruf.html (last consultation on 6 August 2020).
[21] Gesetz über das Kreditwesen (Kreditwesengesetz – KWG).
[22] § 24c (2) KWG: „Die Bundesanstalt darf einzelne Daten aus dem Dateisystem nach Absatz 1 Satz 1 abrufen, soweit dies zur Erfüllung ihrer aufsichtlichen Aufgaben nach diesem Gesetz oder dem Geldwäschegesetz, insbesondere im Hinblick auf unerlaubte Bankgeschäfte oder Finanzdienstleistungen oder den Missbrauch der Institute durch Geldwäsche, Terrorismusfinanzierung oder sonstige strafbare Handlungen, die zu einer Gefährdung des Vermögens der Institute führen können, erforderlich ist und besondere Eilbedürftigkeit im Einzelfall vorliegt. Die Zentralstelle für Finanztransaktionsuntersuchungen darf zur Erfüllung ihrer Aufgaben nach dem Geldwäschegesetz gleichermaßen einzelne Daten aus dem Dateisystem nach Absatz 1 Satz 1 abrufen“. § 93b (2) Abgabenordnung: „Das Bundeszentralamt für Steuern darf in den Fällen des § 93 Absatz 7 und 8 auf Ersuchen bei den Kreditinstituten einzelne Daten aus den nach den Absätzen 1 und 1a zu führenden Dateisystemen im automatisierten Verfahren abrufen und sie an den Ersuchenden übermitteln“.
[23] „Die Kreditinstitute speichern die Stammdaten in einer separaten Datenbank, so dass diese ohne Kenntnis des Kreditinstituts abgerufen werden können“. (Source: https://www.bzst.de/DE/Behoerden/Kontenabruf/kontenabruf_node.html#js-toc-entry1, last consultation on 6 August 2020).