Annual submissions to the CSSF
In relation to the annual descriptive report (DR) comprising the administrative and accounting organisation, internal control system, IT infrastructure and financial sector activities provided by support PFS, Circular 24/850 introduces a simplified format, by abolishing several fields included in the preceding DR template provided for under the repealed Circular 12/544 (description of shareholders, periodic reports to be communicated, analysis of annual accounts, professional obligations as regards the prevention of money laundering and terrorist financing and the rules of conduct, etc.).
Nonetheless, the summary of documents expected in the context of the DR pursuant to the repealed Circular 19/727 is expanded so as to also include:
- additional details indicated on the internal organisation chart (names of directors and managers, all departments and functions, people inside the relevant support PFS responsible for outsourced functions (if any), colour-coded hierarchical and functional lines, etc.);
- the capital links between the entities in the group of the support PFS;
- a table including recommendations made by internal audit in the context of their internal control; and
- the details of the “person in charge of the control of compliance with the professional obligations” (responsable du contrôle) and the “person responsible for compliance” (responsable du respect) pursuant to the CSSF Regulation No 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing, as amended (CSSF Regulation 12-02).
The DR and supporting documents must be transmitted to the CSSF in electronic format (via the CSSF’s MFT system); documents with handwritten signatures must also be submitted in paper format.
The CSSF has also issued templates to be used for various references included in the revised summary of expected documents (table of recommendations of the internal audit, summary table of information systems for internal use, and summary table for information systems for external use). The DR must be submitted to the CSSF within seven (7) months as of the closure of the support PFS’ financial year, in electronic format, and in two (2) versions: a final “clean” version and a “track changes” version (including all changes made compared to the previous financial year).
Circular 24/850 replaces the risk assessment report obligation imposed under Circular 12/544 with a requirement for self-assessment questionnaire (SAQ) to be completed by support PFS and submitted to the CSSF within seven (7) months as of the closure of the financial year, for each year or period subject to statutory audit evaluating certain risks and compliance with the legal and regulatory requirements.
The SAQ comprises four (4) sections (ICT-related aspects, operational aspects, transversal aspects (except “AML/CFT”), anti-money laundering (AML) and counter-terrorist financing (CFT) aspects), all or some of which are allocated to the support PFS, according to the type of authorisation held by the latter and risk classification thereof (low-, medium-, high-risk). The model SAQ, including the questions to be answered by each type of support PFS, depending on the risk category assigned to it by the CSSF, is available on the CSSF’s website.
The CSSF reserves the right, depending on the activities performed, to request a particular support PFS to complete additional SAQ sections, on an exceptional basis, or contrarily to exempt it from providing them. Such request shall be transmitted to the concerned support PFS at the latest at the closing of the relevant financial year (and for the first year of application, at the latest by 19 February 2024).
The SAQ must be submitted to the CSSF electronically (via MFT) both in original format and in PDF format, electronically signed by at least two (2) persons responsible for the support PFS (or where it includes their handwritten signature, it should be submitted via mail).
Engagement of REAs
Annual audit report and ad hoc reporting
The results of the statutory audit performed by the REAs shall be presented in a written audit report including an audit opinion (Art. 35 of Law of 23 July 2016 concerning the audit profession, as amended (2016 Law)).
Notwithstanding the above audit report, REAs are subject to ongoing reporting obligations towards the CSSF pursuant to the LFS (Art. 54(3)), on an ad hoc basis, by way of spontaneous written or oral communication, in cases of (indicatively) major conflicts within the management bodies of the support PFS, unexpected departures of key function holders, major financial difficulties in a branch or subsidiary, major IT incidents, important legal disputes, etc.
Circular 24/850 introduces the requirement for a management letter (ML) to be drawn up by the REAs for each year or period subject to statutory audit, to the attention of the persons responsible for the management of the support PFS. The ML should include, in accordance with the applicable auditing standards (Art. 33 of 2016 Law):
- the weaknesses and points needing improvement by the support PFS, as observed during the statutory audit procedures, which are deemed to be of sufficient importance to be brought to the attention of the management;
- recommendations on the above weaknesses and points in the template format provided for by the CSSF; and
- a follow-up on the weaknesses and points needing improvement raised in previous MLs but which have not been remedied by way of appropriate measures.
As regards every weakness and point identified under item (a) above, REAs should incorporate in the ML comments from the management, including a detailed explanation of the reasons and circumstances relating to the occurrence thereof and the measures taken or decided in order to remedy the relevant weakness / point and prevent it from arising in the future.
Where no particular point has been identified, the ML shall be replaced by a certificate of non-issuance of an ML, procured by the REAs.
The ML is submitted to the CSSF within seven (7) months as of the closure of the support PFS’ financial year, electronically (via MFT) in original and PDF format, digitally signed by the partner in charge of the REA or via mail (where it includes his/her handwritten signature). The mandatory recommendations table to be used in the ML is available on the CSSF’s website.
In addition to the above, Circular 24/850 also imposes an obligation for REAs to complete a separate report (SR) for each year or period for which a SAQ has been completed by the support PFS, so as to ensure the accuracy of the information provided by the latter in said SAQ and provide answers to questions raised by the CSSF.
The SR comprises the results of a set of procedures (i.e., sample testing or verifications), pertaining to the same aspects reported under the SAQ and vary depending on the type of support PFS and risk classification thereof; in particular, REAs of client communication agents (Art. 29-1 LFS) and administrative agents (Art. 29-2 LFS) must perform procedures relating to operational aspects, transversal aspects and AML/CFT aspects, whereas the REAs of other types of support PFS have to perform procedures according to a detailed rotation plan set by the CSSF. The SR is submitted by the REAs to the concerned support PFS which is entitled to add its own comments on the REAs’ observations.
Who is in scope?
The new requirements introduced by Circular 24/850 apply to support PFS authorised under Articles 29-1 to 29-6 of the LFS, therefore including:
- client communication agents;
- administrative agents of the financial sector;
- IT systems and communication networks operators of the financial sector;
- dematerialisation service providers of the financial sector; and
- conservation service providers of the financial sector.
As the new rules apply for the financial year closing on 31 December 2023, in-scope PFS should ensure they update their DR in accordance with the new requirements and fill out the SAQ prior to the submission deadline (July 2024).