AML KYC Compliance: Practical challenges to the auditors


This blog provides some insights into the guidelines issued by the Luxembourg Institute of Statutory Auditors (Institut des réviseurs d’entreprises – IRE) on compliance with the Luxembourg Law of 12 November 2004 concerning the fight against money laundering and terrorist financing (the “AML Law”).

  1. Auditors are allowed to rely on professional third parties (e.g. accounting firms of the audit clients) for compliance with the customer due diligence requirements and record-keeping requirements. However, this can be done only under certain strict conditions, which include:
  • the need to have a properly established contract between the two parties;
  • the professional third parties must be able to provide “immediately” copies of documents, which include:
    • the identification of the clients;
    • the identification of the ultimate beneficial owner(s) (the “UBO”). By UBO, we mean the natural person(s) who ultimately own the entity which is a client of the auditor;
    • the object and the nature of the professional relationship;
  • the professional third parties are also subject to the same or equivalent AML Law;
  • the professional third parties are not based in “high-risk” countries.

The practical challenge here for the auditors is the ability to obtain the required documentation “immediately”. This is a requirement of the AML Law which has to be tried and tested regularly.

  • Concerning the need to document work done, it is important that the auditors keep all relevant documentary evidence of the work they carry out. The guideline is very clear on this point: it applies the principle of “work not documented is work not done”.
  • Concerning the need to systematically obtain a copy of the UBO declaration, it is the obligation of the auditors to ensure that they identify and verify the identity of the UBO(s) using independent and reliable sources, and that they understand “who is who” in complex, multi-layered group structures. Not having a UBO declaration per se is not necessarily non-compliance if the auditors manage to obtain information identifying the UBO from other independent and reliable sources. This includes obtaining information from the Luxembourg National Register of Beneficial Owners.
  • Concerning the need for the auditors to subscribe to a database to check the identity of the clients, their agents or the UBOs, there is no legal obligation to do so. However, a simple check on the internet is not considered sufficient. Furthermore, the auditors are professionally obliged to be up to date on all the UN Security Council and EU resolutions concerning decisions made in relation to certain people, groups and entities in the fight against money laundering and terrorist financing. Hence the auditors are required to demonstrate that they have acquired adequate knowledge of their clients, their activities and their risk profiles on the basis of properly and reliably documented information.
  • Concerning the need to carry out parallel reporting to the Luxembourg regulator, the CSSF (Commission de Surveillance du Secteur Financier), on suspicions of money laundering, the auditors are not obliged to do so since they are already obliged to report to the Luxembourg Financial Unit (“FIU”).

The above guidelines are not intended to be an exhaustive list but are intended to provide some of the key and recurrent practical challenges faced by the auditors.

Jimmy Tong Sam, Managing Partner from Auren Luxembourg