The Luxembourg ‘Central Register Law’ (Law of 25 March 2020 establishing a central data retrieval system for bank, payment accounts and safe-deposit boxes) implements certain provisions of EU Directive 2018/843 (the “5th AML Directive”) by establishing a central electronic data retrieval system (CEDRS). It enables the timely identification of any natural or legal person holding or controlling payment accounts, bank accounts identified by an IBAN and safe-deposit boxes in Luxembourg. The CSSF Circular 20/747, published on 23 July 2020, contains the technical arrangements related to the application of the Law of 25 March 2020.
The system to be set up requires each financial industry professional that is in scope of the Law to create a file on a daily basis containing the whole client data set as defined by the regulator. The CSSF, in its capacity of ‘Central Repository Supervisor’, will access said file by means of a secure procedure to be able to carry out queries on these data sets. The deadline to implement this setup is set for 10 September 2020, as pointed out by the CSSF Circular 20/747 (footnote 1 on page 2).
What does it imply for banks?
Each Luxembourg bank needs to make all required data available on a daily basis, in a system that is permanently available (24 hours a day, 7 days a week): IBAN number, account or safe-deposit box holder’s name, date of birth, nationality, ID document type, number and validity information for natural persons…, as well as additional information for legal entities, for every payment account and safe-deposit box held in its books. The data to be shared is defined by the CSSF and needs to be up to date, true and accurate.
Moreover, financial institutions need to transfer the above data to the regulator in a predefined format, following a specific protocol and in an API “pull” setup: the CSSF will retrieve the file containing the customer data sets through an API portal available on the bank’s side. To do so, banks will have to gather and centralise all required information on accounts and safe-deposit boxes, prepare a file in the expected format, build the required OpenAPI implementation for file retrieval by the CSSF, prepare the enrolment with the CSSF via a secured channel, plan the testing phase, handle errors, and keep the files up to date on a regular basis.
This is a paradigm change from the setups and implementations that Luxembourg banks currently use to transfer their reports to the regulator. Today’s workflows typically rely on a ‘push’ setup, where banks make use of approved third-party systems to hand in their reporting files. The CEDRS implementation in Luxembourg requires banks to allow the reporting file to be retrieved through an API infrastructure set up and maintained by the bank, or by a provider that implements and operates such a system on the bank’s behalf.
How can banks become compliant with CEDRS?
This is where the Luxembourg FinTech platform operator Finologee can help: with its CEDRS Module, the company provides a fully outsourced and compliant technical gateway that enables banks to share account and safe-deposit box holder data with the CSSF and meet the rather tight deadline of September 10th 2020 that the regulator has brought forward. Deployment is done strictly in accordance with CSSF Circular 20/747 specifications.
As the CEDRS Module is installed and runs on Finologee’s ‘Trusted Platform’ alongside the Finologee ‘PSD2 for Banks’ product (that is currently used by 35 financial institutions), existing clients will be able to benefit from a substantial economy of scale when choosing Finologee as their provider for CEDRS compliance. New clients can safely rely on the company’s significant experience in managing such implementations with its highly efficient processes, documentation and project management expertise. Finologee operates under a double Support PFS license by the Luxembourg regulator CSSF, which makes this kind of outsourcing structure a straightforward process for Luxembourg-regulated banks.
This proficient framework and the company’s in-house knowledge ensure an easy and custom implementation to fit each bank’s setup in terms of data management. Finologee is also able to supply an optional component that handles file validation, encryption and signature and that will be installed on the bank’s own infrastructure, so only encrypted data is transferred outside of the bank’s own systems. Finologee can also link the CEDRS Module with the KYC Manager product to aggregate data, or even to manage manual data entry or curation for client data sets that are only available on paper or on scanned documents, for instance.
Finologee’s CEDRS Module is the fast track to achieve account and safe-deposit box holder reporting compliance for Luxembourg-regulated entities.