Financial Sector Professionals Face Tighter Data Retention and Security Measures
Luxembourg, March 8, 2019
In a bid to combat money laundering and terrorist financing, financial sector professionals in Luxembourg are being tasked with stricter data retention and security measures.
Stricter Data Retention Requirements
According to Article 3(6) of the Law on the fight against money laundering and terrorist financing, professionals must collect and retain:
- Screenshots of customer conversations
- Audio records of customer conversations
These records must be stored for at least five years after a transaction or the end of the business relationship. They can be stored on any medium, as long as they meet the conditions for use as evidence in an analysis by anti-money laundering (AML) authorities.
Enhanced Security Measures
Security measures must be implemented to protect access to stored data and ensure the principle of “least privilege” is respected:
- Only authorized personnel should have access to customer data
- Data should not be shared unnecessarily
The Luxembourg Financial Sector Commission (CSSF) has emphasized the importance of encryption when storing customer data, as recommended in its 2013 Annual Report.
Evaluation of External Providers
External providers of video identification tools must ensure that:
- Data is stored securely
- Only authorized personnel have access to data
Financial sector professionals are also required to evaluate the security measures put in place by external providers, including video conference systems, to prevent fake websites or mobile applications (phishing) from being used to compromise customer data.
Role of CSSF
The CSSF has clarified its role in supervising compliance with AML regulations:
- It will verify the application of tools and systems by financial sector professionals
- However, it does not provide certification for these tools or systems
Relevant Information
Financial sector professionals are advised to carefully review their data retention and security measures to ensure compliance with the new regulations. The CSSF can provide guidance and support to help entities meet these requirements.
Contact:
Commission de Surveillance du Secteur Financier (CSSF)
283, route d’Arlon
L-2991 Luxembourg
(+352) 26 25 1 - 1
direction@cssf.lu
www.cssf.lu