Global asset management quarterly - Europe

In 2012, as a result of scandals, the then CEO of the FCA, Martin Wheatley, was asked to conduct a review into the London Interbank Offered Rate (Libor). The resulting report, the ‘Wheatley Review’, recommended criminal sanctions for benchmark manipulation, and a program of reform, rather than replacement, for Libor (including its transfer to a new administrator, improvements in the methodology for calculating the benchmark, and that administration of and submission to Libor be made regulated activities under the Financial Services and Markets Act 2000).

Libor’s administrator and its 20 panel banks became regulated for benchmark activities on 1 April 2013. In April 2015 the list of regulated benchmarks in the UK was enlarged to include seven other major benchmarks – LBMA Gold Price, and LBMA Silver Price, the ICE Swap Rate, SONIA, RONIA, the WM/Reuters London 4pm Closing Spot Rate and the ICE Brent Index.

The administrators of these benchmarks are subject to FCA rules that require them to put in place appropriate governance arrangements (including the formation of an oversight committee) to have effective controls to ensure the integrity of input data and to keep adequate records. Benchmark submitters are subject to similar requirements to ensure that they manage any conflicts of interest and are subject to an annual audit. Both administrators and submitters need to have a named individual responsible for compliance with these rules.

While work was being undertaken in the UK, the International Organisation of Securities Commissions (IOSCO) developed global Principles for Financial Benchmarks, published in July 2013. These principles created a common cross-jurisdictional framework for good market practice and have been widely adopted as industry standards. They impress upon administrators the need for strong governance, robust benchmark design, transparent methodologies and clear accountability.

On 29 June 2016, Regulation (EU) 2016/1011 on indices used as benchmarks in financial instruments and financial contracts or to measure the performance of investment funds (the Benchmarks Regulation) was published in the Official Journal of the EU. It entered into force on 30 June 2016. The Benchmarks Regulation generally applies from 1 January 2018 subject to certain transitional provisions (see below). The Benchmarks Regulation, being directly applicable in Member States, will supersede the UK’s existing requirements.

Article 3(3) of the Benchmarks Regulation sets out the definition of “benchmark”. The definition does not hinge on what the benchmark references, but how it is used:

“’benchmark’ means any index by reference to which the amount payable under a financial instrument or a financial contract, or the value of a financial instrument, is determined, or an index that is used to measure the performance of an investment fund with the purpose of tracking the return of such index or of defining the asset allocation of a portfolio or of computing the performance fees.”

Article 3(1) of the Benchmarks Regulation defines an “index” as meaning any figure

• that is published or made available to the public; and
• that is regularly determined:
  • (i) entirely or partially by the application of a formula or any other method of calculation, or by an assessment; and
  • (ii) on the basis of the value of one or more underlying assets or prices, including estimated prices, actual or estimated interest rates, quotes and committed quotes or other values or surveys;

A Commission Delegated Regulation sets out further guidance as to the meaning of “published or made available to the public” (Commission Delegated Regulation of 29 September 2017 supplementing Regulation (EU) 2016/1011 of the European Parliament and of the Council specifying technical elements of the definitions laid down in paragraph 1 of Article 3 of the Regulation).

Article 2 of the Benchmarks Regulation sets out certain exemptions to the definition of benchmark. Benchmarks provided by central banks or other authorities for public policy purposes are excluded. Also, benchmarks that reference a price of a single financial instrument (such as the price of a specific share) are not in scope¹. Standard variable rates offered by credit institutions will not be considered benchmarks when used in mortgage or consumer credit contracts.

Applying the principle of proportionality, the Benchmarks Regulation classifies benchmarks as ‘critical’, ‘significant’ and ‘non-significant’, and the nature and degree of the requirements under it will be determined by these classifications. A benchmark is deemed to be either ‘critical’ or ‘significant’ where it satisfies the conditions set out in Articles 20(1) or 24(1) of the Benchmarks Regulation². A ‘non-significant’ benchmark is one that meets the definition of ‘benchmark’ but does not satisfy the conditions to be either a critical or significant benchmark (Article 3(27) of the Benchmarks Regulation)³. The Benchmarks Regulation also contains requirements for different types of benchmark: regulated-data benchmarks (Article 17), interest rate benchmarks (Article 18) and commodity benchmarks (Article 19).

The primary impact of the Benchmarks Regulation will be on benchmark administrators, as it introduces a requirement for their prior-authorisation/registration (Article 34) and ongoing supervision (Articles 4 to 14 and 27 to 28). Where an administrator has been authorised its details shall be placed on a public register maintained by the European Securities and Markets Authority (ESMA) (Article 36 of the Benchmarks Regulation). ESMA will start publishing this register as from 1 January 2018. The ongoing requirements, like the IOSCO Principles, cover governance and accountability as well as the design and methodology of any benchmarks provided.

The Benchmarks Regulation also introduces a code of conduct for contributors of input data requiring the use of robust methodologies and sufficient and reliable data (Article 15 of the Benchmarks Regulation). It also sets out governance and control requirements for contributors (Article 16 of the Benchmarks Regulation).

The Benchmark Regulation also impacts users of benchmarks who are already 'supervised entities' (defined in Article 3(17) of the Benchmarks Regulation). This includes alternative investment fund managers (AIFMs), undertakings for collective investment in transferable securities (UCITS) management companies (and self-managed UCITS), MiFID II investment firms and credit institutions as defined by the Capital Requirements Regulation.

Supervised entities will need to consider carefully whether they ‘use’ a benchmark. Article 3(7) of the Benchmarks Regulation defines ‘use of a benchmark’ as:

• issuance of a financial instrument which references an index or a combination of indices;
• determination of the amount payable under a financial instrument or a financial contract by referencing an index or a combination of indices;
• being a party to a financial contract which references an index or a combination of indices;
• providing a borrowing rate as defined in point (j) of Article 3 of Directive 2008/48/EC calculated as a spread or mark-up over an index or a combination of indices and that is solely used as a reference in a financial contract to which the creditor is a party; and
• measuring the performance of an investment fund through an index or a combination of indices for the purpose of tracking the return of such index or combination of indices, of defining the asset allocation of a portfolio, or of computing the performance fees;

Asset managers represent an important group of benchmark users, either in the case of passive managed funds and exchanged traded funds – where benchmarks are used as a target for index linked funds – or in the case of the evaluation of an active manager’s performance – where the fund performance is measured against a selected index or a set of indices. Asset managers as benchmark users are generally not involved in the production, calculation and contribution to data on which benchmarks are based⁴.

Where a fund uses a benchmark to measure its performance for the purpose of either tracking the return of the benchmark or defining the asset allocation of the portfolio or computing performance fees payable by it, such use will fall within the scope of the Benchmarks Regulation (Article 3(7)(e) of the Benchmarks Regulation)⁵.

Also, a fund will be considered to use a benchmark where it enters into a derivative contract (the underlying of which is a benchmark) which is traded on a trading venue unless the terms of that contract are set by:

• the trading venue on which the derivative is being traded;
• the counterparty where that counterparty is an investment firm acting as a systematic internaliser;
• the central counterparty clearing the relevant trade⁶;

The Benchmarks Regulation provides that:

• supervised entities may only use benchmarks that are provided by an EU authorised benchmark administrator, or a non-EU benchmark administrator where a positive equivalence or recognition determination has been made (see below);
• where the prospectus of a UCITS fund references a benchmark, the prospectus must include information on whether the index provider complies with the Benchmarks Regulation. This disclosure must be included in the prospectus of all new UCITS authorised on or after 1 January 2018 (Article 29(2) of the Benchmarks Regulation). Existing UCITS must incorporate such disclosure the next time they are updating their prospectuses after that date or at the latest within 12 months after that date (Article 52 of the Benchmarks Regulation). No equivalent disclosure requirements are imposed on alternative investment funds;
• supervised entities must have in place certain written contingency plans setting out the steps which will be taken in the event that the benchmark ceases to exist or materially changes. Where possible and appropriate, these arrangements should identify a replacement benchmark and explain why such replacement benchmarks are deemed suitable. The Benchmarks Regulation requires that these contingency arrangements should be reflected in contracts with clients. The plans and any updates to them are deliverable to the relevant Member State competent authority upon request (Article 28(2) of the Benchmarks Regulation); and
• any breaches in respect of the use of a benchmark within the scope of the Benchmarks Regulation are subject to a number of administrative sanctions including fines, which may be levied on both a firm and an individual (Article 42 of the Benchmarks Regulation);

The Benchmarks Regulation provides for the following mechanisms under which third country benchmarks may be used by supervised entities in the EU

• equivalence (Article 30 of the Benchmarks Regulation): the European Commission (Commission) makes a positive decision on the equivalence of a third country’s regime for benchmark administrators or a positive equivalence decision is made as regards specific administrators, benchmarks or families of benchmarks in a third country. In either case ESMA is to establish cooperation arrangements with the relevant third country competent authority;
• recognition (Article 32 of the Benchmarks Regulation): recognition is a temporary measure until the Commission can adopt a positive equivalence decision. A benchmark provided by an administrator located in a third country may be used by EU supervised entities provided the administrator acquires prior recognition by the Member State competent authority of reference. Prior recognition is based on the third country administrator’s compliance with the IOSCO Principles. A third country administrator must also have a legal representative in the EU;
• endorsement (Article 33 of the Benchmarks Regulation): administrators or supervised entities located in the EU can apply to their Member State competent authority to endorse third country benchmarks;

In each of the above cases, the details of the third country administrators shall be placed on the public register maintained by ESMA.

Article 51 of the Benchmarks Regulation provides for certain transitional periods

• an index provider which was already providing a benchmark on 30 June 2016 benefits from a transitional period until 1 January 2020 to apply for authorisation or registration as an administrator;
• a non-authorised or non-registered index provider may continue to provide an existing benchmark until 1 January 2020;

Article 52 of the Benchmarks Regulation provides that for UCITS prospectuses approved prior to 1 January 2018, the underlying documents shall be updated on the first occasion or at the latest within 12 months after that date.

For some firms the introduction of the Benchmarks Regulation will not come as a huge shock where they have already been raising their standards under the IOSCO Principles. However, for other firms meeting the new requirements will be a challenging exercise.

Any supervised entity, including AIFMs and UCITS managers, should carefully consider their risk exposure to the Benchmarks Regulation. They should create an inventory of the benchmarks that they use, and seek assurances from the administrators of those benchmarks that they are aware of the Benchmarks Regulation and have plans in place to comply with it from 1 January 2018. This is particularly important where the benchmarks are provided by smaller administrators, particularly in third countries. Supervised entities should also be thinking about potential alternative benchmarks in case any benchmark they currently use becomes unavailable, and the creation of written contingency plans mentioned above. For UCITS funds, new prospectuses will need wording regarding compliance with the Benchmarks Regulation as will existing prospectuses that are updated.

Territorial scope: The GDPR will apply to non-EU establishments where data about data subjects in the EU is processed in connection with “offering goods or services” to those European data subjects or “monitoring” their behavior. Non-EU entities that are subject to the GDPR will be required to designate a representative in an EU Member State (unless limited exceptions apply).

Fines: The fines under the GDPR are significantly higher than those which can be imposed under current law (up to £550,000 under current UK law). Under the GDPR, fines for breaches of certain important provisions can amount to up to €20 million or 4% of global annual turnover, whichever is the greater. Fines for breaches of other provisions can amount to up to €10m or 2% of global annual turnover, whichever is greater.

Data governance and accountability: The GDPR places onerous accountability obligations on organisations to demonstrate compliance with the GDPR. Some of the elements that must be demonstrated are explicit (whilst some are implied by the language of the GDPR). The net effect of the additional requirements is that all large organisations will need to implement a formal data protection programme to demonstrate data protection is taken seriously.

This will include having policies setting out how to comply coupled with training to bring those policies to life and taking steps to show that data protection compliance has been taken into consideration and the organisation has implemented appropriate compliance measures in relation to its data processing activities. Organisations will also be required to maintain a formal, written record of processing activities under its responsibility.

A data protection officer will also need to be appointed in certain circumstances. A data protection officer is responsible for monitoring compliance, advising the organisation on compliance with the GDPR and acting as the main point of contact in relation to data protection compliance.

Data processors: Data processors are organisations which process personal data for and on behalf of another organisation (the data controller). Under existing law, they have no statutory obligations or liability. The GDPR changes this – data processors will have direct obligations under the GDPR. These include requirements to implement technical and organisational security measures to protect personal data, an obligation to keep a register of data processing activities, direct obligations to comply with the rules relating to the transfer of personal data outside of the EU and restrictions on their ability to engage sub-processors obligations. Data processors can be liable for fines from data protection regulators and claims from individuals whom the personal data they process relates to (data subjects) where they breach their obligations under the GDPR.

Consent: The GDPR includes new limitations on the use of consent as a ground for processing personal data. This includes requirements that consent language is separate from other information and is unbundled. It also requires that it must be as easy to withdraw consent as to give it.

Fair processing notices: The information that is required to be given to data subjects is extended to include providing details of the grounds that are used to justify processing, the period for which the personal data will be retained, the mechanism of the export (see below) if the data exported outside the EU and the source of the data (if not the data subjects themselves).

The notice must highlight that consent may be withdrawn, the existence of the data subject rights (see below) and the right to lodge a complaint with the data protection regulator.

Data subject rights: The rights that data subjects have in respect of their personal data have been enhanced under the GDPR, including rights to have personal data transmitted to themselves or another data controller, to require the controller to erase personal data in some circumstances and to more information about a data controller's processing (export solution, storage limits) through a subject access request. Organisations must respond to requests from data subjects within a shorter time period than under current law.

Personal data breach: Under the GDPR, organisations must notify the data protection regulator within 72 hours of the breach and, in certain high risk circumstances, the individuals to whom the personal data relates without undue delay. Organisations must also maintain a personal data breach register.

Export of personal data: The shape of export restrictions remains similar as under current law in that personal data cannot be exported outside of the European Economic Area (EEA) unless the recipient non-EEA country has either been deemed by the European Commission (Commission) to offer adequate data protection safeguards or a valid export mechanism has been put in place (e.g. Commission approved model clauses or Binding Corporate Rules). Failure to comply with the export rules can attract the highest 4% of worldwide turnover fines.

Recent developments:

Guidelines on automated individual decision-making and profiling for the purposes of the GDPR

On 3 October 2017, the Article 29 Data Protection Working Party (Working Party) adopted guidelines on automated individual decision-making and profiling for the purposes of the GDPR. The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of the guidelines is to clarify those provisions.

Guidelines on personal data breach notification under the GDPR

On 3 October 2017, the Working Party adopted guidelines on personal data breach notification under the GDPR. The guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.

Guidelines on data protection impact assessment

On 4 October 2017, the Working Party adopted revised guidelines on data protection impact assessment and determining whether processing is “likely to result in a high risk” for the purposes of the GDPR. In order to ensure a consistent interpretation of the circumstances in which a data protection impact assessment is mandatory (Article 35(3)), the guidelines clarify this notion and provide criteria for the lists to be adopted by Data Protection Authorities under Article 35(4).

The European Union (Markets In Financial Instruments) Regulations 2017 which were published in July of last year with the purpose of transposing Directive 2014/65/EU into Irish law have been revised by the publication of the European Union (Markets in Financial Instruments) (Amendment) Regulations 2017, with the majority of changes being very minor in nature.

In response to the European Supervisory Authorities joint statement in November 2017 in respect of the requirement under the margin regulatory technical standards to exchange variation Margin for physically settled FX forwards from 3 January 2018, the Central Bank issued a statement on 18 December 2017 confirming that it would apply its risk-based supervisory powers in the day-to-day enforcement of applicable legislation in a proportionate manner. Although not expressly stated, it may be inferred from the Central Bank’s statement that investment funds do not need to comply with the relevant requirement to exchange variation margin for physically-settled FX forwards. A copy of the Central Bank’s statement is available on the Central Bank’s website.

With effect from 1 December 2017, the Central Bank has introduced a new “authorisation” levy which will apply to every Irish domiciled investment fund that is authorised and every sub-fund that is approved by the Central Bank. This is a once-off levy which will be payable by the relevant fund within 28 days of the issue of the levy notice by the Central Bank. Details of the applicable rates, together with further information relating to the levy is available from the Central Bank’s webpage, which is accessible here.

In December 2017, a second edition of the Central Bank Investment Firms Regulations was signed into law and took effect from 3 January 2018. The revised Regulations are intended to consolidate all of the requirements applicable to certain investment firms, fund service providers and market operators and include changes related to MiFID II, and the Investor Money Regulations (IMR) have been incorporated, with certain matters relating to the client assets regime and the IMR which to date have been addressed in guidance have now been put on a legislative footing in the revised Regulations. The Central Bank has confirmed that they will issue guidance on Part 6 (relating to Client Asset Requirements) and Part 7 (Investor Money Requirements) but that pending the issue of such guidance, the current guidance will continue to apply.

It has also published a revised version of its Q&A on investment firms available on the Central Bank’s website.

The Central Bank issued a number of revised Q&A on Undertakings for Collective Investment in Transferable Securities (UCITS) and the Alternative Investment Fund Managers Directive (AIFMD), the most recent of which are the 28th edition of the Central Bank Q&A on AIFMD and the 22nd edition of the Central Bank Q&A on UCITS. The revised editions published in the period under review provide additional guidance on the prospectus disclosure requirements applicable to UCITS and alternative investment funds (AIFs) under the Benchmarks Regulation, set down regulatory considerations to be complied with by depositaries of UCITS and AIFs when acquiring Chinese shares through the Shanghai-Hong Kong Stock Connect and the Shenzen-Hong Kong Stock Connect and address the application of the Key Information Documents for Packaged Retail and Insurance - Based Investment Products (PRIIPs) Regulation to AIFs.

In late December 2017, the EU (Securities Financing Transactions) Regulations 2017 (the “Irish SFT Regulations”) were signed into Irish law. The purpose of these regulations is to give full effect to the SFT Regulation. The Irish SFT Regulations designate the Central Bank as the competent authority in Ireland for the purposes of the SFT Regulation and grant it with some far-reaching powers in order to monitor compliance with the provisions of the SFT Regulation and the Irish Regulations, including a right of access, inspection and questioning. The Irish SFT Regulations also grant the Central Bank with certain enforcement powers and sets down the administrative sanctions which it may impose for infringements of the SFT Regulation. They also impose obligations on in-scope firms to ensure that there are appropriate whistleblowing arrangements in place to allow employees to report actual or potential infringements of the SFT Regulation.

The EU PRIIPs Regulations (the “Irish PRIIPs Regulations”) were also signed into law in late December 2017. These Regulations, which are intended to give full effect to the PRIIPs Regulation, designate the Central Bank as the competent authority in Ireland for the purposes of the PRIIPs Regulation and set down the sanctions which may be imposed by the Central Bank for infringements of the PRIIPs Regulation. The Irish PRIIPs Regulations also require regulated financial service providers, including UCITS and AIFM and those regulated firms selling PRIIP to put in place whistleblowing arrangements to allow their employees to report actual or potential infringements of the PRIIPs Regulation.

As a consequence of investor demand and the uncertainties as to the implementation of a third-country AIFM passport as well as the limitation of reverse solicitation capacities, numerous re-domiciliation or next product domiciliation projects in Luxembourg involving both regulated and non-regulated funds have been realised and are under examination.

On the one side the possibility to transfer a foreign investment fund’s registered office to Luxembourg with the continuation of its legal personality is creating some strong interest for asset managers wishing to raise assets in the European Union. This process allows for a foreign fund to preserve its full corporate history, including track record and it is also worth noting that it is generally completely tax neutral.

On the other side Luxembourg offers with its broad range of legal structures (e.g. the special limited partnership) appropriate solutions for the next fund generation.

Parallel structures are also raising strong interest.

The possibility of re-domiciliation or shifting licensed business to Luxembourg may also be particularly relevant in the Brexit context for promoters wishing to keep the benefit of their funds’ passport and ensure it for their future products. This in particularly the case for asset managers. Recent months have seen more and more asset managers announce Luxembourg as the jurisdiction taking over these functions after Brexit. An increasing number of asset managers are also seriously considering possible localisation of their UCITS management companies or regulated AIFMs in Luxembourg and discussions with the Luxembourg regulator are increasing.

In addition during the past months more financial institutions and insurance companies have expressed their intention to either increase their business presence in their existing Luxembourg entities or establish newly formed entities to relocate business post Brexit.

The RAIF, the flexible investment vehicle which has been in existence for slightly more than 18 months (it has been implemented in July 2016), continues to create strong interest. Since implementation, 296 RAIF structures (official list at the companies register as at 3 Feb 2018) have been created in Luxembourg with a variety of different investment policies and for a number of different purposes (time-to-market, incubation, private wealth management etc.). The RAIF-product is not only fit for illiquid asset classes but, mainly due to the availability of variable capital structuring, also to liquid asset classes including strategies involving a high trading frequency.

It may be observed that investors, especially institutional investors, in Europe and around the globe, have now got used to the RAIF perhaps seeing it as an SIF alternative (and to a lower number a SICAR alternative), a Luxembourg investment fund meeting the highest standards of structural quality and flexibility, as they were used to in a “real” SIF (or “real” SICAR) but without an add-on regulation on the fund product itself.

Besides this, for illiquid asset classes there has been increasing demand for AIF’s structured as unregulated partnerships (SCS or SCSp). Promoters and investors appreciate the legal framework allowing (to the extent applicable requirements are met) for a choice of set ups which range from an AIF which is only managed by a registered AIFM (and, for instance, not requiring a depositary) to an AIF managed by an authorised AIFM. In both instances investments without the requirement of minimum diversification is allowed, to the extent it is intended.

Even though the RAIF and the unregulated AIF as described above are currently dominating the structural demand in the alternative asset classes, the SIF as the traditional regulated fund vehicle with its year-long market position and flexibility continues to preserve its importance within the range of available fund products. This particularly applies to strategies involving liquid asset classes and/or markets where certain investors are more comfortable or the legal framework is favouring/requiring regulated fund vehicles.

ALFI’s annual Real Estate Investment Fund Survey revealed that real estate assets held through Luxembourg fund vehicles (Real Estate Investment Fund, REIF) reached an all-time high of over €57.000 billion in more than 300 vehicles (not even taking into account fund of fund vehicles or debt fund vehicles related to real estate). Over more than a decade Luxembourg has positioned and increased its importance as the crossborder hub for REIFs and the strong activity on international real estate markets, for instance in Germany has, translated into a high demand for Luxembourg REIF structures.

The Luxembourg market sees a further strengthening of its position as the recognised on-shore hub for all kinds of private equity, venture capital, real estate, infrastructure etc. (and alike) fund structures. In particular professional and institutional investors from Europe and abroad trust the recognised stable and flexible Luxembourg market and its fund products, whether regulated or not. Notably, increasing investment in infrastructure and clean energy is being realised through Luxembourg fund vehicles which can be easily adapted.

Debt and credit funds are continuing their steady growth in Luxembourg thanks to the flexible legal and regulatory environment allowing them to implement all types of debt/credit strategies: mezzanine, distressed, including in particular origination, etc.

Luxembourg is strengthening its position as a key on-shore domicile for structuring debt funds: over 70 per cent of the top 30 debt fund managers worldwide are present in Luxembourg.

We see an increasing demand for a potential structuring of Luxembourg funds investing in the Cryptocurrency/Bitcoin sector. It is an interesting and challenging exercise to bring together on-shore market requirements and a dynamic and new asset class which functions very differently from the “traditional” alternative world. We are confident that the Luxembourg market will have a workable answer to this challenge.

On 16 January 2018, the Commission de Surveillance du Secteur Financier (CSSF) published a revised version of its Application Questionnaire which needs to be filed when seeking authorisation of an alternative investment fund manager.

The Application Questionnaire includes, inter alia, the following:

• Ownership and qualifying holdings: The repeal of CSSF Circular 09/392 has been taken into account by the CSSF and it has been replaced by CSSF Circular 17/669 adopting the joint guidelines of ESMA, EBA, and EIOPA on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector.
• For self-managed AIFM and for existing Chapter 15 management companies applying for the AIFM license, the amount of the own funds must be at least equal to (a) 300,000 EUR plus 0.02 per cent of assets under management above 250 million EUR or (b) a quarter of the previous year’s general expenses, whichever is higher.

A draft bill of law has been introduced in Luxembourg on 6 December 2017 in order to implement the Fourth Anti-Money Laundering Directive (the AML Directive) into Luxembourg Law.

Further to this draft bill a register of beneficial owners (registre de bénéficiaires effectifs = REBECO) will be created. It is expected that the draft bill will be adopted around the end of Q1 2018.

Briefly, for every beneficial owner (BO) who directly or indirectly holds more than 25% in an entity the following information will need to be provided to the REBECO:

• date and place of birth
• nationality
• private or professional address of residence
• BO’s nature and extent of beneficial interests held in the relevant entity.

The information must be accurate, complete and up-to-date.

In practice, access to this information will be limited. The information contained in the REBECO will be made available electronically only to national competent public authorities, including but not limited to the prosecutor, the Commission de Surveillance du Secteur Financier (CSSF), the Commissariat aux Assurances (CAA) and tax administrations. Such electronic access is unrestricted.

Self-regulatory bodies (such as the Bar Council, Notary Chamber and the Institut des Réviseurs d’Entreprises) will also have limited electronic access to the REBECO. Such electronic access is only to be used within the strict context of their supervisory functions. Access is subject to the authorisation of the REBECO manager. Only partial information may be disclosed to these self-regulatory bodies.

Obliged entities (for instance credit institutions, professionals of the financial sector, insurance undertakings, UCITS management companies and AIFMs) will also have limited electronic access to the REBECO. Limited access will only be given where obliged entities are required to carry out client due diligence measures in relation to their clients.

Physical access may also be granted to any person or organisation that: (i) can demonstrate a legitimate interest in relation to anti-money laundering; (ii) is resident in Luxembourg; and (iii) has made an official written and duly justified request in this respect. Such access is subject to the prior approval of a formal commission created by the Minister of Justice.

Any subject entity may request a restriction of access to the REBECO where such access would expose the BO to a risk of fraud, kidnapping, blackmail, violence or intimidation, or where the BO is a minor or otherwise incapable.

Furthermore, criminal sanctions may be imposed on the self-regulatory bodies or on the obliged entities if they purposely access the REBECO outside the aforementioned circumstances.

On 25 October 2017, a draft bill of law adapting and completing Luxembourg law to the Regulation (EU) No 1286/2014 on key information documents (KIDs) on packaged retail and insurance-based investment products (PRIIPs) (the PRIIPs Regulation) and, inter alia, modifying the amended Luxembourg law of 17 December 2010 on undertaking for collective investment and the amended Luxembourg law of 7 December 2015 on the insurance sector, was lodged with the Luxembourg Parliament.

Regulation (EU) No. 1286/2014 on key information documents (KIDs) on packaged retail and insurance-based investment products (PRIIPs), which entered into force on 29 December 2014, applies since 1 January 2018.

From a legislative perspective, the draft bill of law specifies that the CSSF and the CAA will be the relevant competent authorities for the PRIIPs Regulation for, respectively, management/investment companies and insurance companies. They will have controlling powers as well as the power to impose fines. In addition to that, the draft bill of law states that the SICARs (Investment Company in Risk Capital) and investment funds other than UCITS are authorized to prepare a UCITS KIID provided they clearly state on the document that they are not subject to the UCITS Directive. In such cases, these entities and the persons who sell or provide advice on the units or shares of those funds or SICARs would benefit from the exemption contained in art. 32 of the PRIIPs Regulation and therefore, for the time being and until 31 December 2019 would not have to comply with the requirements of the PRIIPs Regulation.

A new draft bill N°7184 adapting and completing Luxembourg law to Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) was lodged with the Luxembourg Parliament on 12 September 2017.

On 3 October 2017, the Article 29 Working Party adopted two new guidelines: the first one on data breach notification and another on automated individual decision-making and profiling.

The guidelines on data breach notification are a consequence of the requirement imposed by the GDPR to notify to the competent national supervisory authority (the CNPD in Luxembourg) any breach which is likely to result in a risk to the rights and freedoms of individuals and, in certain cases, to also notify the individuals whose personal data have been affected by the breach.

Such notification will be mandatory for controllers, but also for processors who will have to inform their controllers if there is a breach. Therefore, controllers and processors are encouraged in these guidelines to plan in advance and put in place processes to be able to detect and promptly contain a breach. Thus, these guidelines explain the steps controllers and processors can take to meet these new obligations.

Such a failure to report a breach should be taken seriously since it may lead to a sanction, including an administrative fine, the value of which can be up to EUR 10 million or up to 2 per cent of the worldwide annual turnover of the controlling entity.

As a consequence of advances in new technologies and the widespread availability of personal data on the internet, the Article 29 Working Party also decided to adopt guidelines on automated individual decision-making and profiling.

Automated individual decision-making and profiling are used in a large number of sectors, including in banking and finance, health, taxation, insurance, marketing and advertising.

The Article 29 Working Party recognises that there are two general benefits of these technologies: increased efficiencies and resource savings.

However, automated individual decision-making and profiling may also pose significant risks for individuals, which is the reason why the GDPR introduces new provisions to address these risks.

These guidelines clarify these new provisions and give good practice recommendations to the actors involved.

On 29 November 2017 the Luxembourg tax authorities issued a revised version of the Circular L.I.R. 104/2 (the Circular) depicting a favorable tax treatment for salaried Luxembourg tax payers (whether they are resident or non-resident) benefitting from stock option plans under the conditions contained therein. Download our tax newsletter to read the main amendments: Download newsletter