2025 CSSF Counter-Proliferation Financing Thematic Review

• In 2024, the AML/CFT division of the UCI On-site Inspections department conducted a thematic review on five Luxembourg-based investment fund managers, which focused on the IFMs’ potential exposure to the risks related to the financing of proliferation of weapons of mass destruction (hereafter “WMD”) at asset level, in particular about dual-use goods (hereafter “DUGs”) and investments in vessels, shipping or other transportation means.
• During its review, the CSSF established that the sampled IFMs were aware of and prepared for the topic, even if the measures that they implemented to combat the proliferation financing risk were still maturing.
• This is in line with the proliferation financing risk identified for the Luxembourg fund industry, which is estimated to be low

Executive Summary

This briefing summarises the findings and recommendations from the Commission de Surveillance du Secteur Financier (CSSF)'s thematic review on Counter-Proliferation Financing (CPF) controls, as detailed in the attached document "THEMATIC REVIEW LUX OF WMD.pdf" (published circa 2025).

• https://www.cssf.lu/en/2025/11/publication-of-the-results-of-the-thematic-review-concerning-measures-implemented-by-luxembourg-investment-fund-managers-to-combat-the-proliferation-financing-risk/
• https://www.cssf.lu/wp-content/uploads/Counter-Proliferation-Financing-Thematic-Review.pdf

FOCUS

• The review focused on five Luxembourg-based Investment Fund Managers (IFMs) and their exposure to proliferation financing risks related to Weapons of Mass Destruction (WMD), particularly through dual-use goods (DUGs) and investments in vessels, shipping, or transportation.
• Key themes include alignment with Financial Action Task Force (FATF) Recommendations, Luxembourg's Law of 19 December 2020 on restrictive financial measures, and emerging best practices.
• The overall CPF risk for the Luxembourg fund industry is assessed as low, but measures are still maturing.

Key Findings

• Market Awareness and Preparedness:
• IFMs demonstrated awareness of CPF risks at the asset level (e.g., DUGs and vessels).
• However, controls are maturing, reflecting the low estimated CPF risk in the Luxembourg fund industry.
• Threats and Vulnerabilities:
• Exposure through investments in DUGs, vessels, or shipping routes potentially linked to sanctioned entities or high-risk jurisdictions (e.g., North Korea, Iran).
• Risks of sanctions evasion, non-implementation, or breaches of TFS.
• Geographical indicators (e.g., from the Peddling Peril Index*) highlight vulnerabilities in certain countries' strategic trade control systems.
• Overall Risk Assessment:
• Low for the sector, but potential for indirect exposure via fund assets requires vigilant monitoring.

The Peddling Peril Index (PPI)

The PPI is an international ranking system that evaluates how well countries implement strategic trade controls to prevent the spread of weapons of mass destruction (WMD) and related technologies.

Purpose

• It measures the effectiveness of national systems for controlling exports, imports, transit, and transhipment of sensitive goods and technologies.
• The goal is to reduce proliferation risks by identifying gaps and encouraging improvements in trade control systems worldwide. [resources.inmm.org]

How It Works

• The PPI ranks about 200 countries and territories using over 100 indicators across five key areas:
1. International Commitments (e.g., adherence to treaties like UN Security Council Resolution 1540)
2. Legislation (comprehensive export control laws)
3. Ability to Monitor and Detect Strategic Trade
4. Ability to Prevent Proliferation Financing
5. Adequacy of Enforcement [cdn.fourwaves.com]

Recommendations and Best Practices

• Based on observed market practices, the CSSF recommends IFMs (and by extension, similar entities) adopt the following to strengthen GRC frameworks.
• These should be integrated into AML/CFT policies on a risk-based approach.

Governance Enhancements

• Include a dedicated section on CPF risks in AML/CFT risk assessments, policies, and procedures.
• Incorporate CPF into board-level oversight, ensuring alignment with FATF Guidance on Proliferation Financing Risk Assessment and Mitigation (2021).
• Maintain a country risk list with CPF-specific indicators, such as those from the Peddling Peril Index (last updated version available at isis-online.org).

Risk Management Measures

• General TFS Screening: Perform EU and UN-level TFS screening, plus adverse media checks on transaction parties.
• Vessel and Shipping Investments:
• Conduct pre-acquisition due diligence, including vessel screening against TFS lists.
• Identify destinations and routes; implement risk-based monitoring via Automatic Identification System (AIS) tracking.
• DUG-Exposed Assets:
• Maintain a register of such assets.
• Ensure controls align with EU Regulation 2021/821 (e.g., exports, brokering, technical assistance).
• Verify base clients exclude sanctioned countries, military sectors linked to high-risk jurisdictions, or sanctioned clients.
• Conduct asset-specific risk assessments.
• Identify and verify Ultimate Beneficial Owners (UBOs).
• Risk-rate jurisdictions of the asset and related parties.
• Screen for sanctions and adverse media, including OFAC lists (as a best practice, though not mandatory under Luxembourg law).

Compliance Obligations

• Integrate CPF risks and TFS into annual staff training, covering definitions, threats, vulnerabilities, exposure, trends, and reporting under the Law of 19 December 2020.
• Report any enforcement issues (e.g., attempted transactions) to the Ministry of Finance or CSSF.
• Reference FATF's 2025 report on "Complex Proliferation Financing and Sanctions Evasion Schemes" (detailed in CSSF Newsletter No. 295, August 2025) for emerging trends.

GRC Implications

• Governance: Strengthen board accountability for CPF oversight, ensuring policies evolve with FATF and EU updates. Regular reviews of risk assessments are essential.
• Risk: Adopt a proactive, risk-based approach to identify CPF exposures, particularly in alternative investments like vessels or DUGs. Use tools like AIS and indices for ongoing monitoring.
• Compliance: Ensure full adherence to Luxembourg laws and FATF standards to avoid penalties, including criminalisation of non-compliance as a money laundering predicate. Non-Luxembourg entities (e.g., in Jersey) should benchmark against these to achieve cross-border alignment, while considering similar EU/UN obligations.

Next Steps and Conclusion

Organisations should review their AML/CFT frameworks against these best practices and conduct internal audits for CPF gaps. The CSSF plans continued public-private dialogues and cooperation to enhance market awareness.

In summary, while CPF risks are low, proactive adoption of these recommendations will mitigate vulnerabilities, ensure regulatory compliance, and support robust GRC. If you would like more guidance, please refer to the FATF resources cited in the document.

Here are the official FATF resources cited in the CSSF document, along with direct links:

1. FATF Guidance on Proliferation Financing Risk Assessment and Mitigation (2021)

• Purpose: Helps countries, financial institutions, DNFBPs, and VASPs identify, assess, and mitigate proliferation financing risks.
• Link: https://www.fatf-gafi.org/en/publications/Financingofproliferation/Proliferation-financing-risk-assessment-mitigation.html [fatf-gafi.org]

2. FATF Guidance on Counter Proliferation Financing – Implementation of UNSCR Financial Provisions

• Purpose: Explains obligations under UN Security Council Resolutions and FATF Recommendation 7 for targeted financial sanctions.
• Link: https://www.fatf-gafi.org/en/publications/Financingofproliferation/Guidance-counter-proliferation-financing.html [fatf-gafi.org]

3. FATF Recommendation 7 – Targeted Financial Sanctions Related to Proliferation

• Purpose: Requires countries to implement targeted financial sanctions to comply with UNSCRs on WMD proliferation.
• Link: https://www.fatf-gafi.org/en/publications/Financingofproliferation/Unscr-proliferation-wmd.html [fatf-gafi.org]

4. FATF Recommendations (Full Set)

• Purpose: Global standards for AML/CFT and counter-proliferation financing.
• Link: https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html [fatf-gafi.org]

5. FATF Methodology for Assessing Technical Compliance and Effectiveness (2022)

• Purpose: Sets out how FATF evaluates compliance with its standards, including proliferation financing measures.
• Link: https://www.fatf-gafi.org/en/publications/Mutualevaluations/Fatf-methodology.html
• Direct PDF: https://www.fatf-gafi.org/content/dam/fatf-gafi/methodology/FATF-Assessment-Methodology-2022.pdf.coredownload.inline.pdf [fatf-gafi.org], [fatf-gafi.org]

NOTES ON  Background and Context

The CSSF review aimed to:

• Assess market awareness of CPF risks via Luxembourg investment funds.
• Identify threats and vulnerabilities, focusing on regimes related to North Korea, Iran, and non-country-specific sanctions.
• Benchmark practices against FATF standards (e.g., Recommendations 1, 2, and 7, updated October 2020) and local laws.

Key Definitions and Regulatory Framework:

• CPF Definition (per FATF): The raising, moving, or making available of funds, assets, or resources for WMD proliferation, including DUGs (goods with civilian and military applications, as defined in EU Regulation 2021/821) for non-legitimate purposes.
• Luxembourg Law of 19 December 2020: Mandates Targeted Financial Sanctions (TFS) for professionals (including IFMs), such as freezing assets to prevent CPF. Article 6 designates the Ministry of Finance and CSSF as competent authorities for reporting enforcement issues, including attempted transactions.
• Additional Legal Developments: The 2022 Law of 20 July introduced CPF-related infringements as a predicate offence to money laundering under Article 506-1 of the Criminal Code.
• FATF Context: Countries must require financial institutions to assess and mitigate money laundering (ML), terrorist financing (TF), and CPF risks, including TFS compliance with UN Security Council resolutions.