
BankingShort, Briefingengaging headlinePSD2 is the revised version of the Payment Services Directive...

Date post: 27-Jun-2020
Banking Briefing March 2017 kpmg.lu Q1 2017 Getting growth back to the top of the strategic agenda Upcoming transposition of the 4th AML Directive: Will we see light at the end of the tunnel soon? PSD2 and why it represents an opportunity for banks Fighting the symptoms of Cyber Fatigue EU Audit reform series

Banking Briefing

March 2017

kpmg.lu

Q1 2017

Getting growth back to the top of the strategic agenda

Upcoming transposition of the 4th AML Directive: Will we see light at the end of the tunnel soon?

PSD2 and why it represents an opportunity for banks

Fighting the symptoms of Cyber Fatigue

EU Audit reform series


Preface

Dear readers,

Welcome to the latest edition of the KPMG Banking Briefing, in which our team of experts discerns and analyses the major developments affecting the banking industry in Luxembourg.

This issue addresses the following topics:

How banks need to once again set their sights on growth, given MIFID 2 and stricter inducement regulations, and how they should focus on delivering enhanced value amid stiff competition.

The imminent transposition of the 4th AML Directive – we take stock of the latest scenario and look ahead to how this will play out in the months to come.

Why PSD2 presents an opportunity that banks need to grab with both hands, in terms of enhancing customer experience and growing their business.

How to effectively address cyber security concerns, in a world where cyber fatigue is setting in and uncertainty prevails despite excessive expenditure and regulations around security.

We hope you find this publication insightful and useful, and would welcome any feedback you might have. Happy reading!


Table of contents

– Getting growth back to the top of the strategic agenda

– Upcoming transposition of the 4th AML Directive: Will we see the light at the end of the tunnel soon?

– PSD2 and why it represents an opportunity for banks

– Fighting the symptoms of cyber fatigue

– EU Audit reform series


Getting growth back to the top of the strategic agenda

Private banking is entering a new phase. Whilst regulatory-driven changes are still high on the agenda, there is an increasing focus on commercially-driven transformation. MIFID 2 and the stricter rules on inducements have led to a rethinking of the service offering and targeted clientele. Growth is once again a key topic for banks. In order to survive, banks need to rethink their businesses.


Anne-Sophie Minaldo, Partner

T: +352 22 51 51 7909 E: [email protected]

This implies prioritising their core differentiating strengths, while looking for collaborative solutions with high-quality partners capable of delivering the banks’ non-core activities more effectively. Such a combination will maximise value-add for both clients and banks themselves.

While many banks have historically delivered the full array of services themselves, it may be time to refocus on what brings tangible value to the client. We recommend that board members and executives conduct a thorough analysis to identify the real “unique selling proposition” of their organisations. They have to determine what differentiates them in the competitive arena and, most importantly, what really matters to their clients. For those non-core activities identified, when assessing the end-to-end value chain, private banks should objectively evaluate tactical or strategic collaboration alternatives to have these services delivered more efficiently.

Since cooperation generally entails a high level of complexity, board members and executives could typically face uncertainties and doubts. To overcome such psychological challenges, they have to use a structured and fact-based framework to support the sourcing decision-making process. Banking management should assess each building block of the business and operating models to identify opportunities for collaboration and progressively develop true ecosystems.

Figure: From regulatory-driven transformation to commercially-driven transformation (timeline: 2008, 2016, 2018, ongoing)

De-risking and legacy management

– De-risking and capital reinforcement

– Management of tax issues, client remediation, start of review of target markets

– Provisions, negotiation with authorities, payment of fines

Regulatory changes

– Implementation of regulatory projects to meet new legal requirements

– Reinforcement of legal, compliance and risk management capabilities and resources

Operational excellence

– Efficiency and productivity increases, industrialisation, cost management

– Improvement of operating model, value chain, sourcing and collaboration

Sustainable growth

– Reinforcement of digital strategies

– Transparent multi-distribution channels

– New market, client and growth strategies

[...]


Upcoming transposition of the 4th AML Directive: Will we see light at the end of the tunnel soon?

The 4th Anti-Money Laundering Directive (AMLD), which came into force in June 2015, was aimed not only at reinforcing existing rules on the fight against money laundering and terrorist financing but also at the harmonisation of the international framework and eradicating inadequacies in current EU regulations. This directive integrates the Recommendations of the Financial Action Task Force (FATF) of February 2012 as well as outcomes of various reviews/assessments conducted by the European Commission on the implementation of the 3rd Money Laundering Directive. The deadline for each country to have it transposed has been set for the end of June 2017. On 5 July 2016, the Commission published a proposal to amend the 4th AMLD and set out a series of measures to better counter the financing of terrorism and also increase the transparency of financial transactions and corporate entities.


Sandrine Periot, Director

T: +352 22 5151 7220 E: [email protected]

Where do we stand?

– The 4th AMLD has yet to be transposed into Luxembourg national legislation. Some changes brought about by the 4th AMLD were already anticipated, through the Law of 27 October 2010 and CSSF regulation 12-02. Others, such as the recognition of tax crimes related to direct and indirect taxes as a predicate offence to money laundering, have recently been introduced with the Law of 23 December 2016 and CSSF Circular 17/650.

– Draft bills, relating to both the transposition of the 4th AMLD and the implementation of a UBO (ultimate beneficial owners) register as mandated by the directive, are expected by the end of April. The UBO register will most likely be administered by the Trade and Companies Register.

– The proposal from the Commission is still under debate. Several committees reviewed both the 4th AMLD and the updates proposed in July 2016 and suggested further recommendations and amendments. A report on this proposal with the latest changes was published by the European Parliament on 9 March 2017.

What’s new?

– The accessibility of the UBO register: the 4th AMLD dictates that, in addition to competent authorities, FIU and obliged entities, UBO information should be accessible to any person or organisation that can demonstrate a legitimate interest. The concept of “legitimate interest” might be obsolete. Considering that some countries have announced their intention to make information contained in the register publicly available, such information should then become publicly available in all EU Member States to avoid any discrepancy.

– Trusts and similar legal arrangements set up for other purposes, such as charitable aims, use of family assets or other purposes that benefit the community, and would not qualify as for-profit organisations, are now obliged to publicly disclose certain UBO information. The definition of trusts and similar arrangements has been detailed further to ensure that any other type of legal arrangement with a structure or function resembling a trust is covered, e.g., Treuhand, Stiftung, Privatstiftung and Fiducie.

– Although it remains the legal responsibility of each company, trust and other entity to disclose this information and ensure it is current, the revised directive further requires entities to report any discrepancy between the information held in the register and that obtained via customer due diligence obligations.

– An interconnection of the central registers among the EU Member States is also foreseen.

– The shareholding threshold is lowered to 10% for the identification of a beneficial owner, irrespective of the level of risk.

What’s next on the agenda?

– The position of the European Parliament will be forwarded to the Council for review.

– The 4th AMLD requires each Member State to conduct an AML risk assessment at the country level. This has to be published and outcomes may impact professionals/entities operating in areas considered more prone to money laundering/terrorist financing.

– The European Supervisory Authority should issue its guidelines “on the risk factors to be taken into consideration and/or the measures to be taken in situations where simplified due diligence or enhanced due diligence measures are appropriate”. These guidelines should be adopted within two years of the Directive coming into effect, i.e., no later than 26 June 2017 (note that in the joint consultation paper issued in October 2015, private banking was considered as automatically high risk).


PSD2 and why it represents an opportunity for banks

PSD2 is the revised version of the Payment Services Directive regulation that was adopted in 2007 and provided the foundation for a Single Euro Payments Area. It came into effect in January 2016 and will apply from January 2018. The key drivers for PSD2 are technological – since PSD was launched, new players and technologies have emerged in the payments industry without being regulated under PSD. The regulators wanted to level the playing field between the banks and new entrants and “open up” the EU payments market by requiring banks to allow third party access to their customers’ account information.


What does this mean for banks?

The Directive introduces two new payment service providers: Payment Initiation Services Providers (PISPs) and Account Information Services Providers (AISPs). PISPs enable customers to make direct credit transfers from their online payment accounts and AISPs are account information aggregators consolidating different current accounts for customers, but could also provide data analysis based on the information obtained.

A key element under the new directive is that banks must provide secured access to their customers’ account information when customers request to use the services of a PISP or AISP. This access-to-accounts provision (also referred to as “XS2A”) requires banks to build open APIs (application programming interfaces) to provide third parties with access to their customer account information.

In this respect, the minimum requirement for banks will be to securely establish and maintain the APIs needed to provide their customer account data to the new market participants.

However, this also presents opportunities and, aside from simply becoming compliant, banks should consider leveraging them to deliver more value-added services and a better customer experience, and even attract new customers. Banks will have the opportunity to enter new distribution channels and take on different roles across the value chain. They have traditionally played the role of payment processors while fintechs have been positioned as payment initiators, primarily driving innovation in this space.

By not taking advantage of these new roles and opportunities, banks could be left with the costs of compliance without strengthening their customer relationships. Acting as PISPs or AISPs could enable banks to obtain account data from other banks that their customers use and help them provide value-added services such as spending behaviour analysis. The development or use of APIs in this aspect is crucial for the expansion of services and therefore requires the right strategic considerations.

Banks that consider PSD2 as merely a compliance exercise are likely to miss out on the opportunity to use their current position as a foundation of development and stay relevant in the changing ecosystem of payments and banking. The development of interfaces between fintechs and banks will accelerate innovation in the market for the benefit of customers. PSD2 (by way of open APIs) in this context presents an opportunity for banks to expand their range of innovative services, which will grow the market further. Outside the financial industry, APIs are not a novel concept, having contributed to success stories across other industries, such as Amazon, Google and Apple.

PSD2 is an opportunity for banks to reinvent themselves, diversify their products and service offerings, and continue to be recognised for adding value for their customers.

Jürgen Rieder, Associate Partner

T: +352 22 51 51 7280 E: [email protected]


Cyber Security: Fighting the symptoms of Cyber Fatigue

Let’s face the facts: With cyber incidents, it’s not a question of if, but when your company will be the target of an attack.

Constantly hearing about unspecified threats, however, can be annoying. Preparation for the unforeseeable is costly and, in the end, you may still be uncertain about whether you have actually taken all necessary precautions.

This uncertainty, the tremendous financial commitment associated with running a full-fledged cyber security program, and the constant and ubiquitous news about data breaches have led to a brand new ‘disease’, the symptoms of which you might already have experienced – Cyber Fatigue.

‘Cyber Security in the boardroom’ 2.0

Over the past few years, cyber risk awareness has made its way into the boardroom, which happened to be the right way to ensure potential threats are properly addressed by providing adequate funding to Cyber Security programs.

Yet, significant data breaches continue to make headlines (remember Ashley Madison?), ransomware is spreading virulently across cyberspace, employees fall prey to increasingly sophisticated social engineering attacks, and so on. It’s frustrating and worrisome, and on top of that, throwing even more money at top-notch Cyber Security tools just doesn’t seem to help.

Now add to this an ever-expanding regulatory framework, with regulation like GDPR, which will bring painful penalties for the violation of data protection rules, and the justified demands of individuals to ensure their privacy rights are not violated.

After a few years of increasing Cyber Security budgets, board members are now asking themselves: shall we keep on spending, and how much is enough? Will it ever be enough?

The question of ‘Did we really take everything into account?’ can make Cyber Security programs spiral out of control.

Are you experiencing symptoms?

A few indicators that your organisation may be experiencing Cyber Fatigue include:

1. Double-digit compound annual growth rate (CAGR) in cyber budgets over the last five years

2. Ever-increasing depth and breadth of executive and board briefings on cyber issues

3. Continual net addition of cyber-related technologies – with few, if any, being retired


Thomas Koch, Senior Manager

T: +352 22 5151 7920 E: [email protected]

The remedy against Cyber Fatigue

A clearly defined strategy of breaking the shackles of threats and spending will help you combat the symptoms of Cyber Fatigue.

In a nutshell, it is a 5-pronged approach that will result in a Cyber Security strategy that adequately addresses your company’s threat situation, security capabilities and overall business strategy.

Let’s put an end to budget increases, all-too-dramatic threat scenarios and the fear of failure. It’s time to realign your Cyber Security strategy based on objective assessments and factual risks.

Five ways to fight Cyber Fatigue

– Make measured investment in cyber capabilities based on risk: As a first step in the process, we must quantify the risk through a unique ‘value at risk’ calculation that incorporates breach likelihood.

– Regularly measure the effectiveness of your security investments: Most companies do not understand the full amount that they spend on Cyber Security.

– Develop/align the right cyber risk model: Once you understand your cyber assets and how they are managed, begin structuring an effective cyber risk management model.

– Continually update your model to reflect emerging threats: Cyber Security is an elusive target, an ongoing challenge that mandates continual vigilance.

– Build/promote a risk-aligned security organisation: In addition to the systemic changes around identifying, measuring and managing cyber risks, one of the important but often overlooked aspects is building and continually developing a risk-aligned culture in security and the larger organisation.

Read the full study “How to bounce back from Cyber Fatigue” here: www.kpmg.lu/cybersecurity


EU Audit reform series

Series 2 – Audit committee

Do I need to establish an AC?

The entities required to establish an audit committee are public interest entities (PIEs). PIEs include:

– Luxembourg entities whose transferable securities are traded on a regulated market of any Member State; according to the CSSF, investment funds having their units admitted to trading on a regulated market are PIEs

– Credit institutions

– Insurance and reinsurance undertakings (except for pension funds and captive companies)

Can my bank benefit from any exemption?

The following exemptions could potentially apply to Luxembourg banks:

– Banks that are subsidiary undertakings if EU requirements are met at a group level

– Luxembourg credit institutions:

  – Whose shares are not admitted to trading on an EU regulated market, and

  – Which have, in a continuous or repeated manner, issued only debt securities admitted to trading on a regulated market, provided that the total nominal amount of such debt securities remains below EUR 100 million and that it has not published a prospectus under the Transparency Directive

BUT

– If a credit institution is exempted, the Board of Directors (BoD) or the Supervisory Board will take over the responsibilities of the Audit Committee.


Pia Schanz, Partner

T: +352 22 51 51 6642 E: [email protected]

Marco Weber, Associate Partner

T: +352 22 51 51 6652 E: [email protected]

What is the role of the audit committee?

– Providing information to the BoD/Supervisory Board on the outcome of the audit

– Monitoring the audit

– Monitoring the financial reporting process

– Monitoring the selection of the audit firm and recommendation of the audit firm to be appointed

– Monitoring the effectiveness of the undertaking’s internal quality control and risk management systems and, where applicable, its internal audit

– Reviewing and monitoring the independence of the audit firm, and in particular the appropriateness of the provision of non-audit services

Want to learn more about the Audit Reform? Check out our next Banking Briefing with more insights into the obligation of Audit Committees to monitor non-audit services and mandatory auditor rotation.


© 2017 KPMG Luxembourg, Société coopérative, a Luxembourg entity and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. Designed by CREATE | CRT078632

Contact us

Thomas Koch, Senior Manager

T: +352 22 5151 7920 E: [email protected]

Sandrine Periot, Director

T: +352 22 5151 7220 E: [email protected]

Stanislas Chambourdon, Partner, Head of Banking

T: +352 22 51 51 6206 E: [email protected]

Pia Schanz, Partner

T: +352 22 51 51 6642 E: [email protected]

Marco Weber, Associate Partner

T: +352 22 51 51 6652 E: [email protected]

Jürgen Rieder, Associate Partner

T: +352 22 51 51 7280 E: [email protected]

Anne-Sophie Minaldo, Partner

T: +352 22 51 51 7909 E: [email protected]

KPMG Luxembourg, Société coopérative
39, Avenue John F. Kennedy
L-1855 Luxembourg
Tel: +352 22 51 51 1

www.kpmg.lu

