About the training session
Objectives
- Understand their legal duties, accountability, and personal liabilities across AML/CFT, DORA and GDPR.
- Improve their understanding of key risks to support balanced, well-informed discussions with management.
Content
DORA – Digital Operational Resilience for board members
Role & legal accountability of the management body
- Oversight over ICT risk framework
- Duty to approve ICT resilience strategies and ensure adequate resources
- Personal exposure to sanctions (up to EUR 5M for individuals)
Governance duties under DORA
- Documentation duties, audit trail, follow-up
- Incident reporting obligations
- Monitoring third-party ICT risk
Practical board questions
- What should board members ask during risk reporting cycles?
- How should board members assess ICT incident dashboards?
- What evidence do supervisors expect boards to have reviewed?
AML/CFT – Board Responsibilities & CSSF Expectations
Legal and regulatory AML/CFT framework
- FATF, EU AML package, Luxembourg Law of 12 November 2004
- CSSF Circulars and supervisory trends
Board’s accountability
- Oversight of AML framework, risk appetite and BWRA
- Adequate internal organisation, RR/RC oversight
Professional obligations
- Due diligence, ongoing monitoring
- Reporting duties (STR/SAR) and cooperation with FIU
- Consequences of non-compliance (sanctions, fines, reputational risk)
Recent supervisory findings – What boards must monitor
- Weaknesses in CDD
- Inadequate risk assessment
- Outsourcing AML processes
Case-based Board Discussion
- CSSF sanction cases
- Red flag scenarios
- What the board should ask compliance during quarterly reporting
GDPR – Governance & Accountability for Board Members
Accountability obligations and board liability
- Governance duties under GDPR
- DPIAs, records of processing, risk-based controls
Data breach response
- Incident detection & internal reporting channels
- 72-hour reporting obligation
- Supervisory expectations
Data governance & oversight
- Data subject rights handling
- Third-party processors
- How GDPR overlaps with DORA (incident response, records, controls)
What boards must review annually
- DPO reports
- Breach logs
- Compliance dashboards
- Evidence of staff training
Speakers
Our speakers belong to both our specialised and complementary teams and as such cover all legal, regulatory, taxation and advisory aspects of doing business in Luxembourg. We invite you to check our training agenda where the speakers are listed on each training session.
Duration
3 hours
For more information please contact us by e-mail at institute@arendt.com