Payments & E-Money Regulations in Luxembourg

1) high-risk jurisdictions on which enhanced due diligence and, where appropriate, counter-measures are imposed2) jurisdictions under increased monitoring of the FATFVersion of 17 February 2026

AI Analysis

The Annex of Circular CSSF 22/822 (Version of 17 February 2026) is Luxembourg's Commission de Surveillance du Secteur Financier's implementation guidance on FATF (Financial Action Task Force) designations of high-risk jurisdictions requiring enhanced due diligence and counter-measures, as well as jurisdictions under increased monitoring. This document is critical for Luxembourg-regulated financial institutions because it operationalizes international AML/CFT standards into binding compliance obligations, directly impacting customer acceptance, transaction monitoring, and correspondent banking relationships.

Sectors:

Banking & Credit Investment Management Payments & E-Money

Topics:

AML / Financial Crime Reporting & Disclosure

BankAsset ManagerPayment Provider

View Original

🇱🇺 CSSF News medium

February 17th 2026

DORA – Submission timeframe for register of information for third-country branches of credit institutions having their head office in a third country

No description available.

Sectors:

Banking & Credit Payments & E-Money

Topics:

Reporting & Disclosure Operational Resilience / Outsourcing

BankPayment Provider

View Original

🇱🇺 CSSF Guidance high

February 12th 2026

Circular letter

AML/CFT standardised data collection taking place in 2026

AI Analysis

The CSSF Circular Letter 2026-02-12 announces a standardized data collection exercise on AML/CFT for supervised entities, scheduled for 2026, aimed at enhancing regulatory oversight of money laundering and terrorist financing risks. This matters because it signals intensified CSSF scrutiny on AML/CFT compliance, requiring firms to prepare structured data submissions that could inform future supervisory actions, risk assessments, and enforcement. As part of broader CSSF AML/CFT initiatives, non-compliance risks fines or heightened inspections.

What Changed

Introduction of standardized AML/CFT data collection: CSSF mandates uniform reporting formats for collecting data on AML/CFT risks, controls, and practices across supervised sectors, building on existing risk-based supervision frameworks. Alignment with ongoing AML/CFT enhancements: Complements recent governance-focused circulars (e.g., Circular 26/906 on central administration and risk management for payment/e-money institutions) by emphasizing data-driven validation of AML/CFT effectiveness, including risk assessments, transaction monitoring, and third-party oversight. No explicit new...

What You Need To Do

Assess and document AML/CFT data readiness
Update governance and controls
Conduct internal reviews
Prepare for submission
Engage auditors

Key Dates

2026 (exact date TBD) - AML/CFT standardised data collection exercise Firms must submit required data during this period; preparation recommended immediately given today's date (12 February 2026). DEADLINE

20 January 2026 - Issuance of related Circular 26/906 Establishes governance baselines (e.g., compliance independence, risk proportionality) informing data collection expectations. DEADLINE

26 January 2026 - CSSF AML/CFT Conference for Specialised PFS Provided updates on sub-sector risks, terrorist financing reviews, and FIU insights relevant to data preparation.

28 January 2026 - Conference materials published Available for download to guide compliance alignment. DEADLINE

Compliance Impact

Urgency: High – With data collection in 2026 underway today (12 February 2026), firms face immediate preparation needs amid recent enforcement (e.g., EUR 102,000 fine on depositary for AML-related gaps) and conferences signaling sub-sector focus. This elevates AML/CFT as a supervisory priority, potentially triggering on-site inspections, fines, or remediation orders for inadequate data/risks; proactive alignment prevents escalation in a risk-based regime.

References

Sectors:

Banking & Credit Payments & E-Money Investment Management

Topics:

AML / Financial Crime Reporting & Disclosure Senior Managers / Governance

BankPayment ProviderAll Firms

View Original

🇱🇺 CSSF Guidance high

February 11th 2026

Guidance for interpretation and resolution of CSSF error messages related to the submission of the DORA register

Guidance allowing financial entities to identify the National Competent Authority to which their register of information has to be submitted.

AI Analysis

This CSSF guidance document, published on 11 February 2026, provides detailed explanations and resolution steps for error messages encountered during the submission of the DORA Register of Information (RoI) via the eDesk portal, specifically for the 2026 submission cycle. It matters because it enables Luxembourg financial entities to ensure compliant submissions amid enhanced validation checks on more data fields, avoiding re-submission delays and supporting timely transmission to the ESAs by CSSF deadlines. Non-compliance risks supervisory scrutiny under DORA's ICT risk management framework.

What Changed

Enhanced validation checks for the 2026 RoI submission: Applies ESA-defined checks (last updated April 2025) to more data fields to improve data quality, compared to prior cycles. Specific error resolutions detailed, including requirements for LEI code communication to CSSF beforehand, correct reference date ('2025-12-31') in file naming, plain-CSV files in predefined .zip structure, and proper FilingIndicators.csv/parameters.csv content. Mandatory inclusion of all tables (even empty) in FilingIndicators.csv set to 'true', with matching identification codes across parent-child records. Builds...

What You Need To Do

Assign "DORA Reporting" role in eDesk to dedicated employee(s) per user guide
Communicate LEI code to CSSF line supervisor prior to first submission to enable upload
Prepare RoI in plain-CSV files within
Test submissions against listed error codes (e
Consult ESAs' EBA resources (data point model, validation rules, FAQs) and CSSF guides (e

Key Dates

31 December 2025 - Reference date for 2026 RoI submission (all contractual arrangements up to this date).

11 February 2026 - Publication date of this error guidance (last updated 10/02/2026).

1 April 2025 to 15 April 2025 - Initial 2025 submission window via eDesk (for context; 2026 window likely similar, pending confirmation).

30 April 2025 - CSSF re-submission deadline post-validation for 2025; analogous for 2026 if errors detected. DEADLINE

May 2025 - ESAs' second-round validation for 2025; expect similar for 2026 with potential re-submissions.

Compliance Impact

Urgency: High - Published today (11 February 2026), this equips firms for imminent 2026 RoI submissions (reference date 31 December 2025), with stricter validations on expanded fields risking rejections/re-submissions. Matters for operational resilience compliance under DORA Article 28, as accurate RoI supports supervisory oversight of ICT third-party risks; delays could trigger CSSF/ESA follow-up or fines. Firms with prior 2025 issues (e.g., portal extensions to May 2025) must prioritize to avoid recurrence.

Adoption of the EBA Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (sanctions)

AI Analysis

Circular CSSF 25/896 adopts the EBA Guidelines EBA/GL/2024/14 and EBA/GL/2024/15, mandating Luxembourg financial institutions to establish robust internal policies, procedures, and controls for complying with EU and national restrictive measures (sanctions). This matters because it sets binding EU-wide standards to prevent sanctions violations and circumvention, with absolute obligations for immediate asset freezing and reporting, amid escalating geopolitical tensions.

What Changed

Institutions must develop, implement, and maintain up-to-date policies, procedures, and controls for identifying, investigating, and applying restrictive measures without delay, including risk management for violations and circumvention. Management body responsibilities expanded: approve sanctions compliance strategy, oversee implementation, conduct at least annual assessments of exposure and controls, ensure remedial actions, and report deficiencies. Screening and monitoring requirements: Maintain updated sanctions lists with immediate integration of changes; screen customer base,...

What You Need To Do

Conduct annual exposure assessments to sanctions risks and circumvention; update policies accordingly
Appoint senior management/board-level responsibility for approving and overseeing sanctions strategy, including annual reviews and deficiency reporting
Implement reliable screening systems for customers, transactions, and lists; define screenable datasets; test systems regularly for effectiveness (e
Provide documented training to relevant staff on sanctions, institutional exposure, and internal processes
Establish processes for immediate action on matches: suspend transfers, freeze assets, report to Ministry of Finance/CSSF/FIU without delay; maintain whitelists only under strict conditions

Compliance Impact

Urgency: High – With less than 12 months until the 30 December 2025 deadline (as of January 2026), firms face binding requirements for absolute compliance, including personal accountability for management bodies; non-compliance risks enforcement by CSSF, reputational damage, and fines amid frequent EU sanctions updates (e.g., Regulations 2025/1469, 2025/1476). This elevates sanctions from operational task to strategic board priority.

References

Sectors:

Banking & Credit Payments & E-Money Crypto & Digital Assets

Topics:

AML / Financial Crime Senior Managers / Governance Reporting & Disclosure

BankPayment ProviderCrypto Exchange

View Original