Payments & E-Money Regulations in Luxembourg

🇱🇺 CSSF Consultation high

April 17th 2026

Public consultation by AMLA on the draft RTS on group-wide minimum requirements and additional measures for subsidiaries and branches in third countries

No description available.

AI Analysis

The CSSF publication highlights AMLA's public consultation on draft Regulatory Technical Standards (RTS) under Articles 16(4) and 17(3) of Regulation (EU) 2024/1624, specifying minimum group-wide AML/CFT requirements and additional measures for subsidiaries and branches in third countries. This matters because it aims to harmonize cross-border AML frameworks, ensuring groups maintain consolidated ML/TF risk views and robust controls, particularly in high-risk third-country operations, impacting EU financial groups' compliance structures. Private sector input is encouraged to align standards with practical operations.[https://www.cssf.lu/en/Document/public-consultation-by-amla-on-the-draft-rts-on-group-wide-minimum-requirements-and-additional-measures-for-subsidiaries-and-branches-in-third-countries/][https://www.amla.europa.eu/amla-consults-group-wide-requirements-and-business-wide-risk-assessment_en]

What Changed

- Group-wide AML/CFT frameworks: Establishes minimum standards for design and implementation across groups, including cross-border structures and third-country operations, to enable consolidated...
Third-country subsidiaries and branches: Introduces additional measures for entities in non-EU countries, extending requirements beyond traditional groups to other...
Information sharing and parent identification: Defines provisions for intra-group data sharing and criteria to identify the EU parent undertaking when multiple entities report to a third-country head...
Interlinked mandates: Cross-references obligations between Articles 16(4) and 17(3) for complementary requirements on organizational...

Suggested Considerations

Register for 20 May 2026 public hearing to engage directly on practical application across group structures.[https://www.amla.europa.eu/events/public-hearing-draft-rts-group-wide-minimum-requirements-and-additional-measures-subsidiaries-and-2026-05-20_en]
Assess current group-wide AML/CFT frameworks against proposed minimums, identifying gaps in third-country controls, risk consolidation, and data sharing protocols.

Compliance Impact

Urgency: High – Firms with third-country exposure must act now on consultation (closes 15 July 2026) to influence final RTS, as these will mandate binding minimums for group-wide AML/CFT, potentially requiring significant framework overhauls for risk consolidation and controls. Non-engagement risks misaligned systems post-adoption, increasing supervisory scrutiny under harmonized EU standards; early assessment prevents rushed...

References

AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting. Full disclaimer.

Sectors:

Topics:

AML / Financial Crime Reporting & Disclosure Senior Managers / Governance

BankAsset ManagerPayment Provider

View Original

🇱🇺 CSSF Consultation high

April 17th 2026

Public consultation by AMLA on the draft Guidelines on business-wide risk assessment

No description available.

AI Analysis

AMLA has launched a public consultation on draft Guidelines for business-wide risk assessments (BWRA) under the new Anti-Money Laundering Regulation (EU 2024/1624), with submissions open until 15 July 2026. These guidelines establish minimum requirements for all obliged entities across financial and non-financial sectors to systematically identify and manage money laundering and terrorist financing risks inherent to their operations.

What Changed

The draft Guidelines introduce four minimum requirements for conducting adequate business-wide risk assessments applicable to all obliged entities. The framework mandates that entities:
Identify risk exposure across their business model, customers, products, services, transactions, delivery channels, and geographical exposure
Maintain consolidated risk views across group structures, eliminating silos between branches and subsidiaries
Utilize internal and external data sources to build comprehensive risk landscapes, including monitoring customer behavior changes and tracking international typologies
Apply proportionality based on entity size, business model, and risk profile, while ensuring consistent application of policies across the organization The guidelines specifically address evaluation...

Suggested Considerations

*Immediate (by 15 July 2026):
Review draft Guidelines and assess alignment with current BWRA practices
Identify gaps between existing risk assessment frameworks and proposed minimum requirements
Prepare formal consultation responses, particularly if your organization operates in non-financial sectors
Register for relevant public hearings (28 May for BWRA Guidelines; 20 May for group-wide RTS) to engage directly with AMLA

Key Dates

Later in 2026

- Final adoption of guidelines and technical standards

16 April 2026

- Consultation launched

20 May 2026, 10:00–12:00 CET

- Public hearing on draft RTS on group-wide requirements

28 May 2026, 10:00–12:00 CET

- Public hearing on draft Guidelines on business-wide risk assessment

15 July 2026 DEADLINE

- Consultation deadline for submissions

Compliance Impact

Urgency: HIGH

References

AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting. Full disclaimer.

Sectors:

Banking & Credit Investment Management Payments & E-Money

Topics:

AML / Financial Crime Operational Resilience / Outsourcing Senior Managers / Governance

All Firms

View Original

🇱🇺 CSSF Warning high

April 15th 2026

Warning concerning fraudulent activities by persons misusing the name of Coinbase Luxembourg S.A.

No description available.

Sectors:

Crypto & Digital Assets Payments & E-Money

Topics:

AML / Financial Crime Consumer Protection / Conduct Authorisation & Licensing

Crypto ExchangeFintechPayment Provider

View Original

🇱🇺 CSSF Guidance high

April 1st 2026

Circular CSSF 26/909

Application of the Guidelines of the European Securities and Markets Authority for the criteria on the assessment of knowledge and competence under the Markets in Crypto Assets Regulation (MiCA) (ESMA35-24871704-2922)

AI Analysis

Circular CSSF 26/909 specifies how the CSSF applies ESMA's Guidelines (ESMA35-24871704-2922) for assessing **knowledge and competence** criteria under MiCA, targeting staff involved in crypto-asset services. It matters because it enforces MiCA's staff certification requirements, ensuring Luxembourg CASPs meet EU-wide standards for consumer protection and operational integrity amid the full MiCA rollout on 30 December 2024.

What Changed

- Adoption of ESMA Guidelines: CSSF mandates application of ESMA's criteria for evaluating staff knowledge and competence in crypto-asset services, including roles in custody, trading, portfolio...
Assessment Framework: Firms must implement standardized tests and processes to verify staff qualifications, aligning with MiCA Article 62 on CASP authorization, focusing on technical crypto...
No New Standalone Rules: This circular builds on prior CSSF MiCA circulars (e.g., 25/890 on crypto-asset classification), integrating competence checks into licensing dossiers and ongoing supervision.

Suggested Considerations

Assess Staff Competence: Implement ESMA-guided evaluations (e.g., exams, certifications) for all relevant personnel handling crypto services; document results in governance frameworks.
Update Policies and Training: Integrate competence criteria into HR, onboarding, and annual reviews; roll out MiCA-specific training on reporting, breaches, and governance.
Licensing Dossier Enhancement: Include competence attestations in CSSF applications; appoint dedicated compliance/risk officers with verified qualifications.
Ongoing Monitoring: Conduct regular audits, penetration tests, and incident planning; confirm compliance annually via management body statements.
Early CSSF Engagement: Schedule dialogues and info sessions; create MiCA readiness scorecards for board and regulator discussions.

Key Dates

1 April 2026

Circular CSSF 26/909 published; immediate application of ESMA competence guidelines.; [User-provided content]

Compliance Impact

Urgency: High – With publication today (1 April 2026) and MiCA's CASP regime live since 30 December 2024, firms face immediate supervisory scrutiny during licensing and VASP transitions ending 1 July 2026. Non-compliance risks authorization denial, enforcement, or operational halts, especially as CSSF audits dossiers for competence gaps amid Luxembourg's role as MiCA hub.

References

AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting. Full disclaimer.

Sectors:

Crypto & Digital Assets Capital Markets & Trading Payments & E-Money

Topics:

Authorisation & Licensing Senior Managers / Governance Consumer Protection / Conduct

Crypto ExchangeBankFintech

View Original

🇱🇺 CSSF News low

March 19th 2026

Notification form for updating payment institutions/electronic money institutions information

No description available.

Sectors:

Payments & E-Money

Topics:

Authorisation & Licensing

Payment Provider

View Original

🇱🇺 CSSF Warning high

March 13th 2026

Warning concerning the website www.vivid-money.lu

No description available.

Sectors:

Payments & E-Money

Topics:

AML / Financial Crime Consumer Protection / Conduct Authorisation & Licensing

FintechPayment Provider

View Original

🇱🇺 CSSF Guidance critical

February 18th 2026

Annex of Circular CSSF 22/822

1) high-risk jurisdictions on which enhanced due diligence and, where appropriate, counter-measures are imposed2) jurisdictions under increased monitoring of the FATFVersion of 17 February 2026

AI Analysis

The Annex of Circular CSSF 22/822 (Version of 17 February 2026) is Luxembourg's Commission de Surveillance du Secteur Financier's implementation guidance on FATF (Financial Action Task Force) designations of high-risk jurisdictions requiring enhanced due diligence and counter-measures, as well as jurisdictions under increased monitoring. This document is critical for Luxembourg-regulated financial institutions because it operationalizes international AML/CFT standards into binding compliance obligations, directly impacting customer acceptance, transaction monitoring, and correspondent banking relationships.

AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting. Full disclaimer.

Sectors:

Banking & Credit Investment Management Payments & E-Money

Topics:

AML / Financial Crime Reporting & Disclosure

BankAsset ManagerPayment Provider

View Original

🇱🇺 CSSF News medium

February 17th 2026

DORA – Submission timeframe for register of information for third-country branches of credit institutions having their head office in a third country

No description available.

Sectors:

Banking & Credit Payments & E-Money

Topics:

Reporting & Disclosure Operational Resilience / Outsourcing

BankPayment Provider

View Original

🇱🇺 CSSF Guidance high

February 12th 2026

Circular letter

AML/CFT standardised data collection taking place in 2026

AI Analysis

The CSSF Circular Letter 2026-02-12 announces a standardized data collection exercise on AML/CFT for supervised entities, scheduled for 2026, aimed at enhancing regulatory oversight of money laundering and terrorist financing risks. This matters because it signals intensified CSSF scrutiny on AML/CFT compliance, requiring firms to prepare structured data submissions that could inform future supervisory actions, risk assessments, and enforcement. As part of broader CSSF AML/CFT initiatives, non-compliance risks fines or heightened inspections.

What Changed

- Introduction of standardized AML/CFT data collection: CSSF mandates uniform reporting formats for collecting data on AML/CFT risks, controls, and practices across supervised sectors, building on...
Alignment with ongoing AML/CFT enhancements: Complements recent governance-focused circulars (e.g., Circular 26/906 on central administration and risk management for payment/e-money institutions) by...
No explicit new obligations beyond preparation for data submission, but implies deeper integration of tax-related AML indicators and sub-sector risk updates, as seen in related CSSF activities.

Suggested Considerations

Assess and document AML/CFT data readiness: Inventory current risk assessments, transaction monitoring logs, KYC processes, SAR filings, and third-party oversight records in standardized formats; map to proportionality factors (e.g., transaction volumes, outsourcing).
Update governance and controls: Ensure compliance functions have independence, direct board reporting, and audit coverage of AML/CFT; test ICT resilience for monitoring continuity.
Conduct internal reviews: Perform gap analyses against Circular 26/906 (e.g., fund safeguarding, escalation protocols) and recent conference topics (e.g., terrorist financing, tax indicators); remediate deficiencies with board-approved plans.
Prepare for submission: Designate resources for data compilation; cooperate fully with CSSF/FIU requests, including transfer-of-funds information under EU 2015/847.
Engage auditors: Leverage approved auditors for validation of AML/CFT effectiveness ahead of collection.

Key Dates

2026 (exact date TBD) DEADLINE

AML/CFT standardised data collection exercise; Firms must submit required data during this period; preparation recommended immediately given today's date (12 February 2026)

20 January 2026 DEADLINE

Issuance of related Circular 26/906; Establishes governance baselines (e.g., compliance independence, risk proportionality) informing data collection expectations

26 January 2026

CSSF AML/CFT Conference for Specialised PFS; Provided updates on sub-sector risks, terrorist financing reviews, and FIU insights relevant to data preparation

28 January 2026 DEADLINE

Conference materials published; Available for download to guide compliance alignment

Compliance Impact

Urgency: High – With data collection in 2026 underway today (12 February 2026), firms face immediate preparation needs amid recent enforcement (e.g., EUR 102,000 fine on depositary for AML-related gaps) and conferences signaling sub-sector focus. This elevates AML/CFT as a supervisory priority, potentially triggering on-site inspections, fines, or remediation orders for inadequate data/risks; proactive alignment prevents escalation in a risk-based regime.

References

AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting. Full disclaimer.

Sectors:

Banking & Credit Payments & E-Money Investment Management

Topics:

AML / Financial Crime Reporting & Disclosure Senior Managers / Governance

BankPayment ProviderAll Firms

View Original

🇱🇺 CSSF Guidance high

February 11th 2026

Guidance for interpretation and resolution of CSSF error messages related to the submission of the DORA register

Guidance allowing financial entities to identify the National Competent Authority to which their register of information has to be submitted.

AI Analysis

This CSSF guidance document, published on 11 February 2026, provides detailed explanations and resolution steps for error messages encountered during the submission of the DORA Register of Information (RoI) via the eDesk portal, specifically for the 2026 submission cycle. It matters because it enables Luxembourg financial entities to ensure compliant submissions amid enhanced validation checks on more data fields, avoiding re-submission delays and supporting timely transmission to the ESAs by CSSF deadlines. Non-compliance risks supervisory scrutiny under DORA's ICT risk management framework.

What Changed

- Enhanced validation checks for the 2026 RoI submission: Applies ESA-defined checks (last updated April 2025) to more data fields to improve data quality, compared to prior cycles.
Specific error resolutions detailed, including requirements for LEI code communication to CSSF beforehand, correct reference date ('2025-12-31') in file naming, plain-CSV files in predefined .zip...
Mandatory inclusion of all tables (even empty) in FilingIndicators.csv set to 'true', with matching identification codes across parent-child records.
Builds on prior CSSF guides, emphasizing eDesk role "DORA Reporting" assignment and ESAs' technical standards. No new regulatory requirements under DORA itself; this refines technical submission...

Suggested Considerations

Assign "DORA Reporting" role in eDesk to dedicated employee(s) per user guide.
Communicate LEI code to CSSF line supervisor prior to first submission to enable upload.
Prepare RoI in plain-CSV files within .zip following ESAs' folder structure/file naming (reference date '2025-12-31'); include all tables in FilingIndicators.csv (even empty, set to 'true').
Test submissions against listed error codes (e.g., ICTO007 for LEI, identification mismatches); resolve per guidance sections (e.g., Sections 3.2.2, 5.1.2, 6).
Consult ESAs' EBA resources (data point model, validation rules, FAQs) and CSSF guides (e.g., submission guide, guidance tables).

Key Dates

30 April 2025 DEADLINE

- CSSF re-submission deadline post-validation for 2025; analogous for 2026 if errors detected

May 2025

- ESAs' second-round validation for 2025; expect similar for 2026 with potential re-submissions

1 April 2025 to 15 April 2025

- Initial 2025 submission window via eDesk (for context; 2026 window likely similar, pending confirmation)

31 December 2025

- Reference date for 2026 RoI submission (all contractual arrangements up to this date)

11 February 2026

- Publication date of this error guidance (last updated 10/02/2026)

Compliance Impact

Urgency: High - Published today (11 February 2026), this equips firms for imminent 2026 RoI submissions (reference date 31 December 2025), with stricter validations on expanded fields risking rejections/re-submissions. Matters for operational resilience compliance under DORA Article 28, as accurate RoI supports supervisory oversight of ICT third-party risks; delays could trigger CSSF/ESA follow-up or fines. Firms with prior 2025 issues (e.g., portal extensions to May 2025) must prioritize to avoid recurrence.

References

AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting. Full disclaimer.

Sectors:

Banking & Credit Investment Management Payments & E-Money

Topics:

Operational Resilience / Outsourcing Technology & Cyber Reporting & Disclosure

BankFintechPayment Provider

View Original

🇱🇺 CSSF News medium

February 9th 2026

PSD2 - PSP ICT Assessment – 2026 Campaign related to the financial year 2025

No description available.

Sectors:

Payments & E-Money

Topics:

Reporting & Disclosure Operational Resilience / Outsourcing

Payment Provider

View Original

🇱🇺 CSSF News medium

February 2nd 2026

Outcomes of the 2025 SFTR Data Quality indicators review

The CSSF informs the market regarding the outcomes of the SFTR Data Quality indicators review performed in 2025

Sectors:

Banking & Credit Capital Markets & Trading Payments & E-Money

Topics:

Reporting & Disclosure Prudential / Capital Requirements Operational Resilience / Outsourcing

BankBroker DealerPayment Provider

View Original

🇱🇺 CSSF News medium

January 20th 2026

Publication of the update of the ML/FT Sub-Sector Risk Assessment on Specialised Professionals of the Financial Sector providing corporate services (trust and company service provider activities)

No description available.

Sectors:

Banking & Credit Wealth & Private Banking Payments & E-Money

Topics:

AML / Financial Crime Authorisation & Licensing Reporting & Disclosure

BankWealth ManagerPayment Provider

View Original

🇱🇺 CSSF Guidance high

January 20th 2026

New Circular CSSF 26/906 “Central administration, internal governance and risk management” applicable to payment and electronic money institutions

No description available.

AI Analysis

CSSF Circular 26/906, published on 20 January 2026, establishes detailed requirements for central administration, internal governance, and risk management for payment institutions (PIs) and electronic money institutions (EMIs) in Luxembourg, repealing prior circulars IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155. It clarifies application of the amended Law of 10 November 2009 on payment services, emphasizing robust governance amid sector growth to ensure safety, efficiency, and trust. This matters for compliance as it mandates comprehensive reviews and updates to governance frameworks by mid-2026, addressing rising transaction volumes.

What Changed

The circular consolidates and updates governance rules, focusing on:
Management bodies: Responsibilities, composition, qualifications, organization, and functioning, including CSSF authorization of members based on professional experience, standing (e.g., police...
Internal control functions: Responsibilities, characteristics, organization, and execution of work for compliance officers and internal auditors, with notifications to CSSF including detailed...
Conflicts of interest: Key requirements for a management policy applicable to all staff and management body members.
New product approval: Defined key steps in the process.

Suggested Considerations

Gap analysis: Assess current frameworks against circular requirements on management bodies, internal controls, conflicts of interest, product approval, and fund safeguarding.
Updates and notifications: Review/revise governance arrangements (e.g., policies, structures); notify CSSF of management body members, compliance officers, and internal auditors with required documentation (professional experience, police records, etc.).
Implementation: Establish robust risk identification/management/monitoring/reporting processes, internal controls, and proportional arrangements (e.g., IT, outsourcing).
Documentation: Develop conflicts policy, new product approval procedures, and safeguarding rules; ensure management body authorization.
Ongoing: Maintain sound/prudent management amid growth; integrate with Law of 10 November 2009 requirements.

Key Dates

20 January 2026

- Publication date of Circular CSSF 26/906

30 June 2026 DEADLINE

- Compliance deadline: Institutions must assess/review central administration, internal governance, and risk management frameworks to ensure full compliance

Compliance Impact

Urgency: High - With ~5 months from publication (20 Jan 2026) to compliance (30 Jun 2026), firms face tight timelines for assessments, policy overhauls, and CSSF notifications, especially given repealed circulars and sector growth pressures. Non-compliance risks supervisory actions, as this fosters "sound and prudent management" in a high-volume industry; proactive reviews are essential to avoid disruptions.

References

AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting. Full disclaimer.

Sectors:

Payments & E-Money

Topics:

Senior Managers / Governance Operational Resilience / Outsourcing

Payment ProviderFintech

View Original

🇱🇺 CSSF Guidance high

January 20th 2026

Circular CSSF 26/906

Central administration, internal governance and risk management

AI Analysis

Circular CSSF 26/906, published on 20 January 2026, consolidates and clarifies Luxembourg's rules on central administration, internal governance, and risk management specifically for payment institutions, electronic money institutions, and account information service providers. It repeals prior circulars (IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155) to address growth in transaction volumes by mandating robust governance, control functions, and risk processes, enhancing safety, efficiency, and trust in these services. This matters for compliance professionals as it strengthens defenses against financial crime, operational risks, and supervisory scrutiny in a high-growth sector.

What Changed

- Consolidation and repeal: Replaces outdated circulars with unified requirements under the amended Law of 10 November 2009 on payment services, covering central administration (decision-making must...
Governance enhancements: Board approves strategy, risk appetite, AML/CFT policies, outsourcing, and information security; management implements via procedures; proportionality based on business...
Operational controls: Strict access to systems (need-to-know, least-privilege, 4-eyes validation); counterparty due diligence for custodians/insurers; full responsibility for agents, distributors,...
AML/CFT focus: Elevates compliance function independence, direct board reporting, risk-based resourcing, and oversight of third parties/opaque structures to close gaps exploited by criminals.

Suggested Considerations

Assess and update governance frameworks: Review central administration location, board/management responsibilities, risk strategy, AML/CFT policies, compliance charter, and funds safeguarding principles to align with the circular.
Confirm control functions: Ensure compliance function (CCO) has independence, resources, direct board access, and authority for investigations; justify/secure CSSF approval for part-time/dual roles.
Implement operational safeguards: Establish daily reconciliations (or justified weekly), segregation/insurance for client funds, system access controls (4-eyes, board validation for significant movements), and third-party due diligence/monitoring.
Document proportionality: Tailor governance to business risks (staff, volumes, products, outsourcing); update new product approval, conflicts policies, and business continuity/incident reporting.
Retain records and report: Board-approve all key policies; prepare for CSSF inspections on outsourcing (per Circular CSSF 22/806) and ICT risks.

Key Dates

20 January 2026

Publication date of Circular CSSF 26/906

30 June 2026 DEADLINE

Compliance deadline; Institutions must assess, review, and ensure their central administration, internal governance, and risk management frameworks fully comply with the circular

Compliance Impact

Urgency: High – With a 30 June 2026 deadline (five months from publication), firms face immediate pressure to review and remediate governance gaps amid sector growth and heightened AML/CFT scrutiny; non-compliance risks supervisory actions, fines, or license issues, especially as it closes criminal exploitation vectors like weak controls and third-party risks.

References

AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting. Full disclaimer.

Sectors:

Payments & E-Money

Topics:

Senior Managers / Governance AML / Financial Crime Operational Resilience / Outsourcing

Payment Provider

View Original

🇱🇺 CSSF Enforcement high

January 12th 2026

Population concerned by the enforcement

No description available.

AI Analysis

This CSSF publication, dated January 12, 2026, identifies the specific population (likely a firm or individual) subject to an enforcement action, such as an administrative sanction, as part of the CSSF's transparency in supervisory measures. It matters because it signals CSSF's active enforcement priorities, potentially in areas like AML or reporting failures, enabling firms to assess similar risks in their operations and strengthen compliance to avoid parallel actions. Published amid rising focus on financial crime typologies like sexual extortion, it underscores the regulator's commitment to public accountability.

AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting. Full disclaimer.

Sectors:

Banking & Credit Payments & E-Money

Topics:

AML / Financial Crime Reporting & Disclosure Authorisation & Licensing

BankPayment ProviderAll Firms

View Original

🇱🇺 CSSF Guidance high

December 24th 2025

Circular CSSF-CPDI 25/49

Survey on the amount of covered deposits held on 31 December 2025

AI Analysis

Circular CSSF-CPDI 25/49 is a **mandatory quarterly reporting requirement** for Luxembourg credit institutions and postal financial service providers to submit data on covered deposits as of December 31, 2025. This survey directly feeds into the Single Resolution Fund's annual target level calculation and the Luxembourg deposit guarantee scheme's contribution assessments, making it essential for regulatory compliance and fund management.

AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting. Full disclaimer.

Sectors:

Banking & Credit Payments & E-Money

Topics:

Reporting & Disclosure Prudential / Capital Requirements

BankPayment Provider

View Original

🇱🇺 CSSF Enforcement high

August 18th 2025

Circular CSSF 25/896

Adoption of the EBA Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (sanctions)

AI Analysis

Circular CSSF 25/896 adopts the EBA Guidelines EBA/GL/2024/14 and EBA/GL/2024/15, mandating Luxembourg financial institutions to establish robust internal policies, procedures, and controls for complying with EU and national restrictive measures (sanctions). This matters because it sets binding EU-wide standards to prevent sanctions violations and circumvention, with absolute obligations for immediate asset freezing and reporting, amid escalating geopolitical tensions.

What Changed

- Institutions must develop, implement, and maintain up-to-date policies, procedures, and controls for identifying, investigating, and applying restrictive measures without delay, including risk...
Management body responsibilities expanded: approve sanctions compliance strategy, oversee implementation, conduct at least annual assessments of exposure and controls, ensure remedial actions, and...
Screening and monitoring requirements: Maintain updated sanctions lists with immediate integration of changes; screen customer base, transactions, and datasets accurately; enable immediate...
Training and testing: Deliver regular, documented role-specific training; perform ongoing system testing for screening calibration, list accuracy, transaction monitoring effectiveness, and reporting.
Proportionality applies based on institution's size, activities, and exposure; PSPs and CASPs explicitly addressed with tailored controls.

Suggested Considerations

Conduct annual exposure assessments to sanctions risks and circumvention; update policies accordingly.
Appoint senior management/board-level responsibility for approving and overseeing sanctions strategy, including annual reviews and deficiency reporting.
Implement reliable screening systems for customers, transactions, and lists; define screenable datasets; test systems regularly for effectiveness (e.g., immediate freezing, accurate hits).
Provide documented training to relevant staff on sanctions, institutional exposure, and internal processes.
Establish processes for immediate action on matches: suspend transfers, freeze assets, report to Ministry of Finance/CSSF/FIU without delay; maintain whitelists only under strict conditions.

Compliance Impact

Urgency: High – With less than 12 months until the 30 December 2025 deadline (as of January 2026), firms face binding requirements for absolute compliance, including personal accountability for management bodies; non-compliance risks enforcement by CSSF, reputational damage, and fines amid frequent EU sanctions updates (e.g., Regulations 2025/1469, 2025/1476). This elevates sanctions from operational task to strategic board priority.

References

AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting. Full disclaimer.

Sectors:

Banking & Credit Payments & E-Money Crypto & Digital Assets

Topics:

AML / Financial Crime Senior Managers / Governance Reporting & Disclosure

BankPayment ProviderCrypto Exchange

View Original