Press release 26/07
Bank
No description available.
Asset ManagerWealth ManagerBank
No description available.
BankWealth ManagerAll Firms
No description available.
BankWealth ManagerAsset Manager
Table listing the professional activities and the mandates performed
This CSSF publication is an updated table (in XLSX format) listing standardized professional activities and mandates for members of the management body/governing body and conducting officers, as required under points 105 and 107 of Circular CSSF 18/698. It matters because it ensures consistent, transparent reporting of senior personnel roles in Luxembourg investment fund managers (IFMs), supporting governance, conflict-of-interest management, and CSSF supervisory oversight. Compliance professionals must use this list to standardize disclosures in authorization files and ongoing reporting.
What Changed
The document was originally published on 14 January 2019 and updated on 12 March 2026, reflecting revisions to the predefined list of professional activities and mandates[Source URL]. Key aspects include:
Alignment with Circular CSSF 18/698 requirements for IFMs (management companies for UCIs and AIFs), specifying reportable roles like those in collective portfolio management, risk management, valuation, compliance, internal audit, and IT operations.
Emphasis on detailed documentation of mandates to demonstrate fitness, properness, and avoidance of conflicts, including for shareholders with...
What You Need To Do
- Download and use the XLSX table
- Update authorization and notification files
- Conduct fit-and-proper assessments
- Annual compliance review
- Policy updates
Key Dates
14 January 2019 - Original publication of the list.
23 August 2018 - Publication of underlying Circular CSSF 18/698, setting baseline requirements.
End of May (post-financial year) - Compliance deadline for Circular 18/698 obligations, including governance reporting (e.g., 5 months after year-end). DEADLINE
12 March 2026 - Latest update to the list, requiring immediate review and integration into reporting processes[Source URL].
Compliance Impact
Urgency: High – The March 12, 2026 update coincides with today's date, demanding immediate review to avoid supervisory findings during CSSF inspections or authorization processes. Non-compliance risks authorization delays, fines, or reputational damage, as Circular 18/698 emphasizes robust governance in a heightened scrutiny environment for IFMs (e.g., delegate oversight, AML).
Asset ManagerBankAll Firms
Administrative sanction imposed on a réviseur d’entreprises agréé
The CSSF imposed an administrative sanction on 2 December 2025 against an approved statutory auditor (*réviseur d’entreprises agréé*) for breaches of professional obligations, likely related to continuing education requirements under Luxembourg's Audit Law, mirroring patterns in recent similar cases. This enforcement action underscores the CSSF's rigorous oversight of audit professionals, emphasizing compliance with ongoing training mandates to maintain audit quality and market integrity. Compliance professionals should note it as evidence of heightened scrutiny on non-delegable professional duties.
What Changed
This is not a regulatory change or new requirement but an enforcement action applying existing rules under point f) of Article 43(1) read with point a) of Article 43(2) and Article 44 of the Law of 23 July 2016 on the audit profession (Audit Law), alongside CSSF Regulation N°16-10 on continuing education.
What You Need To Do
- Immediate self-audit
- Remediation plan
- Internal training programs
- Fit-and-proper reviews
- Record retention
Key Dates
2 December 2025 - Date of administrative sanction imposition by CSSF.
6 March 2026 - Publication date of the sanction notice (today's date, aligning with CSSF practice for transparency under Article 48(2) of the Audit Law).
31 December 2024 - Likely reference period end for continuing education non-compliance (inferred from identical prior case). DEADLINE
Compliance Impact
Urgency: Medium. This matters as a signal of CSSF's proactive controls on auditor CPE, with fines starting at EUR 1,500 for initial breaches but scaling with severity/duration; repeated actions (e.g., multiple 2025 sanctions) indicate rising enforcement tempo, risking broader audit ecosystem scrutiny. Affected parties face direct fines and reputational harm, while others must prioritize CPE to avoid chain-reaction liabilities in financial reporting.
All Firms
Administrative sanction imposed on a réviseur d’entreprises agréé
The CSSF imposed an administrative sanction on 2 December 2025 against an approved statutory auditor (*réviseur d’entreprises agréé*) for breaches of professional obligations, likely related to continuing education requirements under Luxembourg's Audit Law, mirroring patterns in recent similar cases. This enforcement action underscores the CSSF's rigorous oversight of audit professionals, emphasizing compliance with ongoing training mandates to maintain audit quality and market integrity. Compliance professionals should note it as evidence of heightened scrutiny on non-compliance with minimum continuing education hours.
What Changed
No new regulatory changes are introduced; this is an enforcement action applying existing rules under point f) of Article 43(1) read with point a) of Article 43(2) and Article 44 of the Law of 23 July 2016 concerning the audit profession (Audit Law), alongside CSSF Regulation N°16-10 on continuing education for statutory auditors. Breaches typically involve failing to meet the minimum total hours of continuing education by the reference period end (e.g., December 31, 2024, as in a comparable August 2025 case).
What You Need To Do
- Statutory auditors must immediately verify compliance with Article 3(1) of CSSF Regulation N°16-10, ensuring minimum continuing education hours are met for relevant periods
- Audit firms should conduct internal audits of training logs and implement remediation plans, including supplementary training if deficits exist
- All affected parties must report any identified breaches to CSSF proactively and retain evidence of corrective actions, as CSSF controls under Article 10 of the Audit Law can trigger fines
Key Dates
2 December 2025 - Date of administrative sanction imposition by CSSF.
6 March 2026 - Publication date of the sanction notice.
31 December 2024 - Reference period end for continuing education compliance (inferred from similar case). DEADLINE
Compliance Impact
Urgency: Medium. This matters due to the pattern of CSSF enforcement on audit continuing education (e.g., EUR 1,500 fine in August 2025 case for similar breaches), signaling ongoing supervisory controls that could expand to on-site inspections. Non-compliance risks fines, public naming (or anonymous publication per Article 48(2) Audit Law), and reputational damage, but lacks immediate firm-wide deadlines, reducing to medium urgency for proactive reviews.
All Firms
No description available.
BankWealth ManagerAll Firms
Administrative sanction imposed on an investment firm
The CSSF imposed an administrative sanction on 8 October 2025 against an unnamed investment firm, as detailed in a publication released on 4 March 2026. This enforcement action underscores CSSF's rigorous oversight of investment firms, particularly in areas like AML/CFT compliance, conduct rules, and organizational requirements, serving as a warning for similar entities to strengthen cooperation and internal controls. It matters because it highlights escalating fines for repeated or material breaches, potentially influencing supervisory expectations across Luxembourg's financial sector.
What Changed
No new regulatory changes or requirements are introduced; this is an enforcement action applying existing rules. Based on patterns in the provided CSSF sanction documents, the sanction likely addresses breaches such as:
Failure to cooperate with CSSF requests, e.g., not submitting required AML/CFT questionnaires by deadlines, violating Article 5(1) of the amended Law of 12 November 2004 on AML/CFT.
Non-compliance with investment policies, organizational requirements, or conduct rules under the UCI Law (e.g., Articles 41, 43, 109), including improper broker exposures or valuation...
What You Need To Do
- Enhance cooperation protocols
- Review investment compliance
- Strengthen governance
- Training and monitoring
- Self-reporting
Key Dates
4 April 2025 - Deadline for submitting CSSF AML/CFT Questionnaire (breach example from similar case). DEADLINE
11 September 2025 - Date of fine imposition in comparable AIFM non-cooperation case.
16 July 2025 - Date of fine imposition for UCITS investment policy breaches.
8 October 2025 - Date of the sanction in question.
10 January 2025 - Date of prior depositary oversight fine.
Compliance Impact
Urgency: High - This matters due to CSSF's pattern of publicizing nominative sanctions (e.g., Max Gain Capital, Zeus Asset Management), signaling increased scrutiny on investment firms amid AML/CFT and conduct risks. Fines (EUR 10,000–127,500) represent material hits (up to 10% of turnover), with factors like poor cooperation amplifying penalties; firms with similar exposures face elevated inspection risk, especially post-2025 enforcement wave.
Asset ManagerBroker DealerWealth Manager
No description available.
The CSSF published guidance on 2 March 2026 specifying minimum documents and information required for assessing shareholding structures of authorised Investment Fund Managers (IFMs) during initial authorisation and subsequent modifications, covering both qualified and non-qualified shareholders. This matters because incomplete submissions will not be processed, potentially delaying authorisations or amendments amid ongoing CSSF scrutiny of governance and ownership in Luxembourg's fund sector.
What Changed
Minimum Document Requirements: Establishes a mandatory list of documents for each new shareholder candidate, differentiated by type (e.g., natural person, legal person, beneficial owner, direct/indirect qualified/unqualified shareholders, legal arrangements like trusts). Examples include identification documents (ID, CV, DH, CR), beneficial owner details (especially if PEP or CSSF-requested), and templates via Market Entry Form (MEF).
Additional Mandatory Submissions: For changes involving qualified holdings (entry, increase/decrease, removal), requires updated group structure charts, MEF (in...
What You Need To Do
- Review Guidance
- Prepare Complete Packages
- Submit Fully
- Internal Processes
Key Dates
2 March 2026 - Publication and effective date Guidance applies immediately; incomplete applications received on/after this date will not start processing until complete.
Compliance Impact
Urgency: High – Effective immediately on publication (2 March 2026), with strict non-processing of incomplete files risking significant delays in time-sensitive authorisations/amendments. Matters for maintaining operational timelines in competitive fund markets, where CSSF oversight of IFM ownership ties to broader governance expectations (e.g., board composition, qualifications).
Asset Manager
Version 1.0
This CSSF guidance (Version 1.0, published 2 March 2026) specifies the minimum documents and information required for assessing shareholding structures of authorised Investment Fund Managers (IFMs) during initial authorisation or modifications involving qualified and non-qualified shareholders. It standardises submissions to ensure completeness, with incomplete applications rejected until fully provided, enhancing regulatory efficiency and scrutiny of ownership changes. Compliance professionals must prioritise this to avoid delays in authorisation processes for Luxembourg-domiciled IFMs.
What Changed
Minimum Document Lists: Introduces detailed checklists in an XLSX format covering candidate shareholder documents (e.g., ID, CV, declarations of honour (DH), criminal records (CR) for natural persons; similar for legal persons, beneficial owners, and legal arrangements like trusts).
Differentiation by Shareholder Type: Requirements vary by natural/legal person, beneficial owner, direct/indirect qualified/unqualified shareholders, and involvement in financing (e.g., "Yes, if PEP or if requested by the CSSF" for beneficial owners; full docs for trustees in legal arrangements).
Other Mandatory...
What You Need To Do
- Prepare Complete Packages
- Submit Core Items
- Initial/Modification Filings
Key Dates
2 March 2026 - Publication and immediate applicability New guidance effective; incomplete applications received on/after this date not processed until complete.
Compliance Impact
Urgency: High – Immediate effect from 2 March 2026 means any ongoing or planned IFM authorisation/modification applications risk delays or rejection if non-compliant, potentially disrupting fund launches or ownership restructurings in Luxembourg's key investment management hub. Matters due to standardised scrutiny on fit-and-proper ownership, aligning with AIFMD governance and reducing administrative back-and-forth.
Asset Manager
Exigences applicables au réviseur d’entreprises agréé spécial auprès des établissements de crédit émetteurs de lettres de gage
Circular CSSF 26/907, published on February 18, 2026, establishes requirements for **approved special statutory auditors (réviseurs d'entreprises agréés spéciaux) serving credit institutions that issue mortgage bonds (lettres de gage)**. This circular formalizes the governance and audit standards applicable to a specialized auditor role within Luxembourg's credit institution framework, ensuring enhanced oversight of entities engaged in mortgage bond issuance.
What Changed
The search results provided do not contain the full text of Circular CSSF 26/907, as it is available only in French and the PDF content was not included in the available materials. However, based on the title and regulatory context, this circular addresses:
Statutory auditor qualifications and requirements for the specialized role of approving auditors (réviseurs agréés spéciaux) overseeing credit institutions that issue mortgage bonds
Governance standards for auditors in this specialized capacity
Audit and oversight responsibilities specific to mortgage bond issuance activities
The...
What You Need To Do
- *Obtain and review the full French text of Circular CSSF 26/907 from the CSSF website
- *Assess current auditor qualifications against the new requirements for approved special statutory auditors
- *Update audit engagement letters and terms to reflect any new standards or responsibilities
- *Document compliance with the circular's requirements in governance and audit files
- *Communicate with appointed auditors to ensure alignment with the new framework
Key Dates
18 February 2026 - Circular CSSF 26/907 published
No specific implementation deadline provided in available search results; firms should consult the full French text for any transition periods or effective dates
Compliance Impact
Urgency: HIGH
Bank
No description available.
BankAsset ManagerWealth Manager
AML/CFT standardised data collection taking place in 2026
The CSSF Circular Letter 2026-02-12 announces a standardized data collection exercise on AML/CFT for supervised entities, scheduled for 2026, aimed at enhancing regulatory oversight of money laundering and terrorist financing risks. This matters because it signals intensified CSSF scrutiny on AML/CFT compliance, requiring firms to prepare structured data submissions that could inform future supervisory actions, risk assessments, and enforcement. As part of broader CSSF AML/CFT initiatives, non-compliance risks fines or heightened inspections.
What Changed
Introduction of standardized AML/CFT data collection: CSSF mandates uniform reporting formats for collecting data on AML/CFT risks, controls, and practices across supervised sectors, building on existing risk-based supervision frameworks.
Alignment with ongoing AML/CFT enhancements: Complements recent governance-focused circulars (e.g., Circular 26/906 on central administration and risk management for payment/e-money institutions) by emphasizing data-driven validation of AML/CFT effectiveness, including risk assessments, transaction monitoring, and third-party oversight.
No explicit new...
What You Need To Do
- Assess and document AML/CFT data readiness
- Update governance and controls
- Conduct internal reviews
- Prepare for submission
- Engage auditors
Key Dates
2026 (exact date TBD) - AML/CFT standardised data collection exercise Firms must submit required data during this period; preparation recommended immediately given today's date (12 February 2026). DEADLINE
20 January 2026 - Issuance of related Circular 26/906 Establishes governance baselines (e.g., compliance independence, risk proportionality) informing data collection expectations. DEADLINE
26 January 2026 - CSSF AML/CFT Conference for Specialised PFS Provided updates on sub-sector risks, terrorist financing reviews, and FIU insights relevant to data preparation.
28 January 2026 - Conference materials published Available for download to guide compliance alignment. DEADLINE
Compliance Impact
Urgency: High – With data collection in 2026 underway today (12 February 2026), firms face immediate preparation needs amid recent enforcement (e.g., EUR 102,000 fine on depositary for AML-related gaps) and conferences signaling sub-sector focus. This elevates AML/CFT as a supervisory priority, potentially triggering on-site inspections, fines, or remediation orders for inadequate data/risks; proactive alignment prevents escalation in a risk-based regime.
BankPayment ProviderAll Firms
No description available.
This CSSF communiqué announces the availability of updated UCI Reports (SAQ, SR, and ML) under Circular CSSF 21/790 on the eDesk platform's CISERO module for specific 2026 year-ends, with key enhancements focused on valuation, NAV determination, and risk-based streamlining. It matters for Luxembourg UCIs as it reflects evolving supervisory priorities, aligns with EU directives like Directive (EU) 2024/927, and imposes refined self-assessment obligations to bolster resilience in stressed conditions and liquidity management.
What Changed
SAQ Updates (Valuation Section): New questions on valuation policies for stressed market conditions/exceptional circumstances; coverage for new sub-funds/strategies; independent validation of material valuation models; and risk-based backtesting for model-valued investments comprising significant NAV portions.
SAQ Simplifications and Clarifications: Removed questions on sub-funds with significant non-standard OTC derivatives, unquoted assets, or external valuer OTC FDIs (including NAV proportions); refined wording on conflicts of interest; added sub-questions (e.g., stale valuations); updated...
What You Need To Do
- Access updated Reports on eDesk CISERO module immediately and review changes vs
- Update valuation policies/procedures to explicitly cover stressed conditions, new sub-funds/strategies, model validations, and backtesting; document compliance
- Revise NAV processes for LMT alignment with Directive (EU) 2024/927 Annexes and ESMA performance fee guidelines; confirm for open-ended UCIs
- Dirigeants/management
- Train staff on updates; conduct gap analysis on policies (e
Key Dates
9 February 2026 Reports (SAQ, SR, ML) made available on eDesk CISERO for year-ends 31 January, 28 February, 31 March, 30 April 2026.
Financial year-end +5 months (UCITS/Part II UCIs) SAQ/SR submission deadline. DEADLINE
Financial year-end +6 months (SIFs/SICARs) SAQ/SR submission deadline. DEADLINE
Three months before year-end (post-30 April 2026) Future Reports availability.
16 April 2026 Entry into application of AIFM/UCITS Review Directive LMT requirements.
Compliance Impact
Urgency: High – Immediate access required for imminent submissions (e.g., 31 January 2026 year-end due ~June 2026); new valuation questions demand policy reviews to avoid supervisory findings, especially amid stressed markets; SR simplifications reduce burden but shift focus to SAQ self-assessment, heightening dirigeants' accountability. Non-compliance risks CSSF follow-up on modified audits or weaknesses, per Circular 21/790.
Asset Manager
Administrative sanction imposed on Corestate Capital Holding S.A.
The CSSF published an administrative sanction on 6 February 2026 against Corestate Capital Holding S.A., likely for breaches in regulatory compliance such as depositary duties, oversight, or governance under Luxembourg financial laws, marking a repeat enforcement action following a prior sanction in June 2025. This matters for compliance professionals as it underscores CSSF's aggressive enforcement on alternative investment fund managers (AIFMs) and depositaries, signaling heightened scrutiny on safekeeping, oversight, and internal controls to prevent systemic risks in Luxembourg's fund sector. It highlights the regulator's willingness to impose public nominative sanctions, amplifying reputational damage alongside fines.
What Changed
No new regulatory changes or requirements are introduced; this is an enforcement action enforcing existing obligations under laws like the AIFM Law of 12 July 2013 (e.g., Articles 19(8), 19(9), 19(11) on safekeeping and oversight duties), the Law of 5 April 1993 on the financial sector, and Commission Delegated Regulation (EU) No 231/2013 (CDR 231/2013, e.g., Articles 92, 94, 96 on risk assessment, valuation verification, and cash flow monitoring).
What You Need To Do
- Conduct immediate gap analysis
- Enhance oversight duties
- Strengthen governance
- Firm-wide audit
- Training and reporting
Key Dates
20 June 2025 - Prior administrative sanction imposed on Corestate Capital Holding S.A., indicating ongoing non-compliance issues. DEADLINE
6 February 2026 - Publication date of the current administrative sanction on Corestate Capital Holding S.A., effective immediately as a public enforcement notice.
February 2023 –January 2024 for similar cases).
Compliance Impact
Urgency: High – This represents CSSF's pattern of public nominative fines (e.g., EUR 102,000 on JTC for depositary breaches, EUR 10,000 on Capitalis for AML non-cooperation), with escalation risks for repeat violations like Corestate's back-to-back sanctions. It matters due to Luxembourg's dominance in European fund assets (over EUR 5 trillion), where governance lapses can trigger outflows, license revocation, or cross-border ESMA scrutiny; firms must act preemptively to mitigate fines (typically EUR 10,000–102,000) and reputational harm from nominative publication.
Asset ManagerAll Firms
Administrative sanction imposed on Corestate Capital Holding S.A.
The CSSF published an administrative sanction on 6 February 2026 against Corestate Capital Holding S.A., likely imposing a fine for regulatory breaches, marking a repeat enforcement action following a prior sanction on the same entity dated 20 June 2025. This matters as it underscores CSSF's intensified supervisory scrutiny on Luxembourg-based investment managers, particularly regarding governance, asset safekeeping, and oversight duties under AIFM Law, signaling heightened enforcement risks for similar firms. Compliance teams should review it for patterns in depositary and transparency violations evident in recent CSSF cases.
What Changed
No new regulatory changes or requirements are introduced; this is an enforcement action highlighting non-compliance with existing obligations under Luxembourg's AIFM Law (notably Articles 19(8), 19(9), 19(11), and 51) and related delegated regulations like CDR 231/2013. Key breaches from analogous recent CSSF sanctions include inadequate safekeeping of assets (e.g., missing ownership verification and records), failure to oversee AIFM valuation policies and cash remittance timelines, improper delegation to custodians without due diligence, and weak internal governance such as conflicts of...
What You Need To Do
- Enhance oversight processes
- Strengthen governance
- For issuers like Corestate
Key Dates
20 June 2025 - Prior administrative sanction imposed on Corestate Capital Holding S.A..
6 February 2026 - Publication date of the current administrative sanction on Corestate Capital Holding S.A..
Compliance Impact
Urgency: High – This represents repeat enforcement on Corestate (second sanction in under a year), aligning with CSSF's pattern of nominative publications for severe, ongoing breaches in depositary and governance areas, as seen in JTC (EUR 102,000 fine for similar safekeeping/oversight failures) and BigRep SE (EUR 10,000 for reporting lapses). It elevates risks of fines, reputational damage, and market jeopardy assessments under AIFM Law Article 51, urging preemptive remediation amid CSSF's active 2023-2026 inspection cycle.
Asset ManagerAll Firms
Press release 26/03
BankWealth Manager
Administrative sanction imposed on Genève Invest (Europe) S.A.
The CSSF imposed an administrative sanction on 23 July 2025 against Genève Invest (Europe) S.A., a Luxembourg-regulated entity, for breaches of professional obligations, as detailed in a publication released on 4 February 2026. This enforcement action underscores the CSSF's focus on robust internal controls and compliance with investment rules, serving as a warning to investment firms on the consequences of organizational and conduct failures. Compliance professionals should note it as evidence of heightened CSSF scrutiny on fund managers handling client assets and counterparties.
What Changed
This is not a regulatory change or new requirement but an enforcement action highlighting existing obligations under Luxembourg law. Key breaches likely mirror patterns in recent CSSF sanctions, such as non-compliance with UCI Law provisions on investment policies (e.g., Articles 41, 43), sound accounting procedures (Article 109), and rules of conduct (Articles 111, CSSF Regulation 10-04), including improper cash deposits with unauthorized brokers and inaccurate asset valuation.
What You Need To Do
- Immediate review of counterparty due diligence
- Enhance valuation and accounting controls
- Conduct internal audits
- Update governance and reporting
Key Dates
23 July 2025 - Date of administrative sanction imposition on Genève Invest (Europe) S.A.
4 February 2026 - Publication date of the sanction document by CSSF.
Compliance Impact
Urgency: High – This sanction, published today (4 February 2026), signals ongoing CSSF off-site and on-site probes into fund operations, similar to fines imposed in July 2025 on Zeus Asset Management (€18,136 for UCI breaches) and a bank (reprimand for AML gaps). It matters due to escalating enforcement—fines calibrated to turnover (e.g., 10% in Zeus case)—and risks of reputational damage, especially for wealth managers with broker exposures. Non-compliance could trigger investigations, as CSSF considers infringement duration, cooperation, and history.
Asset ManagerWealth ManagerAll Firms
No description available.
BankWealth ManagerAsset Manager
No description available.
CSSF Circular 26/906, published on 20 January 2026, establishes detailed requirements for central administration, internal governance, and risk management for payment institutions (PIs) and electronic money institutions (EMIs) in Luxembourg, repealing prior circulars IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155. It clarifies application of the amended Law of 10 November 2009 on payment services, emphasizing robust governance amid sector growth to ensure safety, efficiency, and trust. This matters for compliance as it mandates comprehensive reviews and updates to governance frameworks by mid-2026, addressing rising transaction volumes.
What Changed
The circular consolidates and updates governance rules, focusing on:
Management bodies: Responsibilities, composition, qualifications, organization, and functioning, including CSSF authorization of members based on professional experience, standing (e.g., police records), and irreproachable conduct.
Internal control functions: Responsibilities, characteristics, organization, and execution of work for compliance officers and internal auditors, with notifications to CSSF including detailed personal and professional information.
Conflicts of interest: Key requirements for a management policy...
What You Need To Do
- Gap analysis
- Updates and notifications
- Implementation
- Documentation
Key Dates
20 January 2026 - Publication date of Circular CSSF 26/906.
30 June 2026 - Compliance deadline: Institutions must assess/review central administration, internal governance, and risk management frameworks to ensure full compliance. DEADLINE
Compliance Impact
Urgency: High - With ~5 months from publication (20 Jan 2026) to compliance (30 Jun 2026), firms face tight timelines for assessments, policy overhauls, and CSSF notifications, especially given repealed circulars and sector growth pressures. Non-compliance risks supervisory actions, as this fosters "sound and prudent management" in a high-volume industry; proactive reviews are essential to avoid disruptions.
Payment ProviderFintech
Central administration, internal governance and risk management
Circular CSSF 26/906, published on 20 January 2026, consolidates and clarifies Luxembourg's rules on central administration, internal governance, and risk management specifically for payment institutions, electronic money institutions, and account information service providers. It repeals prior circulars (IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155) to address growth in transaction volumes by mandating robust governance, control functions, and risk processes, enhancing safety, efficiency, and trust in these services. This matters for compliance professionals as it strengthens defenses against financial crime, operational risks, and supervisory scrutiny in a high-growth sector.
What Changed
Consolidation and repeal: Replaces outdated circulars with unified requirements under the amended Law of 10 November 2009 on payment services, covering central administration (decision-making must be in Luxembourg), management body responsibilities, internal control functions (compliance, risk management, internal audit as independent second/third lines), conflicts of interest management, new product approval processes, and client funds safeguarding (e.g., segregation, daily/weekly reconciliations based on risk).
Governance enhancements: Board approves strategy, risk appetite, AML/CFT...
What You Need To Do
- Assess and update governance frameworks
- Confirm control functions
- Implement operational safeguards
- Document proportionality
- Retain records and report
Key Dates
20 January 2026 - Publication date of Circular CSSF 26/906 .
30 June 2026 - Compliance deadline Institutions must assess, review, and ensure their central administration, internal governance, and risk management frameworks fully comply with the circular. DEADLINE
Compliance Impact
Urgency: High – With a 30 June 2026 deadline (five months from publication), firms face immediate pressure to review and remediate governance gaps amid sector growth and heightened AML/CFT scrutiny; non-compliance risks supervisory actions, fines, or license issues, especially as it closes criminal exploitation vectors like weak controls and third-party risks.
Payment Provider
Application of the Guidelines of the European Banking Authority on the management of environmental, social and governance (ESG) risks (EBA/GL/2025/01)
Circular CSSF 26/905 mandates the application of EBA Guidelines (EBA/GL/2025/01) on managing **ESG risks** for Luxembourg-supervised institutions, requiring integration of environmental, social, and governance risk identification, measurement, management, and monitoring into internal processes. This aligns with CRD amendments (Articles 74, 76, 87a) and emphasizes proportionality to institutions' business models, with plans including timelines, targets, and milestones toward EU climate goals like net-zero by 2050. It matters for compliance as it embeds ESG into prudential supervision, potentially impacting capital, risk frameworks, and supervisory reviews.
What Changed
Institutions must establish proportionate strategies, policies, processes, and systems for ESG risk management, covering short-, medium-, and long-term horizons, including transition and physical environmental risks.
Develop plans per Article 76(2) CRD with specific timelines, intermediate quantifiable targets, and milestones to address ESG financial risks, consistent with EU objectives (e.g., 55% GHG reduction by 2030, climate neutrality by 2050).
Incorporate ESG into internal governance, risk appetite, and supervisory review processes (SREP), with scenario analysis requirements (to be...
What You Need To Do
- Map and integrate ESG risks into governance, risk management frameworks, and business strategies, proportionate to scale/risk exposure
- Develop and document ESG risk management plans with quantifiable targets, milestones, timelines, and scenario analyses (broad requirements now; detailed later)
- Conduct assessments of ESG risks in portfolios, including sustainability products, transition finance, and loan origination policies, for SREP submission
- Embed in internal processes per Articles 74, 76, 87a CRD: identify/measure ESG risks (minimum standards), monitor over time horizons, and report to CSSF
- Review and update existing policies/systems for compliance by applicable dates; prepare for CSSF supervisory evaluation of plan robustness
Key Dates
20 January 2026 - Circular published by CSSF.
1 April 2026 - Application date for Less Significant Institutions (other than SNCIs).
11 January 2027 - Application date for SNCIs (dependent on CRD transposition).
Compliance Impact
Urgency: High - With application starting 1 April 2026 (just over 2 months from publication), firms face immediate pressure to gap-analyze current ESG frameworks against EBA standards, especially for SREP integration and long-term risk planning. Non-compliance risks supervisory scrutiny, capital add-ons, or enforcement, as ESG is now a core prudential pillar amid EU sustainability push; smaller institutions get a head-start but must act swiftly given proportionality demands.
BankAll Firms
2026 update
BankWealth ManagerFamily Office
Administrative sanction imposed on the alternative investment fund manager Max Gain Capital S.à r.l. (“AIFM”)
The CSSF imposed a €10,000 administrative fine on Max Gain Capital S.à r.l., an alternative investment fund manager, on 11 September 2025 for failing to submit a mandatory annual financial crime questionnaire by the April 2025 deadline. This enforcement action demonstrates the CSSF's active monitoring of AML/CFT compliance obligations and its willingness to sanction non-cooperation, even for procedural failures unrelated to substantive money laundering violations.
What Changed
This is not a regulatory change but rather an enforcement action clarifying existing obligations:
Mandatory Annual Questionnaire Requirement: All CSSF-supervised professionals must submit an annual questionnaire on financial crime covering the preceding calendar year.
Cooperation Obligation: Article 5(1) of the amended Law of 12 November 2004 on AML/CFT imposes a non-negotiable duty to cooperate with CSSF supervisory requests.
Enforcement Escalation: The CSSF will issue reminders before imposing sanctions, but continued non-compliance triggers administrative fines under Article 8-4 of the...
What You Need To Do
- regulated entities must
- *Identify Reporting Obligations
- *Calendar Management
- *Documentation
- *Escalation Protocol
Key Dates
4 April 2025 - Deadline for submission of financial crime questionnaire for the year ending 31 December 2024 DEADLINE
Before 11 September 2025 - CSSF issued two reminders to Max Gain Capital after the missed deadline DEADLINE
11 September 2025 - CSSF imposed the €10,000 administrative fine
9 January 2026 - CSSF published the administrative sanction decision
Compliance Impact
Urgency: HIGH
Asset ManagerAll Firms
Administrative sanction imposed on JTC (Luxembourg) S.A.
The CSSF imposed a €102,000 administrative fine on JTC (Luxembourg) S.A. on 23 July 2025 for breaches in its professional obligations as a depositary of non-financial assets under the AIFM Law, identified during an on-site inspection from February 2023 to January 2024 covering activities up to December 2022. This enforcement action highlights CSSF's scrutiny of depositary functions, particularly risk assessment and oversight controls, serving as a warning for similar entities to strengthen compliance amid rising supervisory focus on AIFM depositaries.
What Changed
This is an enforcement action, not a regulatory change; it enforces existing requirements under Article 51(1) (1st and 7th indents) and Article 51(2) (1st sub-paragraph, 3rd indent) of the amended Law of 12 July 2013 on AIFMs (AIFM Law), and related provisions like Article 92(1) of Commission Delegated Regulation (EU) No 231/2013 (CDR 231/2013).
What You Need To Do
- related entities) must
- Conduct immediate gap analyses on risk assessment processes for AIF strategies and AIFM organization per Article 92(1) CDR 231/2013
- Implement robust verification processes for AIFM compliance with asset delegation rules
- Ensure availability of key documentation and evidence of controls for the depositary function, addressing pre-2022 gaps if applicable
- Develop and test oversight processes, leveraging self-identified improvements and action plans as mitigating factors, as JTC did prior to inspection
Key Dates
February 2023 - January 2024 Period of CSSF on-site inspection on depositary obligations, covering activities up to December 2022.
23 July 2025 Date CSSF imposed the €102,000 administrative fine on JTC (Luxembourg) S.A.
9 January 2026 Date of official CSSF publication announcing the sanction.
Compliance Impact
Urgency: High – This matters due to the fine's size (€102,000), reflecting breach accumulation, severity, and duration, despite JTC's partial remediation; it signals intensified CSSF on-site scrutiny of depositary functions post-2023 inspections, with potential for higher penalties absent proactive controls. Depositaries face elevated enforcement risk, especially with unavailability of evidence pre-2022, urging swift remediation to avoid similar outcomes under Article 51 AIFM Law.
Asset Manager
Long Form Report – Practical rules concerning the self-assessment questionnaire to be submitted by investment firms – Mission and related reports of the réviseurs d’entreprises agréés (approved statutory auditors)
Broker DealerAll Firms
Update of Circular CSSF 24/853 on the Long Form Report (as amended by Circular CSSF 25/870) – Practical rules concerning the self-assessment questionnaire to be submitted by investment firms Mission and related reports of the réviseurs d’entreprises agréés (approved statutory auditors)
Circular CSSF 26/904 updates Circular CSSF 24/853 (as amended by Circular CSSF 25/870) by introducing a revised Long Form Report (LFR) for investment firms, featuring a digital self-assessment questionnaire (SAQ) and enhanced auditor reports focused on AML/CFT and risk management. This matters because it aligns reporting with CSSF's risk-based supervision under CSSF 4.0, reduces redundancies, applies proportionality based on business models, and mandates digital submission to improve efficiency and data analysis.
What Changed
Revised LFR Structure: Comprises four parts in a single digital document: (1) yearly SAQ completed by investment firms; (2) descriptive elements verified by approved statutory auditors (REAs); (3) AML/CFT report with risk assessments, declarations on audits, and data on incomplete fund transfers; (4) REA's independent assessment of ML/FT risks and organizational aspects.
Digital Format: Completion and submission via CSSF's online portal, supporting CSSF 4.0 digital strategy for efficient processing.
Proportionality and Scope: Applies individually to investment firms (no consolidated LFR if...
What You Need To Do
- Investment Firms
- REAs/Auditors
Key Dates
Financial year ending 31 December 2024 - Applicability of revised LFR to all investment firms; submissions begin for this period onward on a yearly basis.
No specific submission deadline stated - Yearly production required via CSSF portal; firms should align with existing annual reporting cycles for auditors (typically post-year-end). DEADLINE
Compliance Impact
Urgency: High - Applies immediately to FY ending 31 December 2024 reports, requiring swift updates to reporting processes, digital tools, and AML/CFT documentation amid CSSF's risk-based shift; non-compliance risks supervisory actions, as LFR directly informs CSSF oversight on key prudential/AML areas with no transition period specified.
Asset ManagerBroker DealerAll Firms
Update of Circular CSSF 24/850 on the practical rules concerning the descriptive report and the self-assessment questionnaire to be submitted on an annual basis by support PFS, as well as the engagement of the réviseurs d’entreprises agréés (approved statutory auditors) of support PFS and practical rules concerning the management letter and the separate report to be drawn up on an annual basis.
Circular CSSF 25/903 updates Circular CSSF 24/850, refining practical rules for support Professional of the Financial Sector (support PFS) in Luxembourg regarding their annual descriptive report, self-assessment questionnaire, and the roles of approved statutory auditors (réviseurs d’entreprises agréés). It specifies requirements for auditors' engagement, management letters, and separate annual reports. This matters for support PFS as it enhances supervisory oversight, ensures consistent reporting quality, and strengthens internal controls, directly impacting compliance and audit processes amid CSSF's focus on robust PFS supervision.
What Changed
Updates to Descriptive Report and Self-Assessment Questionnaire: Refines content, format, and submission requirements for support PFS's annual submissions, emphasizing more detailed disclosures on operations, risks, and controls (building on CSSF 24/850).
Auditor Engagement Rules: Introduces specific practical guidelines for approved statutory auditors, including mandatory scope of work, independence confirmations, and standardized procedures for reviewing support PFS reports.
Management Letter and Separate Report: Establishes detailed rules for auditors to issue an annual management letter...
What You Need To Do
- *Review and Update Processes
- *Engage/Confirm Auditors
- *Implement Templates and Testing
- *Training and Governance
- *Submit on Time
Key Dates
1 January 2026 - Effective Date Applies to annual reporting cycles starting for financial year 2025 onwards.
30 April (annually) - Submission Deadline Support PFS must submit descriptive report, self-assessment questionnaire, management letter, and separate auditor report to CSSF by 30 April following the financial year-end (first applicable: 30 April 2026 for FY 2025). DEADLINE
31 December 2025 - Preparation Milestone Auditors must be engaged and initial scoping completed by year-end 2025 for FY 2025 compliance. DEADLINE
Compliance Impact
Urgency: High. This is high urgency for support PFS due to the impending 30 April 2026 deadline for FY 2025 submissions, with non-compliance risking supervisory fines, license reviews, or reputational damage under CSSF's PFS enforcement regime. It matters as it tightens audit accountability, potentially increasing costs (e.g., auditor fees) while reducing reporting errors—critical for smaller support entities with limited resources.
All FirmsFintechPayment Provider
Practical rules concerning the descriptive report and the self-assessment questionnaire to be submitted on an annual basis by support PFS.Engagement of the réviseurs d’entreprises agréés (approved statutory auditors) of support PFS and practical rules concerning the management letter and the separate report to be drawn up on an annual basis.
Circular CSSF 24/850, as amended by Circular CSSF 25/903, establishes practical rules for support Professional of the Financial Sector (support PFS) in Luxembourg to submit annual descriptive reports and self-assessment questionnaires, while also defining the roles of approved statutory auditors (réviseurs d’entreprises agréés) in issuing management letters and separate reports. This guidance standardizes supervisory reporting and audit processes to enhance oversight of support PFS, which provide essential back-office services to authorized PFS. It matters because non-compliance risks supervisory sanctions, reputational damage, and operational disruptions for entities reliant on support PFS structures.
What Changed
Standardized Reporting Templates: Introduces detailed formats and content requirements for the annual descriptive report and self-assessment questionnaire, covering governance, risk management, internal controls, and operational metrics specific to support PFS activities (e.g., IT services, administrative support, custody).
Auditor Engagement Rules: Mandates approved statutory auditors to perform specific procedures, issue a management letter highlighting control weaknesses, and prepare a separate report confirming compliance with the circular's requirements.
Amendments via CSSF 25/903:...
What You Need To Do
- Annual Reporting Cycle
- February to review submissions, test controls, and issue management letter (flagging deficiencies) plus separate compliance report
- Governance Updates
- Auditor Coordination
- Record-Keeping
Key Dates
31 March annually - Deadline for submission of descriptive report, self-assessment questionnaire, management letter, and separate auditor report to CSSF (first applicable for FY 2024 reporting due 31 March 2025). DEADLINE
1 January 2025 - Effective date of original Circular CSSF 24/850.
15 December 2025 - Effective date of amendments in Circular CSSF 25/903, applicable to 2025 reporting cycle onwards.
End of February annually - Support PFS must engage auditors and provide necessary data to enable timely report preparation. DEADLINE
Compliance Impact
Urgency: High – This is a recurring annual obligation with a firm 31 March deadline, where delays trigger automatic CSSF notifications and potential fines (up to €250,000 per Law 1993). It matters for support PFS as it intensifies scrutiny on operational resilience in a post-SFI (2021) landscape, where CSSF prioritizes substance in delegated functions; failure risks de-authorization or client outflows. Early implementation of templates and auditor pipelines is essential to avoid first-year pitfalls.
BankWealth ManagerAll Firms
Authorisation and organisation of entities acting as UCI administrators
Circular CSSF 22/811, as amended by Circular CSSF 25/900, establishes CSSF requirements for the authorisation, governance, internal organisation, and oversight of entities acting as UCI (Undertakings for Collective Investment) administrators in Luxembourg. It matters because it standardises practices amid regulatory, technological, and market evolutions, ensuring robust controls, risk management, and supervision for fund administration activities critical to Luxembourg's fund industry.
What Changed
Authorisation Requirements: Prior CSSF authorisation is mandatory for appointment as UCI administrator, via full application under sectoral laws or a simplified administrative procedure; application must include details per Annex A, with ongoing updates for substantial changes.
Scope of UCI Administration: Defines three core functions—registrar, NAV calculation/accounting, and client communication—requiring only one designated service provider per function per UCI (or compartment); UCI/IFM may perform functions internally or delegate with oversight.
Governance and Controls: Mandates sound...
What You Need To Do
- Submit authorisation application to CSSF with Annex A information before commencing UCI administration; notify substantial changes and keep file updated
- Establish/implement governance, controls, escalation processes, resource adequacy, ICT/business continuity per circular; ensure single provider per function
- For delegations
- Conclude written contracts with UCI/IFM; submit annual UCIA activity reports
Compliance Impact
Urgency: High – Non-compliance risks CSSF sanctions, as authorisation is prior and ongoing; critical for Luxembourg fund ecosystem given evolutions in tech/markets/DORA. Firms must act promptly if unauthorised or misaligned, especially with annual reporting since 2023 and DORA integration; impacts operational models, delegations, and reporting immediately for active administrators.
Asset ManagerBankAll Firms
Provisions relating to credit institutions and investment firms of EU origin established in Luxembourg by way of branches or exercising activities in Luxembourg by way of free provision of services
Circular CSSF 07/325, as amended by Circulars CSSF 21/765, CSSF 22/827, and most recently CSSF 25/898, establishes supervisory requirements for EU credit institutions and investment firms operating in Luxembourg via branches or free provision of services (FOPS). It matters for compliance professionals as it defines CSSF's host authority role, notification obligations, reporting, and enforcement powers, ensuring alignment with CRD and MiFID II while adapting to evolving EU rules.
What Changed
CSSF 21/765: Updated provisions following amendments to CSSF Regulation No 12-02, refining notification and operational requirements for branches and FOPS.
CSSF 22/827: Further amendments to align with CRD and MiFID II changes, including enhanced notifications for programme alterations (e.g., one-month prior written notice for changes in operations, services, or activities).
CSSF 25/898: Latest update (noted in CSSF Newsletter No 298, November 2025), incorporating recent legal/regulatory developments, such as refined reporting via eDesk portal, AML/CFT compliance assessments, and supervision...
What You Need To Do
- Notifications
- Supervision cooperation
Key Dates
One month before change effective date - Notify CSSF and home authority in writing of programme changes (e.g., operations, services, additional places of business) per CRD Article 36(3) and MiFID II Article 35(10).
Within 3 months of receipt - Home state authority communicates notification file to CSSF for branch/FOPS establishment.
Six months after financial year-end - Submit electronically signed SAQ (via eDesk), annual AML/CFT and conduct of business report (per Circular CSSF 19/731, to be repealed by CSSF 25/902), reviewed by REA.
Compliance Impact
Urgency: Medium - Matters due to recurring annual reporting (e.g., SAQ, AML/CFT within six months post-year-end) and prior notifications for changes, with CSSF enforcement powers (e.g., measures under LFS Article 46(2)) for non-compliance. Recent CSSF 25/898 update (Nov 2025) requires immediate review of processes for digital submissions, but no retroactive changes or hard deadlines post-2025; grandfathering for pre-existing setups reduces immediate pressure.
BankBroker Dealer
Adoption of the EBA Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (sanctions)
Circular CSSF 25/896 adopts the EBA Guidelines EBA/GL/2024/14 and EBA/GL/2024/15, mandating Luxembourg financial institutions to establish robust internal policies, procedures, and controls for complying with EU and national restrictive measures (sanctions). This matters because it sets binding EU-wide standards to prevent sanctions violations and circumvention, with absolute obligations for immediate asset freezing and reporting, amid escalating geopolitical tensions.
What Changed
Institutions must develop, implement, and maintain up-to-date policies, procedures, and controls for identifying, investigating, and applying restrictive measures without delay, including risk management for violations and circumvention.
Management body responsibilities expanded: approve sanctions compliance strategy, oversee implementation, conduct at least annual assessments of exposure and controls, ensure remedial actions, and report deficiencies.
Screening and monitoring requirements: Maintain updated sanctions lists with immediate integration of changes; screen customer base,...
What You Need To Do
- Conduct annual exposure assessments to sanctions risks and circumvention; update policies accordingly
- Appoint senior management/board-level responsibility for approving and overseeing sanctions strategy, including annual reviews and deficiency reporting
- Implement reliable screening systems for customers, transactions, and lists; define screenable datasets; test systems regularly for effectiveness (e
- Provide documented training to relevant staff on sanctions, institutional exposure, and internal processes
- Establish processes for immediate action on matches: suspend transfers, freeze assets, report to Ministry of Finance/CSSF/FIU without delay; maintain whitelists only under strict conditions
Compliance Impact
Urgency: High – With less than 12 months until the 30 December 2025 deadline (as of January 2026), firms face binding requirements for absolute compliance, including personal accountability for management bodies; non-compliance risks enforcement by CSSF, reputational damage, and fines amid frequent EU sanctions updates (e.g., Regulations 2025/1469, 2025/1476). This elevates sanctions from operational task to strategic board priority.
BankPayment ProviderCrypto Exchange