Repeal of Circular IML 91/75 related to the revision and remodelling of the rules to which Luxembourg undertakings governed by the Law of 30 March 1988 on undertakings for collective investment (“UCI”) are subject
The CSSF has issued Circular CSSF 26/912, formally repealing Circular IML 91/75 (and its amendments) governing Luxembourg UCIs under the (now repealed) Law of 30 March 1988 on undertakings for collective investment. This is a technical clean‑up measure that removes an obsolete circular from the rulebook and confirms that the 1991 governance, organisational and investment rules under IML 91/75 no longer apply.
What Changed
- - Circular IML 91/75, including its amendments by Circulars CSSF 05/177, 18/697, 21/790, 22/811 and 25/901, is formally repealed by Circular CSSF 26/912.
- The rules on “revision and remodelling of the rules to which Luxembourg undertakings governed by the Law of 30 March 1988 on undertakings for collective investment are subject” no longer form part of...
- Supervisory expectations for Luxembourg UCIs are now to be derived exclusively from the current UCI regime (notably the Law of 17 December 2010 relating to undertakings for collective investment and...
- Any internal compliance mappings, policy references, or control frameworks that still cite Circular IML 91/75 or its amending circulars must be treated as referencing repealed guidance and should be...
Suggested Considerations
- Update your regulatory inventory and obligation registers to reflect that Circular IML 91/75 and its amending circulars (CSSF 05/177, 18/697, 21/790, 22/811 and 25/901) have been repealed by Circular CSSF 26/912 as of 22 May 2026.
- Verify that your compliance monitoring programmes and internal audit test plans do not rely on requirements sourced from Circular IML 91/75, and re-align any such tests to the currently applicable legal and regulatory standards.
- Communicate the repeal of Circular IML 91/75 internally to legal, compliance, risk, product, and fund administration teams to prevent continued reliance on obsolete rules in ongoing or future projects.
- For any ongoing remediation, authorisation or approval processes that previously cited IML 91/75 as justification for a control design, reassess and document those controls against the current CSSF requirements that have effectively replaced or superseded the 1991 framework.
- Maintain an audit trail evidencing the update of documentation and registers in response to Circular CSSF 26/912, including board or senior management notification where your governance framework requires it for changes in regulatory obligations.
Key Dates
- Original Circular IML 91/75 on revision and remodelling of rules applicable to UCIs under the Law of 30 March 1988 is issued (subsequently amended by later circulars)
- Circular CSSF 26/912 is published and Circular IML 91/75 (as amended by Circulars CSSF 05/177, 18/697, 21/790, 22/811 and 25/901) is repealed and archived
Compliance Impact
The immediate compliance risk is low, as the circular repeals an already outdated framework; however, continuing to reference or rely on Circular IML 91/75 could create documentation inconsistencies, misalignment with current CSSF expectations and weaknesses in regulatory audits or inspections.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset ManagerHedge FundBank
1° amending:(a) the Law of 5 April 1993 on the financial sector, as amended;(b) the Law of 17 December 2010 relating to undertakings for collective investment, as amended;(c) the Law of 18 December 2015 on the failure of credit institutions and certain investment firms, as amended;(d) the Law of 15 March 2016 on OTC derivatives, central counterparties and trade repositories and amending different laws relating to financial services, as amended;2° transposing:(a) Directive (EU) 2024/1619 of th...
Bank
No description available.
The CSSF publication highlights AMLA's public consultation on draft Regulatory Technical Standards (RTS) under Articles 16(4) and 17(3) of Regulation (EU) 2024/1624, specifying minimum group-wide AML/CFT requirements and additional measures for subsidiaries and branches in third countries. This matters because it aims to harmonize cross-border AML frameworks, ensuring groups maintain consolidated ML/TF risk views and robust controls, particularly in high-risk third-country operations, impacting EU financial groups' compliance structures. Private sector input is encouraged to align standards with practical operations.[https://www.cssf.lu/en/Document/public-consultation-by-amla-on-the-draft-rts-on-group-wide-minimum-requirements-and-additional-measures-for-subsidiaries-and-branches-in-third-countries/][https://www.amla.europa.eu/amla-consults-group-wide-requirements-and-business-wide-risk-assessment_en]
What Changed
- - Group-wide AML/CFT frameworks: Establishes minimum standards for design and implementation across groups, including cross-border structures and third-country operations, to enable consolidated...
- Third-country subsidiaries and branches: Introduces additional measures for entities in non-EU countries, extending requirements beyond traditional groups to other...
- Information sharing and parent identification: Defines provisions for intra-group data sharing and criteria to identify the EU parent undertaking when multiple entities report to a third-country head...
- Interlinked mandates: Cross-references obligations between Articles 16(4) and 17(3) for complementary requirements on organizational...
Suggested Considerations
- Register for 20 May 2026 public hearing to engage directly on practical application across group structures.[https://www.amla.europa.eu/events/public-hearing-draft-rts-group-wide-minimum-requirements-and-additional-measures-subsidiaries-and-2026-05-20_en]
- Assess current group-wide AML/CFT frameworks against proposed minimums, identifying gaps in third-country controls, risk consolidation, and data sharing protocols.
Compliance Impact
Urgency: High – Firms with third-country exposure must act now on consultation (closes 15 July 2026) to influence final RTS, as these will mandate binding minimums for group-wide AML/CFT, potentially requiring significant framework overhauls for risk consolidation and controls. Non-engagement risks misaligned systems post-adoption, increasing supervisory scrutiny under harmonized EU standards; early assessment prevents rushed...
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
BankAsset ManagerPayment Provider
No description available.
AMLA has launched a public consultation on draft Guidelines for business-wide risk assessments (BWRA) under the new Anti-Money Laundering Regulation (EU 2024/1624), with submissions open until 15 July 2026. These guidelines establish minimum requirements for all obliged entities across financial and non-financial sectors to systematically identify and manage money laundering and terrorist financing risks inherent to their operations.
What Changed
- The draft Guidelines introduce four minimum requirements for conducting adequate business-wide risk assessments applicable to all obliged entities. The framework mandates that entities:
- Identify risk exposure across their business model, customers, products, services, transactions, delivery channels, and geographical exposure
- Maintain consolidated risk views across group structures, eliminating silos between branches and subsidiaries
- Utilize internal and external data sources to build comprehensive risk landscapes, including monitoring customer behavior changes and tracking international typologies
- Apply proportionality based on entity size, business model, and risk profile, while ensuring consistent application of policies across the organization
The guidelines specifically address evaluation...
Suggested Considerations
- *Immediate (by 15 July 2026):
- Review draft Guidelines and assess alignment with current BWRA practices
- Identify gaps between existing risk assessment frameworks and proposed minimum requirements
- Prepare formal consultation responses, particularly if your organization operates in non-financial sectors
- Register for relevant public hearings (28 May for BWRA Guidelines; 20 May for group-wide RTS) to engage directly with AMLA
Key Dates
- Final adoption of guidelines and technical standards
- Consultation launched
- Public hearing on draft RTS on group-wide requirements
- Public hearing on draft Guidelines on business-wide risk assessment
- Consultation deadline for submissions
Compliance Impact
Urgency: HIGH
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
All Firms
concerning the audit profession
BankWealth ManagerAsset Manager
Application of the Guidelines of the European Securities and Markets Authority for the criteria on the assessment of knowledge and competence under the Markets in Crypto Assets Regulation (MiCA) (ESMA35-24871704-2922)
Circular CSSF 26/909 specifies how the CSSF applies ESMA's Guidelines (ESMA35-24871704-2922) for assessing **knowledge and competence** criteria under MiCA, targeting staff involved in crypto-asset services. It matters because it enforces MiCA's staff certification requirements, ensuring Luxembourg CASPs meet EU-wide standards for consumer protection and operational integrity amid the full MiCA rollout on 30 December 2024.
What Changed
- - Adoption of ESMA Guidelines: CSSF mandates application of ESMA's criteria for evaluating staff knowledge and competence in crypto-asset services, including roles in custody, trading, portfolio...
- Assessment Framework: Firms must implement standardized tests and processes to verify staff qualifications, aligning with MiCA Article 62 on CASP authorization, focusing on technical crypto...
- No New Standalone Rules: This circular builds on prior CSSF MiCA circulars (e.g., 25/890 on crypto-asset classification), integrating competence checks into licensing dossiers and ongoing supervision.
Suggested Considerations
- Assess Staff Competence: Implement ESMA-guided evaluations (e.g., exams, certifications) for all relevant personnel handling crypto services; document results in governance frameworks.
- Update Policies and Training: Integrate competence criteria into HR, onboarding, and annual reviews; roll out MiCA-specific training on reporting, breaches, and governance.
- Licensing Dossier Enhancement: Include competence attestations in CSSF applications; appoint dedicated compliance/risk officers with verified qualifications.
- Ongoing Monitoring: Conduct regular audits, penetration tests, and incident planning; confirm compliance annually via management body statements.
- Early CSSF Engagement: Schedule dialogues and info sessions; create MiCA readiness scorecards for board and regulator discussions.
Key Dates
Circular CSSF 26/909 published; immediate application of ESMA competence guidelines.; [User-provided content]
Compliance Impact
Urgency: High – With publication today (1 April 2026) and MiCA's CASP regime live since 30 December 2024, firms face immediate supervisory scrutiny during licensing and VASP transitions ending 1 July 2026. Non-compliance risks authorization denial, enforcement, or operational halts, especially as CSSF audits dossiers for competence gaps amid Luxembourg's role as MiCA hub.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Crypto ExchangeBankFintech Press release 26/07
Bank
No description available.
Asset ManagerWealth ManagerBank
No description available.
BankWealth ManagerAll Firms
No description available.
BankWealth ManagerAsset Manager
Table listing the professional activities and the mandates performed
This CSSF publication is an updated table (in XLSX format) listing standardized professional activities and mandates for members of the management body/governing body and conducting officers, as required under points 105 and 107 of Circular CSSF 18/698. It matters because it ensures consistent, transparent reporting of senior personnel roles in Luxembourg investment fund managers (IFMs), supporting governance, conflict-of-interest management, and CSSF supervisory oversight. Compliance professionals must use this list to standardize disclosures in authorization files and ongoing reporting.
What Changed
- The document was originally published on 14 January 2019 and updated on 12 March 2026, reflecting revisions to the predefined list of professional activities and mandates[Source URL].
- Alignment with Circular CSSF 18/698 requirements for IFMs (management companies for UCIs and AIFs), specifying reportable roles like those in collective portfolio management, risk management,...
- Emphasis on detailed documentation of mandates to demonstrate fitness, properness, and avoidance of conflicts, including for shareholders with qualifying holdings.
- No entirely new requirements introduced, but the update likely incorporates evolving governance expectations, such as enhanced delegate oversight and AML/CFT compliance officer designations.
Suggested Considerations
- Download and use the XLSX table: Incorporate the exact list of activities/mandates into internal templates for reporting management body and conducting officer roles[Source URL].
- Update authorization and notification files: Include detailed CVs, criminal record extracts, wealth declarations, and organization charts for relevant personnel/shareholders; notify CSSF of changes (e.g., qualifying holdings, guarantees).
- Conduct fit-and-proper assessments: Ensure declarations cover all listed mandates, demonstrating no conflicts and adequate resources; perform initial/ongoing due diligence on delegates.
- Annual compliance review: Document roles in compliance monitoring plans, training, and reporting to senior management/CSSF; align with delegate oversight (e.g., risk-based monitoring of compliance, audit functions).
- Policy updates: Revise governance policies to reflect the updated list, including AML/CFT officer designations and own funds proofs.
Key Dates
- Publication of underlying Circular CSSF 18/698, setting baseline requirements
- Original publication of the list
- Latest update to the list, requiring immediate review and integration into reporting processes[Source URL]
financial year); - Compliance deadline for Circular 18/698 obligations, including governance reporting (e.g., 5 months after year-end)
Compliance Impact
Urgency: High – The March 12, 2026 update coincides with today's date, demanding immediate review to avoid supervisory findings during CSSF inspections or authorization processes. Non-compliance risks authorization delays, fines, or reputational damage, as Circular 18/698 emphasizes robust governance in a heightened scrutiny environment for IFMs (e.g., delegate oversight, AML).
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset ManagerBankAll Firms
Administrative sanction imposed on a réviseur d’entreprises agréé
The CSSF imposed an administrative sanction on 2 December 2025 against an approved statutory auditor (*réviseur d’entreprises agréé*) for breaches of professional obligations, likely related to continuing education requirements under Luxembourg's Audit Law, mirroring patterns in recent similar cases. This enforcement action underscores the CSSF's rigorous oversight of audit professionals, emphasizing compliance with ongoing training mandates to maintain audit quality and market integrity. Compliance professionals should note it as evidence of heightened scrutiny on non-delegable professional duties.
What Changed
This is not a regulatory change or new requirement but an enforcement action applying existing rules under point f) of Article 43(1) read with point a) of Article 43(2) and Article 44 of the Law of 23 July 2016 on the audit profession (Audit Law), alongside CSSF Regulation N°16-10 on continuing education.
Suggested Considerations
- Immediate self-audit: Statutory auditors must verify personal compliance with continuing education hours under CSSF Regulation N°16-10, documenting hours against Article 3(1) requirements and submitting evidence if requested.
- Remediation plan: If shortfalls identified, complete deficit training promptly and notify CSSF of corrective measures, as seen in related governance cases where entities implemented remediation.
- Internal training programs: Audit firms should enhance monitoring of auditor CPE (continuing professional education) logs, integrating CSSF controls akin to Article 10 of the Audit Law.
- Fit-and-proper reviews: Boards and compliance officers assess auditor qualifications, escalating any gaps to CSSF per professional obligations.
- Record retention: Maintain verifiable CPE records for at least the reference period plus CSSF inspection windows (typically 3-5 years).
Key Dates
- Likely reference period end for continuing education non-compliance (inferred from identical prior case)
- Date of administrative sanction imposition by CSSF
- Publication date of the sanction notice (today's date, aligning with CSSF practice for transparency under Article 48(2) of the Audit Law)
Compliance Impact
Urgency: Medium. This matters as a signal of CSSF's proactive controls on auditor CPE, with fines starting at EUR 1,500 for initial breaches but scaling with severity/duration; repeated actions (e.g., multiple 2025 sanctions) indicate rising enforcement tempo, risking broader audit ecosystem scrutiny. Affected parties face direct fines and reputational harm, while others must prioritize CPE to avoid chain-reaction liabilities in financial reporting.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
All Firms
Administrative sanction imposed on a réviseur d’entreprises agréé
The CSSF imposed an administrative sanction on 2 December 2025 against an approved statutory auditor (*réviseur d’entreprises agréé*) for breaches of professional obligations, likely related to continuing education requirements under Luxembourg's Audit Law, mirroring patterns in recent similar cases. This enforcement action underscores the CSSF's rigorous oversight of audit professionals, emphasizing compliance with ongoing training mandates to maintain audit quality and market integrity. Compliance professionals should note it as evidence of heightened scrutiny on non-compliance with minimum continuing education hours.
What Changed
No new regulatory changes are introduced; this is an enforcement action applying existing rules under point f) of Article 43(1) read with point a) of Article 43(2) and Article 44 of the Law of 23 July 2016 concerning the audit profession (Audit Law), alongside CSSF Regulation N°16-10 on continuing education for statutory auditors. Breaches typically involve failing to meet the minimum total hours of continuing education by the reference period end (e.g., December 31, 2024, as in a comparable August 2025 case).
Suggested Considerations
- Statutory auditors must immediately verify compliance with Article 3(1) of CSSF Regulation N°16-10, ensuring minimum continuing education hours are met for relevant periods.
- Audit firms should conduct internal audits of training logs and implement remediation plans, including supplementary training if deficits exist.
- All affected parties must report any identified breaches to CSSF proactively and retain evidence of corrective actions, as CSSF controls under Article 10 of the Audit Law can trigger fines.
Key Dates
- Reference period end for continuing education compliance (inferred from similar case)
- Date of administrative sanction imposition by CSSF
- Publication date of the sanction notice
Compliance Impact
Urgency: Medium. This matters due to the pattern of CSSF enforcement on audit continuing education (e.g., EUR 1,500 fine in August 2025 case for similar breaches), signaling ongoing supervisory controls that could expand to on-site inspections. Non-compliance risks fines, public naming (or anonymous publication per Article 48(2) Audit Law), and reputational damage, but lacks immediate firm-wide deadlines, reducing to medium urgency for proactive reviews.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
All Firms
No description available.
BankWealth ManagerAll Firms
Administrative sanction imposed on an investment firm
The CSSF imposed an administrative sanction on 8 October 2025 against an unnamed investment firm, as detailed in a publication released on 4 March 2026. This enforcement action underscores CSSF's rigorous oversight of investment firms, particularly in areas like AML/CFT compliance, conduct rules, and organizational requirements, serving as a warning for similar entities to strengthen cooperation and internal controls. It matters because it highlights escalating fines for repeated or material breaches, potentially influencing supervisory expectations across Luxembourg's financial sector.
What Changed
- No new regulatory changes or requirements are introduced; this is an enforcement action applying existing rules.
- Failure to cooperate with CSSF requests, e.g., not submitting required AML/CFT questionnaires by deadlines, violating Article 5(1) of the amended Law of 12 November 2004 on AML/CFT.
- Non-compliance with investment policies, organizational requirements, or conduct rules under the UCI Law (e.g., Articles 41, 43, 109), including improper broker exposures or valuation failures.
- These reflect ongoing enforcement of established frameworks like the AIFM Law, UCI Law, and AML/CFT Law, with fines calibrated by factors like breach duration, firm size, cooperation level, and prior...
Suggested Considerations
- Enhance cooperation protocols: Implement automated tracking for CSSF requests (e.g., questionnaires) with escalations for reminders; document all responses.
- Review investment compliance: Audit broker exposures, valuation processes, and subscription/redemption controls against UCI Law Articles 41-43, 109; suspend dealings if uncertainties arise.
- Strengthen governance: Conduct gap analyses on internal controls, risk assessments, and reporting for depositary/oversight functions per AIFM Law Article 19(9) and CDR 231/2013.
- Training and monitoring: Roll out firm-wide training on AML/CFT obligations (Article 5(1)) and perform reconciliations of assets/records; prepare for on-site/off-site CSSF inspections.
- Self-reporting: Proactively disclose prior breaches to mitigate fine severity.
Key Dates
- Date of prior depositary oversight fine
- Deadline for submitting CSSF AML/CFT Questionnaire (breach example from similar case)
- Date of fine imposition for UCITS investment policy breaches
- Date of fine imposition in comparable AIFM non-cooperation case
- Date of the sanction in question
Compliance Impact
Urgency: High - This matters due to CSSF's pattern of publicizing nominative sanctions (e.g., Max Gain Capital, Zeus Asset Management), signaling increased scrutiny on investment firms amid AML/CFT and conduct risks. Fines (EUR 10,000–127,500) represent material hits (up to 10% of turnover), with factors like poor cooperation amplifying penalties; firms with similar exposures face elevated inspection risk, especially post-2025 enforcement wave.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset ManagerBroker DealerWealth Manager
No description available.
The CSSF published guidance on 2 March 2026 specifying minimum documents and information required for assessing shareholding structures of authorised Investment Fund Managers (IFMs) during initial authorisation and subsequent modifications, covering both qualified and non-qualified shareholders. This matters because incomplete submissions will not be processed, potentially delaying authorisations or amendments amid ongoing CSSF scrutiny of governance and ownership in Luxembourg's fund sector.
What Changed
- - Minimum Document Requirements: Establishes a mandatory list of documents for each new shareholder candidate, differentiated by type (e.g., natural person, legal person, beneficial owner,...
- Additional Mandatory Submissions: For changes involving qualified holdings (entry, increase/decrease, removal), requires updated group structure charts, MEF (in some cases), financing information,...
- Enforcement Mechanism: From 2 March 2026, applications lacking these minimums are deemed incomplete, halting analysis until fully submitted.
- No prior formalised list existed in this detail for IFMs, shifting from case-by-case to standardised requirements.
Suggested Considerations
- Review Guidance: Download and study the XLSX document (Version 1.0) detailing per-shareholder/per-change requirements.
- Prepare Complete Packages: For initial authorisation or amendments, compile minimum docs (e.g., IDs for beneficial owners/PEPs, group charts, financing details, MEF, fees); use *MEF templates where noted.
- Submit Fully: Ensure all minimums included in future filings to avoid delays; anticipate CSSF requests for extras.
- Internal Processes: Update compliance checklists, train teams on shareholder due diligence, and integrate into authorisation workflows.
Key Dates
Publication and effective date; Guidance applies immediately; incomplete applications received on/after this date will not start processing until complete
Compliance Impact
Urgency: High – Effective immediately on publication (2 March 2026), with strict non-processing of incomplete files risking significant delays in time-sensitive authorisations/amendments. Matters for maintaining operational timelines in competitive fund markets, where CSSF oversight of IFM ownership ties to broader governance expectations (e.g., board composition, qualifications).
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset Manager
Version 1.0
This CSSF guidance (Version 1.0, published 2 March 2026) specifies the minimum documents and information required for assessing shareholding structures of authorised Investment Fund Managers (IFMs) during initial authorisation or modifications involving qualified and non-qualified shareholders. It standardises submissions to ensure completeness, with incomplete applications rejected until fully provided, enhancing regulatory efficiency and scrutiny of ownership changes. Compliance professionals must prioritise this to avoid delays in authorisation processes for Luxembourg-domiciled IFMs.
What Changed
- - Minimum Document Lists: Introduces detailed checklists in an XLSX format covering candidate shareholder documents (e.g., ID, CV, declarations of honour (DH), criminal records (CR) for natural...
- Differentiation by Shareholder Type: Requirements vary by natural/legal person, beneficial owner, direct/indirect qualified/unqualified shareholders, and involvement in financing (e.g., "Yes, if PEP...
- Other Mandatory Submissions: For qualified holding changes (entry, increase/decrease, removal), requires updated group structure charts, Market Entry Forms (MEF), financing details, and fee forms;...
- Enforcement Mechanism: From 2 March 2026, incomplete submissions halt analysis until remedied; CSSF may request additional info.
Suggested Considerations
- Prepare Complete Packages: For each new shareholder candidate, compile type-specific docs (e.g., ID/CV/DH/CR for direct unqualified shareholders; financing proof if indirect qualified lacks resources).
- Submit Core Items: Always include updated group structure chart, MEF (template available), acquisition financing details, fee form; classify request type (e.g., prior authorisation for qualified changes).
- Initial/Modification Filings: Use XLSX guidance as checklist; ensure beneficial owner verification per Circular CSSF 19/732.
- Ongoing: Notify CSSF of changes; anticipate ad-hoc requests for extras like PEP declarations.
Key Dates
Publication and immediate applicability; New guidance effective; incomplete applications received on/after this date not processed until complete
Compliance Impact
Urgency: High – Immediate effect from 2 March 2026 means any ongoing or planned IFM authorisation/modification applications risk delays or rejection if non-compliant, potentially disrupting fund launches or ownership restructurings in Luxembourg's key investment management hub. Matters due to standardised scrutiny on fit-and-proper ownership, aligning with AIFMD governance and reducing administrative back-and-forth.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset Manager
Exigences applicables au réviseur d’entreprises agréé spécial auprès des établissements de crédit émetteurs de lettres de gage
Circular CSSF 26/907, published on February 18, 2026, establishes requirements for **approved special statutory auditors (réviseurs d'entreprises agréés spéciaux) serving credit institutions that issue mortgage bonds (lettres de gage)**. This circular formalizes the governance and audit standards applicable to a specialized auditor role within Luxembourg's credit institution framework, ensuring enhanced oversight of entities engaged in mortgage bond issuance.
What Changed
- The search results provided do not contain the full text of Circular CSSF 26/907, as it is available only in French and the PDF content was not included in the available materials.
- Statutory auditor qualifications and requirements for the specialized role of approving auditors (réviseurs agréés spéciaux) overseeing credit institutions that issue mortgage bonds
- Governance standards for auditors in this specialized capacity
- Audit and oversight responsibilities specific to mortgage bond issuance activities
The circular aligns with broader Luxembourg regulatory modernization efforts evident in concurrent CSSF guidance,...
Suggested Considerations
- *Obtain and review the full French text of Circular CSSF 26/907 from the CSSF website
- *Assess current auditor qualifications against the new requirements for approved special statutory auditors
- *Update audit engagement letters and terms to reflect any new standards or responsibilities
- *Document compliance with the circular's requirements in governance and audit files
- *Communicate with appointed auditors to ensure alignment with the new framework
Key Dates
- Circular CSSF 26/907 published
in available search results; firms should consult the full French text for any transition periods or effective dates
Compliance Impact
Urgency: HIGH
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Bank
No description available.
BankAsset ManagerWealth Manager
AML/CFT standardised data collection taking place in 2026
The CSSF Circular Letter 2026-02-12 announces a standardized data collection exercise on AML/CFT for supervised entities, scheduled for 2026, aimed at enhancing regulatory oversight of money laundering and terrorist financing risks. This matters because it signals intensified CSSF scrutiny on AML/CFT compliance, requiring firms to prepare structured data submissions that could inform future supervisory actions, risk assessments, and enforcement. As part of broader CSSF AML/CFT initiatives, non-compliance risks fines or heightened inspections.
What Changed
- - Introduction of standardized AML/CFT data collection: CSSF mandates uniform reporting formats for collecting data on AML/CFT risks, controls, and practices across supervised sectors, building on...
- Alignment with ongoing AML/CFT enhancements: Complements recent governance-focused circulars (e.g., Circular 26/906 on central administration and risk management for payment/e-money institutions) by...
- No explicit new obligations beyond preparation for data submission, but implies deeper integration of tax-related AML indicators and sub-sector risk updates, as seen in related CSSF activities.
Suggested Considerations
- Assess and document AML/CFT data readiness: Inventory current risk assessments, transaction monitoring logs, KYC processes, SAR filings, and third-party oversight records in standardized formats; map to proportionality factors (e.g., transaction volumes, outsourcing).
- Update governance and controls: Ensure compliance functions have independence, direct board reporting, and audit coverage of AML/CFT; test ICT resilience for monitoring continuity.
- Conduct internal reviews: Perform gap analyses against Circular 26/906 (e.g., fund safeguarding, escalation protocols) and recent conference topics (e.g., terrorist financing, tax indicators); remediate deficiencies with board-approved plans.
- Prepare for submission: Designate resources for data compilation; cooperate fully with CSSF/FIU requests, including transfer-of-funds information under EU 2015/847.
- Engage auditors: Leverage approved auditors for validation of AML/CFT effectiveness ahead of collection.
Key Dates
AML/CFT standardised data collection exercise; Firms must submit required data during this period; preparation recommended immediately given today's date (12 February 2026)
Issuance of related Circular 26/906; Establishes governance baselines (e.g., compliance independence, risk proportionality) informing data collection expectations
CSSF AML/CFT Conference for Specialised PFS; Provided updates on sub-sector risks, terrorist financing reviews, and FIU insights relevant to data preparation
Conference materials published; Available for download to guide compliance alignment
Compliance Impact
Urgency: High – With data collection in 2026 underway today (12 February 2026), firms face immediate preparation needs amid recent enforcement (e.g., EUR 102,000 fine on depositary for AML-related gaps) and conferences signaling sub-sector focus. This elevates AML/CFT as a supervisory priority, potentially triggering on-site inspections, fines, or remediation orders for inadequate data/risks; proactive alignment prevents escalation in a risk-based regime.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
BankPayment ProviderAll Firms
No description available.
This CSSF communiqué announces the availability of updated UCI Reports (SAQ, SR, and ML) under Circular CSSF 21/790 on the eDesk platform's CISERO module for specific 2026 year-ends, with key enhancements focused on valuation, NAV determination, and risk-based streamlining. It matters for Luxembourg UCIs as it reflects evolving supervisory priorities, aligns with EU directives like Directive (EU) 2024/927, and imposes refined self-assessment obligations to bolster resilience in stressed conditions and liquidity management.
What Changed
- - SAQ Updates (Valuation Section): New questions on valuation policies for stressed market conditions/exceptional circumstances; coverage for new sub-funds/strategies; independent validation of...
- SAQ Simplifications and Clarifications: Removed questions on sub-funds with significant non-standard OTC derivatives, unquoted assets, or external valuer OTC FDIs (including NAV proportions); refined...
- SAQ NAV Determination: Updated Liquidity Management Tools (LMTs) sub-section to align with Annexes of AIFM/UCITS Review Directive (Directive (EU) 2024/927); added question on compliance with ESMA...
- SR Streamlining: Removed procedures in investment compliance (e.g., eligibility assessments for closed-ended funds, structured instruments, non-plain vanilla OTC derivatives; credit quality for money...
- Reports for year-ends after 30 April 2026 available three months prior.
Suggested Considerations
- Access updated Reports on eDesk CISERO module immediately and review changes vs. 31 December 2025 versions.
- Update valuation policies/procedures to explicitly cover stressed conditions, new sub-funds/strategies, model validations, and backtesting; document compliance.
- Revise NAV processes for LMT alignment with Directive (EU) 2024/927 Annexes and ESMA performance fee guidelines; confirm for open-ended UCIs.
- Dirigeants/management: Complete/validate SAQ addressing new/clarified questions; prepare for REA SR/ML review.
- REAs: Perform streamlined SR procedures; issue ML on prior weaknesses with remediation timelines.
Key Dates
Reports (SAQ, SR, ML) made available on eDesk CISERO for year-ends 31 January, 28 February, 31 March, 30 April 2026
Entry into application of AIFM/UCITS Review Directive LMT requirements
end +5 months (UCITS/Part II UCIs); SAQ/SR submission deadline
end +6 months (SIFs/SICARs); SAQ/SR submission deadline
end (post-30 April 2026); Future Reports availability
Compliance Impact
Urgency: High – Immediate access required for imminent submissions (e.g., 31 January 2026 year-end due ~June 2026); new valuation questions demand policy reviews to avoid supervisory findings, especially amid stressed markets; SR simplifications reduce burden but shift focus to SAQ self-assessment, heightening dirigeants' accountability. Non-compliance risks CSSF follow-up on modified audits or weaknesses, per Circular 21/790.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset Manager
Administrative sanction imposed on Corestate Capital Holding S.A.
The CSSF published an administrative sanction on 6 February 2026 against Corestate Capital Holding S.A., likely for breaches in regulatory compliance such as depositary duties, oversight, or governance under Luxembourg financial laws, marking a repeat enforcement action following a prior sanction in June 2025. This matters for compliance professionals as it underscores CSSF's aggressive enforcement on alternative investment fund managers (AIFMs) and depositaries, signaling heightened scrutiny on safekeeping, oversight, and internal controls to prevent systemic risks in Luxembourg's fund sector. It highlights the regulator's willingness to impose public nominative sanctions, amplifying reputational damage alongside fines.
What Changed
No new regulatory changes or requirements are introduced; this is an enforcement action enforcing existing obligations under laws like the AIFM Law of 12 July 2013 (e.g., Articles 19(8), 19(9), 19(11) on safekeeping and oversight duties), the Law of 5 April 1993 on the financial sector, and Commission Delegated Regulation (EU) No 231/2013 (CDR 231/2013, e.g., Articles 92, 94, 96 on risk assessment, valuation verification, and cash flow monitoring).
Suggested Considerations
- Conduct immediate gap analysis: Review safekeeping processes for ownership verification (Article 19(8)(b) AIFM Law), ensuring transaction documentation, segregated account proofs, and full holding chain records are available at transaction points.
- Enhance oversight duties: Implement risk assessments per Article 92(1) CDR 231/2013, valuation compliance checks (Article 94), and cash remittance monitoring (Article 96); appoint delegates with due diligence.
- Strengthen governance: Update internal controls, procedures, and conflict-of-interest policies (e.g., director overlaps); ensure key documentation availability and evidence of controls.
- Firm-wide audit: For repeat offenders like Corestate, perform root-cause analysis on prior sanctions and submit remediation plans to CSSF if inspected.
- Training and reporting: Train staff on CSSF expectations; improve cooperation mechanisms to avoid AML/CFT fines for non-submission of requests.
Key Dates
- Prior administrative sanction imposed on Corestate Capital Holding S.A., indicating ongoing non-compliance issues
- Publication date of the current administrative sanction on Corestate Capital Holding S.A., effective immediately as a public enforcement notice
Compliance Impact
Urgency: High – This represents CSSF's pattern of public nominative fines (e.g., EUR 102,000 on JTC for depositary breaches, EUR 10,000 on Capitalis for AML non-cooperation), with escalation risks for repeat violations like Corestate's back-to-back sanctions. It matters due to Luxembourg's dominance in European fund assets (over EUR 5 trillion), where governance lapses can trigger outflows, license revocation, or cross-border ESMA scrutiny; firms must act preemptively to mitigate fines (typically EUR 10,000–102,000) and reputational harm from nominative publication.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset ManagerAll Firms
Administrative sanction imposed on Corestate Capital Holding S.A.
The CSSF published an administrative sanction on 6 February 2026 against Corestate Capital Holding S.A., likely imposing a fine for regulatory breaches, marking a repeat enforcement action following a prior sanction on the same entity dated 20 June 2025. This matters as it underscores CSSF's intensified supervisory scrutiny on Luxembourg-based investment managers, particularly regarding governance, asset safekeeping, and oversight duties under AIFM Law, signaling heightened enforcement risks for similar firms. Compliance teams should review it for patterns in depositary and transparency violations evident in recent CSSF cases.
What Changed
No new regulatory changes or requirements are introduced; this is an enforcement action highlighting non-compliance with existing obligations under Luxembourg's AIFM Law (notably Articles 19(8), 19(9), 19(11), and 51) and related delegated regulations like CDR 231/2013. Key breaches from analogous recent CSSF sanctions include inadequate safekeeping of assets (e.g., missing ownership verification and records), failure to oversee AIFM valuation policies and cash remittance timelines, improper delegation to custodians without due diligence, and weak internal governance such as conflicts of...
Suggested Considerations
- Conduct immediate gap analysis on depositary functions: Verify ownership chains, transaction documentation, segregated account reconciliations, and custodian delegations per AIFM Law Articles 19(8) and 19(11).
- Enhance oversight processes: Implement risk assessments for AIF strategies, valuation policy checks, and cashflow monitoring per CDR 231/2013 Articles 92, 94, and 96.
- Strengthen governance: Review internal controls, procedures, and conflicts (e.g., director overlaps with affiliates); ensure availability of control evidence.
- For issuers like Corestate: Confirm compliance with half-yearly financial reporting and dissemination under Transparency Law Article 4.
- Firm-wide: Perform mock CSSF on-site inspections focusing on 2022-2025 periods, given inspection timelines in recent cases.
Key Dates
- Prior administrative sanction imposed on Corestate Capital Holding S.A
- Publication date of the current administrative sanction on Corestate Capital Holding S.A
Compliance Impact
Urgency: High – This represents repeat enforcement on Corestate (second sanction in under a year), aligning with CSSF's pattern of nominative publications for severe, ongoing breaches in depositary and governance areas, as seen in JTC (EUR 102,000 fine for similar safekeeping/oversight failures) and BigRep SE (EUR 10,000 for reporting lapses). It elevates risks of fines, reputational damage, and market jeopardy assessments under AIFM Law Article 51, urging preemptive remediation amid CSSF's active 2023-2026 inspection cycle.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset ManagerAll Firms
Press release 26/03
BankWealth Manager
Administrative sanction imposed on Genève Invest (Europe) S.A.
The CSSF imposed an administrative sanction on 23 July 2025 against Genève Invest (Europe) S.A., a Luxembourg-regulated entity, for breaches of professional obligations, as detailed in a publication released on 4 February 2026. This enforcement action underscores the CSSF's focus on robust internal controls and compliance with investment rules, serving as a warning to investment firms on the consequences of organizational and conduct failures. Compliance professionals should note it as evidence of heightened CSSF scrutiny on fund managers handling client assets and counterparties.
What Changed
This is not a regulatory change or new requirement but an enforcement action highlighting existing obligations under Luxembourg law. Key breaches likely mirror patterns in recent CSSF sanctions, such as non-compliance with UCI Law provisions on investment policies (e.g., Articles 41, 43), sound accounting procedures (Article 109), and rules of conduct (Articles 111, CSSF Regulation 10-04), including improper cash deposits with unauthorized brokers and inaccurate asset valuation.
Suggested Considerations
- Immediate review of counterparty due diligence: Verify licenses and financial stability of brokers/prime brokers; cease deposits with unauthorized or suspended entities per UCI Law Article 41.
- Enhance valuation and accounting controls: Ensure assets (e.g., cash deposits) are valued at probable realization value per Article 28(4) UCI Law and prospectus terms; implement automated monitoring for ongoing compliance.
- Conduct internal audits: Assess organizational requirements, investment policies, and conduct rules (CSSF Regulation 10-04); remediate gaps proactively, as seen in mitigated sanctions for cooperative firms.
- Update governance and reporting: Document risk assessments and report prior breaches to CSSF to demonstrate cooperation, potentially reducing fine severity.
Key Dates
- Date of administrative sanction imposition on Genève Invest (Europe) S.A
- Publication date of the sanction document by CSSF
Compliance Impact
Urgency: High – This sanction, published today (4 February 2026), signals ongoing CSSF off-site and on-site probes into fund operations, similar to fines imposed in July 2025 on Zeus Asset Management (€18,136 for UCI breaches) and a bank (reprimand for AML gaps). It matters due to escalating enforcement—fines calibrated to turnover (e.g., 10% in Zeus case)—and risks of reputational damage, especially for wealth managers with broker exposures. Non-compliance could trigger investigations, as CSSF considers infringement duration, cooperation, and history.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset ManagerWealth ManagerAll Firms
No description available.
BankWealth ManagerAsset Manager
No description available.
CSSF Circular 26/906, published on 20 January 2026, establishes detailed requirements for central administration, internal governance, and risk management for payment institutions (PIs) and electronic money institutions (EMIs) in Luxembourg, repealing prior circulars IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155. It clarifies application of the amended Law of 10 November 2009 on payment services, emphasizing robust governance amid sector growth to ensure safety, efficiency, and trust. This matters for compliance as it mandates comprehensive reviews and updates to governance frameworks by mid-2026, addressing rising transaction volumes.
What Changed
- The circular consolidates and updates governance rules, focusing on:
- Management bodies: Responsibilities, composition, qualifications, organization, and functioning, including CSSF authorization of members based on professional experience, standing (e.g., police...
- Internal control functions: Responsibilities, characteristics, organization, and execution of work for compliance officers and internal auditors, with notifications to CSSF including detailed...
- Conflicts of interest: Key requirements for a management policy applicable to all staff and management body members.
- New product approval: Defined key steps in the process.
Suggested Considerations
- Gap analysis: Assess current frameworks against circular requirements on management bodies, internal controls, conflicts of interest, product approval, and fund safeguarding.
- Updates and notifications: Review/revise governance arrangements (e.g., policies, structures); notify CSSF of management body members, compliance officers, and internal auditors with required documentation (professional experience, police records, etc.).
- Implementation: Establish robust risk identification/management/monitoring/reporting processes, internal controls, and proportional arrangements (e.g., IT, outsourcing).
- Documentation: Develop conflicts policy, new product approval procedures, and safeguarding rules; ensure management body authorization.
- Ongoing: Maintain sound/prudent management amid growth; integrate with Law of 10 November 2009 requirements.
Key Dates
- Publication date of Circular CSSF 26/906
- Compliance deadline: Institutions must assess/review central administration, internal governance, and risk management frameworks to ensure full compliance
Compliance Impact
Urgency: High - With ~5 months from publication (20 Jan 2026) to compliance (30 Jun 2026), firms face tight timelines for assessments, policy overhauls, and CSSF notifications, especially given repealed circulars and sector growth pressures. Non-compliance risks supervisory actions, as this fosters "sound and prudent management" in a high-volume industry; proactive reviews are essential to avoid disruptions.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Payment ProviderFintech
Central administration, internal governance and risk management
Circular CSSF 26/906, published on 20 January 2026, consolidates and clarifies Luxembourg's rules on central administration, internal governance, and risk management specifically for payment institutions, electronic money institutions, and account information service providers. It repeals prior circulars (IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155) to address growth in transaction volumes by mandating robust governance, control functions, and risk processes, enhancing safety, efficiency, and trust in these services. This matters for compliance professionals as it strengthens defenses against financial crime, operational risks, and supervisory scrutiny in a high-growth sector.
What Changed
- - Consolidation and repeal: Replaces outdated circulars with unified requirements under the amended Law of 10 November 2009 on payment services, covering central administration (decision-making must...
- Governance enhancements: Board approves strategy, risk appetite, AML/CFT policies, outsourcing, and information security; management implements via procedures; proportionality based on business...
- Operational controls: Strict access to systems (need-to-know, least-privilege, 4-eyes validation); counterparty due diligence for custodians/insurers; full responsibility for agents, distributors,...
- AML/CFT focus: Elevates compliance function independence, direct board reporting, risk-based resourcing, and oversight of third parties/opaque structures to close gaps exploited by criminals.
Suggested Considerations
- Assess and update governance frameworks: Review central administration location, board/management responsibilities, risk strategy, AML/CFT policies, compliance charter, and funds safeguarding principles to align with the circular.
- Confirm control functions: Ensure compliance function (CCO) has independence, resources, direct board access, and authority for investigations; justify/secure CSSF approval for part-time/dual roles.
- Implement operational safeguards: Establish daily reconciliations (or justified weekly), segregation/insurance for client funds, system access controls (4-eyes, board validation for significant movements), and third-party due diligence/monitoring.
- Document proportionality: Tailor governance to business risks (staff, volumes, products, outsourcing); update new product approval, conflicts policies, and business continuity/incident reporting.
- Retain records and report: Board-approve all key policies; prepare for CSSF inspections on outsourcing (per Circular CSSF 22/806) and ICT risks.
Key Dates
Publication date of Circular CSSF 26/906
Compliance deadline; Institutions must assess, review, and ensure their central administration, internal governance, and risk management frameworks fully comply with the circular
Compliance Impact
Urgency: High – With a 30 June 2026 deadline (five months from publication), firms face immediate pressure to review and remediate governance gaps amid sector growth and heightened AML/CFT scrutiny; non-compliance risks supervisory actions, fines, or license issues, especially as it closes criminal exploitation vectors like weak controls and third-party risks.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Payment Provider
Application of the Guidelines of the European Banking Authority on the management of environmental, social and governance (ESG) risks (EBA/GL/2025/01)
Circular CSSF 26/905 mandates the application of EBA Guidelines (EBA/GL/2025/01) on managing **ESG risks** for Luxembourg-supervised institutions, requiring integration of environmental, social, and governance risk identification, measurement, management, and monitoring into internal processes. This aligns with CRD amendments (Articles 74, 76, 87a) and emphasizes proportionality to institutions' business models, with plans including timelines, targets, and milestones toward EU climate goals like net-zero by 2050. It matters for compliance as it embeds ESG into prudential supervision, potentially impacting capital, risk frameworks, and supervisory reviews.
What Changed
- - Institutions must establish proportionate strategies, policies, processes, and systems for ESG risk management, covering short-, medium-, and long-term horizons, including transition and physical...
- Develop plans per Article 76(2) CRD with specific timelines, intermediate quantifiable targets, and milestones to address ESG financial risks, consistent with EU objectives (e.g., 55% GHG reduction...
- Incorporate ESG into internal governance, risk appetite, and supervisory review processes (SREP), with scenario analysis requirements (to be detailed in future EBA guidelines).
- Applies minimum standards and methodologies for ESG risk identification, measurement, monitoring, and impact assessment on institutions' exposures.
- No requirement for full alignment with specific sustainability trajectories, but plans must consider transition risks and institutions' ESG product offerings, loan policies, and targets.
Suggested Considerations
- Map and integrate ESG risks into governance, risk management frameworks, and business strategies, proportionate to scale/risk exposure.
- Develop and document ESG risk management plans with quantifiable targets, milestones, timelines, and scenario analyses (broad requirements now; detailed later).
- Conduct assessments of ESG risks in portfolios, including sustainability products, transition finance, and loan origination policies, for SREP submission.
- Embed in internal processes per Articles 74, 76, 87a CRD: identify/measure ESG risks (minimum standards), monitor over time horizons, and report to CSSF.
- Review and update existing policies/systems for compliance by applicable dates; prepare for CSSF supervisory evaluation of plan robustness.
Key Dates
- Circular published by CSSF
- Application date for Less Significant Institutions (other than SNCIs)
- Application date for SNCIs (dependent on CRD transposition)
Compliance Impact
Urgency: High - With application starting 1 April 2026 (just over 2 months from publication), firms face immediate pressure to gap-analyze current ESG frameworks against EBA standards, especially for SREP integration and long-term risk planning. Non-compliance risks supervisory scrutiny, capital add-ons, or enforcement, as ESG is now a core prudential pillar amid EU sustainability push; smaller institutions get a head-start but must act swiftly given proportionality demands.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
BankAll Firms
2026 update
BankWealth ManagerFamily Office
Administrative sanction imposed on the alternative investment fund manager Max Gain Capital S.à r.l. (“AIFM”)
The CSSF imposed a €10,000 administrative fine on Max Gain Capital S.à r.l., an alternative investment fund manager, on 11 September 2025 for failing to submit a mandatory annual financial crime questionnaire by the April 2025 deadline. This enforcement action demonstrates the CSSF's active monitoring of AML/CFT compliance obligations and its willingness to sanction non-cooperation, even for procedural failures unrelated to substantive money laundering violations.
What Changed
- This is not a regulatory change but rather an enforcement action clarifying existing obligations:
- Mandatory Annual Questionnaire Requirement: All CSSF-supervised professionals must submit an annual questionnaire on financial crime covering the preceding calendar year.
- Cooperation Obligation: Article 5(1) of the amended Law of 12 November 2004 on AML/CFT imposes a non-negotiable duty to cooperate with CSSF supervisory requests.
- Enforcement Escalation: The CSSF will issue reminders before imposing sanctions, but continued non-compliance triggers administrative fines under Article 8-4 of the AML/CFT Law.
Suggested Considerations
- regulated entities must:
- *Identify Reporting Obligations: Confirm whether your firm is subject to the annual financial crime questionnaire requirement under Article 5(1) of the AML/CFT Law
- *Calendar Management: Establish internal processes to ensure questionnaires are submitted by 4 April each year for the preceding calendar year
- *Documentation: Maintain records demonstrating timely submission and preserve evidence of compliance
- *Escalation Protocol: If unable to meet deadlines, proactively contact the CSSF to request extensions or clarification rather than ignoring reminders
Key Dates
- Deadline for submission of financial crime questionnaire for the year ending 31 December 2024
- CSSF issued two reminders to Max Gain Capital after the missed deadline
- CSSF imposed the €10,000 administrative fine
- CSSF published the administrative sanction decision
Compliance Impact
Urgency: HIGH
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset ManagerAll Firms
Administrative sanction imposed on JTC (Luxembourg) S.A.
The CSSF imposed a €102,000 administrative fine on JTC (Luxembourg) S.A. on 23 July 2025 for breaches in its professional obligations as a depositary of non-financial assets under the AIFM Law, identified during an on-site inspection from February 2023 to January 2024 covering activities up to December 2022. This enforcement action highlights CSSF's scrutiny of depositary functions, particularly risk assessment and oversight controls, serving as a warning for similar entities to strengthen compliance amid rising supervisory focus on AIFM depositaries.
What Changed
This is an enforcement action, not a regulatory change; it enforces existing requirements under Article 51(1) (1st and 7th indents) and Article 51(2) (1st sub-paragraph, 3rd indent) of the amended Law of 12 July 2013 on AIFMs (AIFM Law), and related provisions like Article 92(1) of Commission Delegated Regulation (EU) No 231/2013 (CDR 231/2013).
Suggested Considerations
- related entities) must:
- Conduct immediate gap analyses on risk assessment processes for AIF strategies and AIFM organization per Article 92(1) CDR 231/2013.
- Implement robust verification processes for AIFM compliance with asset delegation rules.
- Ensure availability of key documentation and evidence of controls for the depositary function, addressing pre-2022 gaps if applicable.
- Develop and test oversight processes, leveraging self-identified improvements and action plans as mitigating factors, as JTC did prior to inspection.
Key Dates
January 2024; Period of CSSF on-site inspection on depositary obligations, covering activities up to December 2022
Date CSSF imposed the €102,000 administrative fine on JTC (Luxembourg) S.A
Date of official CSSF publication announcing the sanction
Compliance Impact
Urgency: High – This matters due to the fine's size (€102,000), reflecting breach accumulation, severity, and duration, despite JTC's partial remediation; it signals intensified CSSF on-site scrutiny of depositary functions post-2023 inspections, with potential for higher penalties absent proactive controls. Depositaries face elevated enforcement risk, especially with unavailability of evidence pre-2022, urging swift remediation to avoid similar outcomes under Article 51 AIFM Law.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset Manager
Long Form Report – Practical rules concerning the self-assessment questionnaire to be submitted by investment firms – Mission and related reports of the réviseurs d’entreprises agréés (approved statutory auditors)
Broker DealerAll Firms
Update of Circular CSSF 24/853 on the Long Form Report (as amended by Circular CSSF 25/870) – Practical rules concerning the self-assessment questionnaire to be submitted by investment firms Mission and related reports of the réviseurs d’entreprises agréés (approved statutory auditors)
Circular CSSF 26/904 updates Circular CSSF 24/853 (as amended by Circular CSSF 25/870) by introducing a revised Long Form Report (LFR) for investment firms, featuring a digital self-assessment questionnaire (SAQ) and enhanced auditor reports focused on AML/CFT and risk management. This matters because it aligns reporting with CSSF's risk-based supervision under CSSF 4.0, reduces redundancies, applies proportionality based on business models, and mandates digital submission to improve efficiency and data analysis.
What Changed
- - Revised LFR Structure: Comprises four parts in a single digital document: (1) yearly SAQ completed by investment firms; (2) descriptive elements verified by approved statutory auditors (REAs); (3)...
- Digital Format: Completion and submission via CSSF's online portal, supporting CSSF 4.0 digital strategy for efficient processing.
- Proportionality and Scope: Applies individually to investment firms (no consolidated LFR if under CSSF consolidated supervision); focuses on incremental, relevant information tied to business models,...
- Enhanced AML/CFT Focus: Requires descriptions of commercial policy, ML/FT risk management, roles/responsibilities, branch/subsidiary/tied agent compliance; REA must assess adequacy of...
- REA Responsibilities: Verify/ensure adequacy of SAQ elements, assess descriptions, perform control procedures, and provide assessments on AML/CFT policy implementation across entities.
Suggested Considerations
- Investment Firms: Complete and submit the digital SAQ yearly via CSSF portal, providing descriptions of business model, ML/FT risks, commercial policy, monitoring, AML/CFT roles, and entity-level compliance; ensure data on fund transfers (e.g., missing payer/payee info) is included.
- REAs/Auditors: Verify SAQ adequacy, assess descriptions, perform corroborative controls, supplement with findings (e.g., AML/CFT audit declarations), independently assess ML/FT risks/organization, and integrate into single LFR document.
- General: Review existing processes for proportionality (focus on incremental info); update AML/CFT policies/documentation for branches/subsidiaries/tied agents; prepare for digital submission; document risk assessments thoroughly.
- Ongoing: Monitor compliance with related regs like Regulation (EU) 2023/1113 (effective 30 December 2024, per draft bill 8387).
Key Dates
- Applicability of revised LFR to all investment firms; submissions begin for this period onward on a yearly basis
- Yearly production required via CSSF portal; firms should align with existing annual reporting cycles for auditors (typically post-year-end)
Compliance Impact
Urgency: High - Applies immediately to FY ending 31 December 2024 reports, requiring swift updates to reporting processes, digital tools, and AML/CFT documentation amid CSSF's risk-based shift; non-compliance risks supervisory actions, as LFR directly informs CSSF oversight on key prudential/AML areas with no transition period specified.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset ManagerBroker DealerAll Firms
Update of Circular CSSF 24/850 on the practical rules concerning the descriptive report and the self-assessment questionnaire to be submitted on an annual basis by support PFS, as well as the engagement of the réviseurs d’entreprises agréés (approved statutory auditors) of support PFS and practical rules concerning the management letter and the separate report to be drawn up on an annual basis.
Circular CSSF 25/903 updates Circular CSSF 24/850, refining practical rules for support Professional of the Financial Sector (support PFS) in Luxembourg regarding their annual descriptive report, self-assessment questionnaire, and the roles of approved statutory auditors (réviseurs d’entreprises agréés). It specifies requirements for auditors' engagement, management letters, and separate annual reports. This matters for support PFS as it enhances supervisory oversight, ensures consistent reporting quality, and strengthens internal controls, directly impacting compliance and audit processes amid CSSF's focus on robust PFS supervision.
What Changed
- - Updates to Descriptive Report and Self-Assessment Questionnaire: Refines content, format, and submission requirements for support PFS's annual submissions, emphasizing more detailed disclosures on...
- Auditor Engagement Rules: Introduces specific practical guidelines for approved statutory auditors, including mandatory scope of work, independence confirmations, and standardized procedures for...
- Management Letter and Separate Report: Establishes detailed rules for auditors to issue an annual management letter (addressing findings, recommendations, and remediation) and a separate report for...
- Enhanced Documentation and Evidence: Requires support PFS and auditors to provide verifiable evidence (e.g., checklists, testing samples) supporting self-assessments, with stricter CSSF validation...
Suggested Considerations
- *Review and Update Processes: Support PFS must map current reporting against new templates in CSSF 25/903 and revise internal procedures for descriptive reports and self-assessments.
- *Engage/Confirm Auditors: Select or confirm approved statutory auditors compliant with new engagement rules; execute updated engagement letters incorporating circular requirements by Q4 2025.
- *Implement Templates and Testing: Adopt CSSF-provided templates for reports, management letters, and separate reports; conduct sample-based testing of controls as specified.
- *Training and Governance: Train compliance/audit teams on changes; ensure board approval of self-assessments and auditor findings.
- *Submit on Time: Prepare and file all documents by 30 April deadlines, retaining evidence for CSSF inspections.
Key Dates
Submission Deadline; Support PFS must submit descriptive report, self-assessment questionnaire, management letter, and separate auditor report to CSSF by 30 April following the financial year-end (first applicable: 30 April 2026 for FY 2025)
Preparation Milestone; Auditors must be engaged and initial scoping completed by year-end 2025 for FY 2025 compliance
Effective Date; Applies to annual reporting cycles starting for financial year 2025 onwards
Compliance Impact
Urgency: High. This is high urgency for support PFS due to the impending 30 April 2026 deadline for FY 2025 submissions, with non-compliance risking supervisory fines, license reviews, or reputational damage under CSSF's PFS enforcement regime. It matters as it tightens audit accountability, potentially increasing costs (e.g., auditor fees) while reducing reporting errors—critical for smaller support entities with limited resources.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
All FirmsFintechPayment Provider
Practical rules concerning the descriptive report and the self-assessment questionnaire to be submitted on an annual basis by support PFS.Engagement of the réviseurs d’entreprises agréés (approved statutory auditors) of support PFS and practical rules concerning the management letter and the separate report to be drawn up on an annual basis.
Circular CSSF 24/850, as amended by Circular CSSF 25/903, establishes practical rules for support Professional of the Financial Sector (support PFS) in Luxembourg to submit annual descriptive reports and self-assessment questionnaires, while also defining the roles of approved statutory auditors (réviseurs d’entreprises agréés) in issuing management letters and separate reports. This guidance standardizes supervisory reporting and audit processes to enhance oversight of support PFS, which provide essential back-office services to authorized PFS. It matters because non-compliance risks supervisory sanctions, reputational damage, and operational disruptions for entities reliant on support PFS structures.
What Changed
- - Standardized Reporting Templates: Introduces detailed formats and content requirements for the annual descriptive report and self-assessment questionnaire, covering governance, risk management,...
- Auditor Engagement Rules: Mandates approved statutory auditors to perform specific procedures, issue a management letter highlighting control weaknesses, and prepare a separate report confirming...
- Amendments via CSSF 25/903: Updates clarify submission procedures, expand self-assessment criteria (e.g., adding cybersecurity and outsourcing risk questions), and refine auditor independence...
- Frequency and Scope: Annual submissions required without exceptions; scope limited to support PFS (not primary PFS), emphasizing substance over form in service descriptions.
Suggested Considerations
- Annual Reporting Cycle:
1. By year-end, conduct internal self-assessment using the prescribed questionnaire template (available via CSSF portal).
- February to review submissions, test controls, and issue management letter (flagging deficiencies) plus separate compliance report.
- Governance Updates: Review and update internal policies on risk assessment, auditor selection, and remediation of management letter findings; ensure board oversight of submissions.
- Auditor Coordination: Verify auditor qualifications per CSSF register; implement any remediation plans from prior-year management letters before next cycle.
- Record-Keeping: Maintain 5-year audit trail of all supporting documentation for CSSF inspections.
Key Dates
- Effective date of original Circular CSSF 24/850
- Effective date of amendments in Circular CSSF 25/903, applicable to 2025 reporting cycle onwards
- Deadline for submission of descriptive report, self-assessment questionnaire, management letter, and separate auditor report to CSSF (first applicable for FY 2024 reporting due 31 March 2025)
- Support PFS must engage auditors and provide necessary data to enable timely report preparation
Compliance Impact
Urgency: High – This is a recurring annual obligation with a firm 31 March deadline, where delays trigger automatic CSSF notifications and potential fines (up to €250,000 per Law 1993). It matters for support PFS as it intensifies scrutiny on operational resilience in a post-SFI (2021) landscape, where CSSF prioritizes substance in delegated functions; failure risks de-authorization or client outflows. Early implementation of templates and auditor pipelines is essential to avoid first-year pitfalls.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
BankWealth ManagerAll Firms
Authorisation and organisation of entities acting as UCI administrators
Circular CSSF 22/811, as amended by Circular CSSF 25/900, establishes CSSF requirements for the authorisation, governance, internal organisation, and oversight of entities acting as UCI (Undertakings for Collective Investment) administrators in Luxembourg. It matters because it standardises practices amid regulatory, technological, and market evolutions, ensuring robust controls, risk management, and supervision for fund administration activities critical to Luxembourg's fund industry.
What Changed
- - Authorisation Requirements: Prior CSSF authorisation is mandatory for appointment as UCI administrator, via full application under sectoral laws or a simplified administrative procedure;...
- Scope of UCI Administration: Defines three core functions—registrar, NAV calculation/accounting, and client communication—requiring only one designated service provider per function per UCI (or...
- Governance and Controls: Mandates sound governance principles, control frameworks, escalation processes for errors/incidents, adequate resources (human, ICT), business continuity, and compliance with...
- Delegation Rules: Delegation of tasks allowed but not of monitoring/oversight; requires written contracts, due diligence, and prior CSSF notification (3 months generally, 1 month for certain agents);...
- Contracts and Reporting: Written contracts between UCI administrator and UCI/IFM; annual activity reporting due 5 months after financial year-end, starting from financial years ending post-30 June...
Suggested Considerations
- Submit authorisation application to CSSF with Annex A information before commencing UCI administration; notify substantial changes and keep file updated.
- Establish/implement governance, controls, escalation processes, resource adequacy, ICT/business continuity per circular; ensure single provider per function.
- For delegations: Conduct due diligence, execute written contracts detailing roles/obligations, notify CSSF in advance, retain oversight without delegating monitoring.
- Conclude written contracts with UCI/IFM; submit annual UCIA activity reports.
- UCIs/IFMs: Supervise coordinators, ensure information exchange/cooperation with administrators.
Compliance Impact
Urgency: High – Non-compliance risks CSSF sanctions, as authorisation is prior and ongoing; critical for Luxembourg fund ecosystem given evolutions in tech/markets/DORA. Firms must act promptly if unauthorised or misaligned, especially with annual reporting since 2023 and DORA integration; impacts operational models, delegations, and reporting immediately for active administrators.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
Asset ManagerBankAll Firms
Provisions relating to credit institutions and investment firms of EU origin established in Luxembourg by way of branches or exercising activities in Luxembourg by way of free provision of services
Circular CSSF 07/325, as amended by Circulars CSSF 21/765, CSSF 22/827, and most recently CSSF 25/898, establishes supervisory requirements for EU credit institutions and investment firms operating in Luxembourg via branches or free provision of services (FOPS). It matters for compliance professionals as it defines CSSF's host authority role, notification obligations, reporting, and enforcement powers, ensuring alignment with CRD and MiFID II while adapting to evolving EU rules.
What Changed
- - CSSF 21/765: Updated provisions following amendments to CSSF Regulation No 12-02, refining notification and operational requirements for branches and FOPS.
- CSSF 22/827: Further amendments to align with CRD and MiFID II changes, including enhanced notifications for programme alterations (e.g., one-month prior written notice for changes in operations,...
- CSSF 25/898: Latest update (noted in CSSF Newsletter No 298, November 2025), incorporating recent legal/regulatory developments, such as refined reporting via eDesk portal, AML/CFT compliance...
Suggested Considerations
- Notifications: Submit initial branch/FOPS notification to home authority (including operational programme); notify changes (e.g., services, locations) at least one month in advance to both home authority and CSSF.
- Reporting: Complete and sign SAQ (accurate, concise, true/fair view) via eDesk within six months post-year-end; provide REA-appraised AML/CFT and conduct reports, detailing branch procedures/controls.
- Supervision cooperation: Facilitate home/CSSF on-site inspections (with professional secrecy guarantees); ensure branch compliance with Luxembourg laws (e.g., LFS Article 46(2)).
- Ongoing: Maintain branch infrastructure, update for legal changes, and align with CSSF user guides for eDesk authentication.
Key Dates
- Notify CSSF and home authority in writing of programme changes (e.g., operations, services, additional places of business) per CRD Article 36(3) and MiFID II Article 35(10)
- Home state authority communicates notification file to CSSF for branch/FOPS establishment
end; - Submit electronically signed SAQ (via eDesk), annual AML/CFT and conduct of business report (per Circular CSSF 19/731, to be repealed by CSSF 25/902), reviewed by REA
Compliance Impact
Urgency: Medium - Matters due to recurring annual reporting (e.g., SAQ, AML/CFT within six months post-year-end) and prior notifications for changes, with CSSF enforcement powers (e.g., measures under LFS Article 46(2)) for non-compliance. Recent CSSF 25/898 update (Nov 2025) requires immediate review of processes for digital submissions, but no retroactive changes or hard deadlines post-2025; grandfathering for pre-existing setups reduces immediate pressure.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
BankBroker Dealer
Adoption of the EBA Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (sanctions)
Circular CSSF 25/896 adopts the EBA Guidelines EBA/GL/2024/14 and EBA/GL/2024/15, mandating Luxembourg financial institutions to establish robust internal policies, procedures, and controls for complying with EU and national restrictive measures (sanctions). This matters because it sets binding EU-wide standards to prevent sanctions violations and circumvention, with absolute obligations for immediate asset freezing and reporting, amid escalating geopolitical tensions.
What Changed
- - Institutions must develop, implement, and maintain up-to-date policies, procedures, and controls for identifying, investigating, and applying restrictive measures without delay, including risk...
- Management body responsibilities expanded: approve sanctions compliance strategy, oversee implementation, conduct at least annual assessments of exposure and controls, ensure remedial actions, and...
- Screening and monitoring requirements: Maintain updated sanctions lists with immediate integration of changes; screen customer base, transactions, and datasets accurately; enable immediate...
- Training and testing: Deliver regular, documented role-specific training; perform ongoing system testing for screening calibration, list accuracy, transaction monitoring effectiveness, and reporting.
- Proportionality applies based on institution's size, activities, and exposure; PSPs and CASPs explicitly addressed with tailored controls.
Suggested Considerations
- Conduct annual exposure assessments to sanctions risks and circumvention; update policies accordingly.
- Appoint senior management/board-level responsibility for approving and overseeing sanctions strategy, including annual reviews and deficiency reporting.
- Implement reliable screening systems for customers, transactions, and lists; define screenable datasets; test systems regularly for effectiveness (e.g., immediate freezing, accurate hits).
- Provide documented training to relevant staff on sanctions, institutional exposure, and internal processes.
- Establish processes for immediate action on matches: suspend transfers, freeze assets, report to Ministry of Finance/CSSF/FIU without delay; maintain whitelists only under strict conditions.
Compliance Impact
Urgency: High – With less than 12 months until the 30 December 2025 deadline (as of January 2026), firms face binding requirements for absolute compliance, including personal accountability for management bodies; non-compliance risks enforcement by CSSF, reputational damage, and fines amid frequent EU sanctions updates (e.g., Regulations 2025/1469, 2025/1476). This elevates sanctions from operational task to strategic board priority.
AI-generated analysis. May contain errors or omissions — verify with the
original CSSF source
before acting. Full disclaimer.
BankPayment ProviderCrypto Exchange