Circular CSSF 26/906
Executive Summary
Circular CSSF 26/906, published on 20 January 2026, consolidates and clarifies Luxembourg's rules on central administration, internal governance, and risk management specifically for payment institutions, electronic money institutions, and account information service providers. It repeals prior circulars (IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155) to address growth in transaction volumes by mandating robust governance, control functions, and risk processes, enhancing safety, efficiency, and trust in these services. This matters for compliance professionals as it strengthens defenses against financial crime, operational risks, and supervisory scrutiny in a high-growth sector.
What Changed
- Consolidation and repeal: Replaces outdated circulars with unified requirements under the amended Law of 10 November 2009 on payment services, covering central administration (decision-making must be in Luxembourg), management body responsibilities, internal control functions (compliance, risk management, internal audit as independent second/third lines), conflicts of interest management, new product approval processes, and client funds safeguarding (e.g., segregation, daily/weekly reconciliations based on risk).
- Governance enhancements: Board approves strategy, risk appetite, AML/CFT policies, outsourcing, and information security; management implements via procedures; proportionality based on business scale, complexity, transaction volumes, outsourcing, and distribution networks.
- O
What You Need To Do
- Assess and update governance frameworks
- Confirm control functions
- Implement operational safeguards
- Document proportionality
- Retain records and report
Key Dates
Compliance Impact
Urgency: High – With a 30 June 2026 deadline (five months from publication), firms face immediate pressure to review and remediate governance gaps amid sector growth and heightened AML/CFT scrutiny; non-compliance risks supervisory actions, fines, or license issues, especially as it closes criminal exploitation vectors like weak controls and third-party risks.
Who is Affected
Summary
Central administration, internal governance and risk management