New Circular CSSF 26/906 “Central administration, internal governance and risk management” applicable to payment and electronic money institutions
Executive Summary
CSSF Circular 26/906, published on 20 January 2026, establishes detailed requirements for central administration, internal governance, and risk management for payment institutions (PIs) and electronic money institutions (EMIs) in Luxembourg, repealing prior circulars IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155. It clarifies application of the amended Law of 10 November 2009 on payment services, emphasizing robust governance amid sector growth to ensure safety, efficiency, and trust. This matters for compliance as it mandates comprehensive reviews and updates to governance frameworks by mid-2026, addressing rising transaction volumes.
What Changed
The circular consolidates and updates governance rules, focusing on:
- Management bodies: Responsibilities, composition, qualifications, organization, and functioning, including CSSF authorization of members based on professional experience, standing (e.g., police records), and irreproachable conduct.
- Internal control functions: Responsibilities, characteristics, organization, and execution of work for compliance officers and internal auditors, with notifications to CSSF including detailed personal and professional information.
- Conflicts of interest: Key requirements for a management policy applicable to all staff and management body members. (https://elvingerhoss.lu/insights/publications/circular-cssf-26906-central-administration-internal-governance-and-risk-0)
- New product approval: Defined key steps in the process.
- Safeguarding funds: Common-sense rules for compliance.

The circular aligns with EU/national laws requiring clear structures, risk processes, and controls proportional to institution size/complexity, including IT systems, outsourcing, and business continuity.
Suggested Considerations
- Gap analysis: Assess current frameworks against circular requirements on management bodies, internal controls, conflicts of interest, product approval, and fund safeguarding.
- Updates and notifications: Review/revise governance arrangements (e.g., policies, structures); notify CSSF of management body members, compliance officers, and internal auditors with required documentation (professional experience, police records, etc.).
- Implementation: Establish robust risk identification/management/monitoring/reporting processes, internal controls, and proportional arrangements (e.g., IT, outsourcing).
- Documentation: Develop conflicts policy, new product approval procedures, and safeguarding rules; ensure management body authorization.
- Ongoing: Maintain sound/prudent management amid growth; integrate with Law of 10 November 2009 requirements.
Key Dates
Compliance Impact
Urgency: High - With ~5 months from publication (20 Jan 2026) to compliance (30 Jun 2026), firms face tight timelines for assessments, policy overhauls, and CSSF notifications, especially given repealed circulars and sector growth pressures. Non-compliance risks supervisory actions, as this fosters "sound and prudent management" in a high-volume industry; proactive reviews are essential to avoid d
Who is Affected
References
AI-generated analysis. May contain errors or omissions — verify with the original CSSF source before acting.