🇱🇺 CSSF Guidance high

New Circular CSSF 26/906 “Central administration, internal governance and risk management” applicable to payment and electronic money institutions

Published 20 January 2026 | Luxembourg

AI Analysis

Executive Summary

CSSF Circular 26/906, published on 20 January 2026, establishes detailed requirements for central administration, internal governance, and risk management for payment institutions (PIs) and electronic money institutions (EMIs) in Luxembourg, repealing prior circulars IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155. It clarifies application of the amended Law of 10 November 2009 on payment services, emphasizing robust governance amid sector growth to ensure safety, efficiency, and trust. This matters for compliance as it mandates comprehensive reviews and updates to governance frameworks by mid-2026, addressing rising transaction volumes. #

What Changed

The circular consolidates and updates governance rules, focusing on: - Management bodies: Responsibilities, composition, qualifications, organization, and functioning, including CSSF authorization of members based on professional experience, standing (e.g., police records), and irreproachable conduct. - Internal control functions: Responsibilities, characteristics, organization, and execution of work for compliance officers and internal auditors, with notifications to CSSF including detailed personal and professional information. - Conflicts of interest: Key requirements for a management policy applicable to all staff and management body members. (https://elvingerhoss.lu/insights/publications/circular-cssf-26906-central-administration-internal-governance-and-risk-0) - New product approval:

What You Need To Do

Gap analysis
Updates and notifications
Implementation
Documentation

Key Dates

20 January 2026 - Publication date of Circular CSSF 26/906.

30 June 2026 - Compliance deadline: Institutions must assess/review central administration, internal governance, and risk management frameworks to ensure full compliance. DEADLINE

Compliance Impact

Urgency: High - With ~5 months from publication (20 Jan 2026) to compliance (30 Jun 2026), firms face tight timelines for assessments, policy overhauls, and CSSF notifications, especially given repealed circulars and sector growth pressures. Non-compliance risks supervisory actions, as this fosters "sound and prudent management" in a high-volume industry; proactive reviews are essential to avoid d

Who is Affected

Primary: Luxembourg-authorised payment institutions (PIs) and electronic money institutions (EMIs) under the Law of 10 November 2009 (Articles 11, 13 for PIs; 24-7, 24-9 for EMIs).Key roles: Management body members, compliance officers, internal auditors.Broader: Support PFS or related entities if overlapping with PI/EMI activities; firms assessing governance against CSSF standards.

References

Summary

No description available.

Sectors

Payments & E-Money

Topics

Senior Managers / Governance Operational Resilience / Outsourcing

Relevant Firm Types

Payment ProviderFintech

View Original on CSSF Back to Feed