The national authorities responsible for the regulation and supervision of the banking sector in Luxem-bourg are the Commission de Surveillance du Secteur Financier (the “CSSF”) and the Banque centrale du Luxembourg (the “BCL”).

The CSSF

The CSSF is responsible for the prudential supervision of the Luxembourg financial sector Since 21 July 2021, following the entry into force of the “Authorisation Law,” the CSSF is solely competent to grant, refuse and withdraw authorisations for a range of entities under its supervision (including, among others, credit institutions, investment firms, specialised and support PFS, payment institutions and electronic money institutions, and certain branches and third country firms).The CSSF is also the (i) national resolution authority for the resolution of credit institutions and certain investment firms in the framework of the Single Resolution Mechanism and the Single Resolution Fund under EU Regulation 806/2014 of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund and amending EU Regulation 2010/1093 of 24 November 2010, as amended (“SRMR”) and (ii) the CSSF, through its resolution board (“RB”) (see answer to question 31 for the powers of the RB), acts as the resolution authority of failing national or transnational banks with the view to limiting their systemic impact as provided by the law of 18 December 2015 on the failure of credit institutions and certain investment firms (the “BRRD Law”) (transposing EU Directive 2014/59/EU of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms (“BRRD I”), as amended by EU Directive 2019/879 of 20 May 2019 as regards the loss-absorbing and recapitalisation capacity of credit institutions and investment firms and Directive 98/26/EC (“BRRD II”)). The CSSF further performs resolution tasks under Regulation (EU) 2021/23 for central counterparties. From 2025, the CSSF is responsible for supervising compliance with the Digital Operational Resilience Act (DORA) in Luxembourg.

The BCL

The BCL is part of the European System of Central Banks and is specifically responsible for, inter alia:

(i) the supervision of liquidity of credit institutions, in cooperation with the CSSF;

(ii) control over the smoothness and efficiency of payments systems;

(iii) the empowerment of financial stability; and

(iv) the implementation of monetary policies.

Within the Eurozone’s Single Supervisory Mechanism (SSM), the ECB directly supervises significant banks, with national authorities including the CSSF and BCL involved within their respective remits for less significant institutions and system functions:

In accordance with the provisions of the law of 5 April 1993 on the financial sector, as amended (the “LFS”), the following activities trigger the requirement of a banking license:

• accepting deposits or other repayable funds from the public and granting credit for their own ac-count;
• currency exchange dealers’ activities consisting of operations involving the purchase or sale of foreign currencies in cash; and
• dealing on own account or underwriting of financial instruments and/or placing financial instruments on a firm commitment basis, where the undertaking meets the conditions in Article 4(1)(1)(b) of Regula-tion (EU) No 575/2013 (CRR) (e.g. applicable size thresholds), thus triggering authorisation as a credit institution.

Pursuant to the relevant provisions of the LFS, professionals of the financial sector performing lending operations (such as financial leasing and factoring operations) fall under the scope of the license requirements. However, those professionals should seek for a license as a professional of the financial sector and not as a credit institution. It is worth noting that the granting of loans could be an activity exempted from licensing requirements, in so far as, among others, loans are not granted to the public or credit purchaser activities governed by the Law of 15 July 2024 on the transfer of non-performing loans.

No different categories of banking licenses exist under Luxembourg law. A banking license under Luxembourg law authorises the holder of such license to perform all activities permissible for a credit institution under the LFS (Annex I), subject to complying with applicable sectoral frameworks (for example, MiFID II/MiFIR for investment services and PSD2/PSR for payments) rather than separate banking licence categories. Within the Single Supervisory Mechanism, licences are processed in co operation with the CSSF and decided by the ECB..

That being said banks are able to issue covered bonds in accordance with the Law of 8 December 2021 on the issuance of covered bonds (the “Covered Bonds Law”). The Covered Bonds Law permits any credit institution incorporated in Luxembourg to issue covered bonds provided that the statutory eligibility, cover pool and risk management criteria are met by the relevant institution.

In addition to the above, the LFS lays down specific authorisation regimes for professionals performing the following activities of the financial sector (“PFS”):

• provision of any investment service or activity listed under the LFS (e.g private portfolio management, investment advice, dealing on own account);
• performance of activities such as registrar agents, professional depositaries of financial instruments and central account keepers;
• performance of activities such as communication, IT systems and e-archiving; and
• approved publication arrangement (“APA”) or approved reporting mechanism (“ARM”).

Under the Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (MiCAR) framework, supplemented by the law of 6 February 2025, Luxembourg has begun issuing crypto asset service provider (CASP) authorisations, with the CSSF designated as the competent authority. Credit institutions may provide MiCAR crypto asset services via notification rather than a separate CASP licence, subject to MiCAR requirements.

Pursuant to the provisions of the LFS any entity holding a credit institution license may perform all other banking and financial activities falling under the scope of the LFS, including portfolio management and advice as well as payment services and issuance of electronic money, each activity conditioned on compliance with its dedicated EU/Luxembourg framework.

• For investment services (eg, dealing on own account, execution, portfolio management/advice), credit institutions must meet applicable MiFID II/MiFIR and the Luxembourg Law of 30 May 2018 requirements, but no separate “broker dealer” licence is needed beyond the banking licence.
• For payment services and e money issuance, credit institutions may provide these services un-der their banking licence, but must comply with the Luxembourg Law of 10 November 2009 on payment services (as amended) and related PSD2/EMD rules (e.g. safeguarding, conduct, SCA).
• Funds received for payment services or e money are treated under PSD2/EMD, not as “depos-its,” and are subject to the specific safeguarding regime rather than deposit taking rules.

No. However, the CSSF created an “innovation hub”, being a dedicated point of contact for any person wishing to present an innovative project or to exchange views on the major challenges faced in relation to financial innovation in Luxembourg in order to establish a direct and permanent communication with the market participants on fintech related regulatory questions, enabling continuous, direct engagement while keeping the full regulatory framework in place. This allows the CSSF to monitor developments and expectations in the fintech ecosystem without granting time limited waivers or reduced licensing tiers.

Under the EU’s MiCAR framework, supplemented by the law of 6 February 2025, there is now a dedicated legal regime governing the issuance of crypto-assets (including asset‑referenced tokens and e‑money tokens) and the provision of crypto‑asset services in the EU, directly applicable in Luxembourg. Credit institutions can provide crypto‑asset services without obtaining a separate CASP authorisation, provided they give a prior notification to their home competent authority and comply with the MiCAR requirements for those services. The notification must be made at least 40 working days before first providing the ser-vices, and the bank is then deemed a CASP for supervisory purposes under MiCAR.

For issuance activities:

• Credit institutions issuing asset referenced tokens follow a MiCAR notification/white pa-per approval path tailored to banks; the competent authority must also take into account any negative opinion by the ECB or the relevant central bank on risks to payment sys-tems, monetary policy transmission or monetary sovereignty. Once approved/notified, the white paper is valid EU wide.
• For e money tokens, supervision of issuers aligns with the e money regime, with special rules where tokens are significant; credit institutions issuing significant EMTs remain su-pervised by their banking competent authority (with EBA’s role focused on EMIs issuing significant EMTs).

For custody and other crypto asset services by banks:

• A Luxembourg credit institution may perform in scope crypto asset services (e.g., custo-dy, trading platform operation, exchange, execution, reception/transmission of orders, placing/underwriting, advice, portfolio management, and transfer services) on the basis of the MiCAR notification, without a separate CASP licence, but must comply with MiCAR’s organisational, conduct, prudential and safeguarding requirements, including DORA cross references and AML/CFT obligations.

Luxembourg banks can, therefore, provide crypto asset services after a MiCAR notification to the CSSF (as home NCA) and must comply with MiCAR’s prudential, conduct, ICT/DORA, and AML/CFT obliga-tions.

MiCAR expressly notes that crypto-assets covered by its regime are not deposits and are not covered by deposit guarantee schemes (DGS) under the Deposit Guarantee Schemes Directive. According to the CSSF FAQ, credit institutions are not allowed to open traditional bank accounts in virtual assets and hence cannot take deposits in virtual currencies, facilitate or execute the settlement of payments in virtu-al currencies. However, credit institutions may open accounts, which are comparable to securities ac-counts for the safekeeping of traditional financial instruments, that allow customers to deposit virtual as-sets. Such accounts are segregated from the bank’s own assets. Client protection for crypto-assets comes, thus, from MiCAR’s custody/segregation regime (and, where relevant, MiFID II if the token is a financial instrument), not from depositor insurance.

Pursuant to the CSSF FAQ, credit institutions that directly invest in virtual assets shall adopt a conservative approach when risk-weighting such assets under the Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and in-vestment firms, as amended, commonly known as the capital requirements regulation (“CRR”). The CSSF expects Luxembourg credit institutions that directly invest in virtual assets to apply a conservative Pillar 1 treatment, typically assigning a 1,250% risk weight to gross exposures or deducting them from capital. The potential recognition of netting effects or the classification as cash or financial instruments shall be duly documented and validated by the authorised management. In addition, operational risks that are not fully covered by CRR risk weights have to be capitalised under Pillar 2 (please see our answer to question 18 for further details on the Pillar 2 regime).

Furthermore, credit institutions that use specialized virtual assets exchange and custody platforms may contractually transfer the corresponding counterparty risk towards the said specialised virtual asset ser-vice providers to customers. The CSSF FAQ provides that, to be effective from a risk perspective, such transfer of counterparty risk would require customers to directly contract with the virtual asset service provider. However, a credit institution that does not effectively transfer the counterparty risk to its customers has to comply with the large exposure limits framework provided for in the CRR for the counter-party risk it incurs on custody or exchange platforms. In that regard, credit institutions are invited to dis-cuss with CSSF the approach they intend to choose when determining the exposure value and the con-centration measure under the large exposure framework.

Regarding credit institutions established within the Eurozone or a country participating to the Single Supervisory Mechanism framework, the application for a bank license shall be submitted via the European Central Bank-run “IMAS Portal” as of February 2022. The European Central Bank (the “ECB”) has exclusive competence to grant bank licenses in accordance with (i) the Council EU Regulation 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions, and (ii) EU Regulation 468/2014 of the European Central Bank of 16 April 2014 establishing the framework for cooperation within the Single Supervisory Mechanism between the European Central Bank and national competent authorities and with national designated authorities. Information requirements are set out in Commission Delegated Regulation (EU) 2022/2580 and Commission Implementing Regulation (EU) 2022/2581, and in the ECB Guide to assessments of licence applications; the IMAS Portal form reflects these and shall be completed accordingly. The application for a banking license will be assessed by the ECB in close cooperation with the CSSF while the maximum assessment period is 12 months.

The general application process requires information regarding, inter alia, the programme of operations indicating the type and volume of business envisaged, the administrative and accounting structure of the institution, evidence showing the existence in Luxembourg of the central administration, the shareholdings as well as the professional repute and experience of the management.

Regarding the establishment of a branch in Luxembourg of third-country credit institutions, the application for a bank license shall be submitted to the CSSF and it shall be subject to the same authorisation requirements that are applicable for banks established under Luxembourg law.

European Union based credit institutions

Pursuant to the LFS, credit institutions authorized in a member state of the European Union (the “Home Member State”) other than Luxembourg may exercise their activities in Luxembourg through, inter alia, the provision of services, the establishment of a branch or a tied agent, provided that such activities (i) are covered by their authorization granted by the Home Member State; and (ii) fall within the scope of activities listed under Annex I of the LFS or section A or C of Annex II of the LFS. Similarly, any credit institution authorized in Luxembourg may carry on business in another Member State (the “Host Mem-ber State”) through the provision of services subject to a notification requirement addressed to the CSSF consisting of the activities listed in Annex I of the LFS that it intends to perform in the Host Member State. The CSSF is responsible for communicating the notification to the competent authority of the Host Member State within one month of its reception. Luxembourg based credit institutions wishing to provide activities in a Host Member State through, inter alia, the establishment of a branch or a tied agent, would have to comply with specific requirements set forth under the LFS.

Third-country based credit institutions

Third-country credit institutions may exercise their activities in Luxembourg through the establishment of a branch, which shall obtain a bank license (see also answer to question 9). By way of derogation, under Luxembourg’s national equivalence regime (the “National Third-Country Regime”), where the CSSF has recognised a third country as as applying supervision and authorisation rules equivalent to those laid down in the LFS, a credit institution authorized in that country may provide services in Luxembourg on a cross-border basis without establishing a branch or via an authorized branch under the regime, provided that (i) the services are within the scope of activities requiring authorisation both under the LFS and the institution’s home-state licence and (ii) all applicable Luxembourg rules (e.g. conduct of business, AML/CFT, sanctions, data protection) are complied with; this national route confers no EU passport and remains subject to change as Luxembourg transposes recent EU legislation. Pursuant to the CSSF Regulation 20-02 of 29 June 2020, as amended, jurisdictions which are deemed equivalent for the application of the National Third-Country Regime are as follows: (i) Canada, (ii) the Swiss Confederation, (iii) the United States of America, (iv) Japan, (v) Hong Kong Special Administrative Region of the People’s Republic of China, (vi) Republic of Singapore, (vii) the United Kingdom of Great Britain and Northern Ireland, (viii) People’s Republic of China and (ix) Australia. Services provided strictly at the sole initiative of a Luxembourg client (reverse solicitation) remain outside the scope of local authorisation, whereas any marketing or solicitation in Luxembourg will trigger the local regime. Finally, the forthcoming transposition of Directive (EU) 2024/1619 (CRD VI) introducing a harmonised EU regime for third-country branches, covering authorisation, classification, prudential and conduct requirements, and limits on certain cross-border activities without establishment, will require Luxembourg to align its regime, which may recalibrate the National Third-Country Regime and narrow cross-border options other than genuine reverse solicitation. In Luxembourg, the formal process of implementation of CRD VI began in October 2025, with sub-mission of the relevant bill of law no 8627 to Parliament.

A license for credit institution may only be granted to a legal person incorporated under Luxembourg law and which is established in the form of a public-law institution, a public limited company (société anonyme), a partnership limited by share (société en commandite par actions) or a cooperative society (société cooperative).

A Luxembourg subsidiary is authorised under the SSM common procedure (CSSF/ECB) and must meet stringent requirements on qualifying holdings, fit-and-proper management, governance, risk and internal controls, and full CRR/CRD prudential, reporting, and AML/CFT/DORA obligations, with EU passporting once licensed; an EU/EEA bank may operate in Luxembourg via a passported branch or cross-border services without local incorporation, with prudential lead at home and host oversight by the CSSF for conduct/AML and reliance on the home deposit guarantee scheme; a third-country bank needs a CSSF-authorised Luxembourg branch (no separate legal personality or EU passport) and must satisfy local governance, booking, reporting, conduct and AML/CFT standards and prudential expectations proportionate to its activities, with limited alternatives via national equivalence or genuine reverse solicitation (please see our answer to question 10 for further details).

Luxembourg has no domestic bank “ring fencing” law separating retail from investment banking, but EU prudential and resolution rules applied by the ECB/SRB and the CSSF often create de facto local ring fencing. In practice, entity level capital and liquidity requirements (with limited waivers), large exposure and intragroup limits, Pillar 2 and resolvability measures, and host state con-duct/AML/DGS obligations all reinforce local self sufficiency. This can trap capital and liquidity in the Luxembourg entity, constrain group treasury and back to back booking, require duplication or contractualisation of shared services, and increase governance and reporting overhead. MiFID client asset segregation is relevant insofar as a Luxembourg bank provides investment services or custody/prime brokerage. MiFID II/MiFIR require safeguarding clients’ financial instruments and money (including segregation and disclosures) to protect client ownership -especially in insolvency- but these are investor protection/organisational rules, not structural separation or prudential ring fencing tools; they complement the CRR/CRD capital liquidity regime and resolution requirements.

The LFS and CSSF Circular 12/552 (as amended most recently by CSSF Circular 24/860) on central administration, internal governance and risk management, govern in an extensive manner the corporate governance of Luxembourg-based banking institutions, imposing rules relating to their:

• central administration;
• internal governance; and
• risk management.

The supervisory body shall have the overall responsibility for the institution. It shall define, monitor and bear responsibility for the implementation of robust central administration, governance and internal con-trol arrangements, which shall include a clearly structured internal organisation and independent internal control functions with appropriate authority, stature and resources with respect to their responsibilities.

The central administration of a banking institution is divided into the decision-making centre, which is comprised of the authorised management and the heads of the business functions, and the administrative centre, which includes the administrative, accounting and IT organisation and shall ensure, among others, proper administration, execution of operations, complete recording of operations and accurate production of information. The members of the management body must have already acquired an adequate level of professional experience through the performance of similar activities and thus be of high professional repute. The latter is assessed on the basis of police records and any source that evidences their good reputation and/or offers a guarantee for the irreproachable conduct of their duties. The prudential approval procedure sets out the fit and proper approval process for the appointment of key function holders and members of the management body in credit institutions. Recent amendments to CSSF Circular 12/552 have enhanced the provisions with respect to the diversity and independence of the management body.

Furthermore, internal governance arrangements pursue to eliminate or limit conflicts of interest. The Luxembourg legal framework requires that the organisation chart of the credit institution is established based on the principle of segregation of duties, pursuant to which the duties and responsibilities will be assigned so as to avoid making them incompatible for the same person. In that context the management body is required to document data related to loans provided to the management body and share these data with the CSSF upon its request. For banks performing MiFID investment services (e.g., marketing/placing their own instruments), Commission Delegated Regulation (EU) 2017/565 requires comprehensive conflicts of interest policies and controls by introducing rules aimed to mitigate the conflict of interest between the credit institution and its clients. In that context, article 41(2) provides that when a credit institution is engaged in the marketing of its own instruments, clear and effective arrangement should be at place for the identification, prevention and/or management of the potential conflict of inter-est. In the same context, and as analysed in the answer to question 17, special rules regulate the remuneration policy of credit institutions.

Credit institutions are also required to have dedicated internal control functions, such as a risk control function, a compliance function and an internal audit function. The internal control functions are permanent and independent functions, each with sufficient authority. The degree of the measures required is subject to the principle of proportionality, meaning that more complex, riskier and significant institutions must have in place enhanced internal governance and risk management arrangements.

Luxembourg banks’ operational resilience is anchored in EU law and CSSF rulemaking. The EU’s DORA sets harmonised requirements for Information and Communication Technology (ICT) risk management, business impact analysis, ICT continuity and recovery planning, major ICT incident reporting, digital resilience testing and stringent oversight of ICT third party providers supporting critical or important functions, with boards setting the ICT risk tolerance and overseeing implementation. The CSSF complements DO-RA through its regulatory framework, notably circulars on ICT and security risk management (e.g. Circular 20/750) and on outsourcing, which require identification, governance and notification of outsourcing of “critical or important” processes and ICT services, thereby embedding third party dependency mapping and control into banks’ resilience arrangements. In parallel, the Basel Committee’s Principles for Operational Resilience guide banks to identify critical operations and set board approved “tolerances for disruption,” tying governance, business continuity and incident response to the ability to deliver critical operations through severe but plausible shocks, an approach that aligns with and informs Luxembourg/CSSF expectations under DORA.

Luxembourg banks must manage outsourcing under the CSSF’s consolidated framework in Circular 22/806 (as amended by Circular 25/883), which aligns with DORA and sets governance, risk, contractual, notification, and oversight requirements across all third party arrangements, with stricter rules for “critical or important” functions and for ICT/cloud outsourcing. The management body remains fully responsible for compliance and oversight of outsourced functions, and firms must identify, assess, monitor, and manage risks across all third party arrangements, maintain GDPR compliance, and apply sound governance for outsourcing (including intragroup), proportionately to risk. For “critical or important” outsourcing, banks must keep a complete register, notify the CSSF (including material changes), ensure robust contractual rights (e.g., access, audit, reporting, sub outsourcing controls), and meet specific third country conditions where banking/payment activities would require authorisation in Luxembourg, including supervisory cooperation arrangements. Audit rights may be exercised via pooled audits, but firms cannot rely solely on third party certifications over time for critical/important outsourcing; they must define audit frequency on a risk basis per recognized standards. Exit strategies are mandatory for critical/important out-sourcing and must include roles, resources, timelines, success criteria, and service level indicators that can trigger transition or termination; ongoing monitoring must align to these indicators. Part II of 22/806 imposes additional ICT outsourcing requirements (cloud and non cloud), including restricting Cloud Ser-vice Provider (CSP) access, segregating day to day “resource operation” from the cloud provider, and proportionality carve outs where activities are not, and are unlikely to become, critical or important. Complementing CSSF rules, the ECB’s Cloud Outsourcing Guide (for ECB supervised significant institutions) interprets DORA by requiring that abrupt CSP discontinuation not cause disruption beyond maximum tolerable downtime/data loss for critical functions, supported by data/application portability, multi site/backup strategies, robust exit plans, incident reporting/monitoring clauses, and recommended standard contractual clauses. The ECB also sets expectations on governance, security, and exit for cloud outsourcing that go beyond minimum DORA text in places (e.g. independent monitoring, expanded audit/access clauses), reinforcing heightened controls when cloud supports critical or important functions.

I. Luxembourg banks are subject to an EU led ESG/climate framework applied through the SSM and national CSSF supervision, requiring integration of environmental, social and governance risks in-to governance, strategy, risk management, disclosures and prudential processes. The ECB has set supervisory expectations that banks conduct a sound materiality assessment, embed climate and environ-mental (C&E) risks into governance/strategy/risk management, and incorporate these risks into stress testing, enforcing interim deadlines and using periodic penalty payments where needed. The updated CRD VI requires banks to prepare prudential transition plans addressing C&E risks from the shift to climate neutrality and mandates supervisors to assess these plans, with the EBA Guidelines on the management of ESG risks (applicable from 11 January 2026) operationalising expectations on strategies, policies, scenario analysis and integration across traditional risk categories. On disclosures, large institutions must publish Pillar 3 ESG information on physical and transition risks using uniform templates, with CRR III extending proportionate ESG disclosures to all institutions and the EBA issuing a temporary “no action” approach on strict enforcement during the transition; these prudential disclosures interface with entity/product disclosures under SFDR/Taxonomy and sustainability reporting under CSRD, the latter being subject to forthcoming amendments following the introduction of the “Omnibus” simplification pack-age. Locally, the CSSF prioritises transparency, governance and risk management of sustainability risks, conducts on site inspections (including MiFID II sustainability topics for banks offering investment ser-vices), and is designated as national supervisor for SFDR/Taxonomy compliance under the 25 February 2022 law (SFDR and Taxonomy Regulation Implementing Law). More broadly, Luxembourg’s governance baseline (CSSF Circular 12/552) aligns with these ESG expectations by requiring robust internal governance and risk frameworks, which the SSM applies through ongoing supervisory reviews and actions to ensure banks’ capital planning and controls adequately reflect ESG risk drivers.

The aim of the procedures and arrangements implemented in relation to remuneration is to help ensure that risks are managed in an efficient and durable manner. Credit institutions must maintain sound, risk-aligned and gender-neutral remuneration policies and comply with the requirements concerning the governance arrangements and remuneration policies of Directive 2013/36/EU (“CRD IV”) and Directive 2019/878/EU (“CRD V”), as transposed into the LFS with the Law of 20 May 2020 (the “CRD V Law”). Furthermore, credit institutions must comply with the disclosure requirements of the CRR, as amended by Regulation (EU) 2024/1623, the (“CRR III”), the criteria set out in the relevant EU regulatory technical standards, the European Banking Authority (the “EBA”) guidelines on remuneration policies and best practices and the applicable CSSF circulars. Most importantly, the rules governing the remuneration poli-cy apply on a consolidated, sub-consolidated or solo basis, depending on specific parameters, to all staff whose activities materially impact the bank’s risk profile (identified per Commission Delegated Regulation (EU) 2021/923), including: a binding bonus cap for material risk takers limiting variable remuneration to 100% of fixed pay (or up to 200% with prior shareholder approval); requirements that at least 50% of variable pay be awarded in non-cash instruments aligned to long-term interests and that a material portion be deferred over multi-year periods (generally 3-5 years, longer for senior roles/significant institutions) with appropriate retention; operable ex ante/ex post risk adjustment tools, including malus (reducing/cancelling unvested awards) and clawback (recouping paid awards) so variable pay can be reduced to zero where warranted (e.g. misconduct, risk management failures, significant losses); proportionality waivers allowing disapplication of the deferral/instrument split for smaller/non-complex institutions and for staff with low variable remuneration, while core requirements (including the cap and risk adjustment) continue to apply; and public Pillar 3 disclosures (CRR Article 450, as updated by CRR III) detailing remuneration governance, risk alignment, all interpreted and operationalised through the EBA Guidelines on sound remuneration policies and supervised/enforced in practice by the ECB/CSSF through SREP and governance reviews, with local expectations anchored in CSSF Circulars 12/552 (internal governance) and 10/437 (remuneration)..

The legal rules governing the capital requirements of credit institutions are imposed at an EU level in the CRR. The so-called Pillar 1 of the Basel III Framework (“P1R”) requires credit institutions to maintain and satisfy at all times a total capital ratio of 8% of their risk-weighted assets, composed of 4.5% of Common Equity Tier 1 capital (“CET1”) (as defined in the CRR), 1.5% of Additional Tier 1 (“AT1”) capital (as de-fined in the CRR), and 2% of Tier 2 capital (“AT2”) (as defined in the CRR). In addition to the P1R ratios, the CSSF is capable of imposing bank-specific capital requirements (Pillar 2 Requirements – “P2R”) that have micro-prudential considerations and cover risks that are underestimated or not covered by, P1R. Both P1R and P2R are binding and obligatory for credit institutions, which is not the case for the Pillar 2 Guidance rules (“P2G”), which constitute suggestions of the CSSF to the banks relating to their own funds.

On top of the P1R and P2R ratios, credit institutions in Luxembourg are required to hold and maintain the following buffers:

• a capital-conservation buffer of CET1 equal to 2.5% of their total risk exposure amount;
• an institution-specific countercyclical capital buffer of CET1 (equivalent to their total risk exposure). The CSSF is responsible for setting the countercyclical buffer rates applicable in Luxembourg on a quarterly basis. According to CSSF Regulation 24-09, a countercyclical capital buffer rate of 0.5% applied to credit institutions for the first quarter of 2025;
• a Global-Systemically-Important-Institutions (“G-SII”) buffer;
• an Other-Systemically-Important-Institutions (“O-SII”) buffer (for the analysis of G-SII and O-SII please see answer 23); and
• a systemic-risk buffer for systemic banks of at least 1% based on the exposures to which the systemic risk buffer applies, which may apply to exposures in Luxembourg as well as to exposures in third countries. The rationale of this buffer, as clarified in the CRD V Law, is the mitigation of systemic risks, to the extent that these are not already covered by the capital buffers for systemically important institutions (G-SIIs/O-SIIs) or the countercyclical capital buffer. No maximum limit applies to this buffer.

Based on the above, and especially since there is no G-SII in Luxembourg, there are no major deviations related to P1R ratios between credit institutions. On the other hand, P2R requirements, since by nature are tailored to the specificities and particularities of each institution, are in principle capable of introducing (major) deviations between the own-funds treatment of credit institutions.

The Leverage Ratio (“LR”) is imposed by the CRR and is directly applicable in Luxembourg. Credit institutions should always maintain their LR at 3% which constitutes the quotient of the division between the CET1 capital of a credit institution and its total exposure measure (as defined in the CRR). The rationale behind this metric is to capture exposures of the credit institution which are not reflected in the P1R ratios, like credit default swaps, or off-balance sheet positions.

The obligation of credit institutions to retain liquid assets is assessed through the LCR and NSFR ratios, which are imposed in the CRR and are directly applicable in Luxembourg.

The LCR certifies that financial institutions hold at all times liquid assets, the total value of which equals, or is greater than, the net liquidity outflows that might be experienced under stressed conditions over a short period of time (30 days). Net cash outflows must be computed on the basis of a number of assumptions concerning runoff and drawdown rates.

The NSFR aims to ensure the resilience of financial institutions over a longer time horizon by requiring financial institutions to raise stable funding at least equal to their stable assets or illiquid assets that can-not be easily turned into cash over the following 12 months. Following the CRR II, the NSFR is applicable for all credit institutions as of 28 June 2021.

CRR III seeks to limit an institution’s risk of excessive reductions in capital, to allow for uniformity of in-ternal calculations between institutions. This implementation pertains to credit risk and it will lead to an increase in thresholds imposed on regulatory capital requirements, which will have an adverse effect on fees and profitability. The areas currently most affected by the output floor changes are real estate lending, followed by corporate lending and retail lending. It is worth noting that the output floor changes are being gradually phased in to give financial institutions sufficient time to implement the necessary procedures to adhere, with the aim of being fully applicable by 2032.

In Luxembourg, banks can access various sources of funding from the national or central bank. The BCL provides monetary policy operations such as Main Refinancing Operations (“MROs”) and Longer-term Refinancing Operations (“LTROs”), which offer liquidity against eligible collateral. Additionally, Luxembourg banks can utilize standing facilities, including the marginal lending facility for overnight liquidity needs and the deposit facility for overnight deposits with the central bank. In extraordinary circumstances, banks may also request Emergency Liquidity Assistance (“ELA”) from the BCL, subject to ECB approval. Moreover, interbank lending and refinancing through the T2 payment system enable banks to manage short-term liquidity needs efficiently.

Credit institutions established in Luxembourg, being either a public limited liability company (société anonyme), or a partnership limited by shares (société en commandite par actions) or a cooperative socie-ty (société cooperative), are subject to the Law of 10 August 1915 on commercial companies, as amended, and the Law of 17 June 1992 on the annual and consolidated accounts of credit institutions, as amended, and thus are required to publish their financial statements.

On top of the general corporate law requirements, credit institutions should comply with disclosure provisions relating to prudential supervision, imposed by the CSSF Circular 19/731 (repealing Circulars 15/602 and 19/710) and the Commission Implementing EU Regulation 2021/451 of 17 December 2020 laying down implementing technical standards for the application of EU Regulation 575/2013 with regard to supervisory reporting of institutions and repealing Implementing EU Regulation 680/2014. According to the latter, credit institutions are required to transmit data relating to their activities on a monthly, quarterly, half-yearly or annual basis, depending on the subject matter. The CSSF Circular 19/731 governs the annual prudential (Pillar 3) disclosure of information by credit institutions; it does not replace statutory publication of annual accounts under company/sectoral law. . The receiver of the above data will either be the CSSF or the ECB depending on whether the supervised credit institution qualifies as significant or not.

Consolidated supervision applies in Luxembourg. On an EU level, the CRR requires credit institutions to report on a consolidated basis figures relating to own-funds and eligible liabilities, capital requirements, liquidity, leverage and solvency ratios, large exposure limits, and arrangements concerning exposures to transferred credit risk.

According to the LFS, the CSSF exercises prudential supervision on a consolidated basis with respect to credit institutions which are a parent institution in Luxembourg, or an EU parent institution, and to credit institutions whose parent company is a financial holding company or a mixed financial holding company in an EU member-state. Within the SSM, the ECB acts as consolidating supervisor for significant groups, while the CSSF consolidates for less significant groups where it is competent on a solo basis.

The main consequence of consolidated supervision is that the supervisor manages to have a more holistic view in the financial situation of the group so as to account for considerations relating to the financial stability and soundness of the credit institution, as if the group were a single entity. In that manner, the supervisor can monitor more closely credit institutions and prevent them from escaping compliance with supervisory standards by moving activities into subsidiaries or by double-leveraging their capital.

According to the LFS, any natural or legal person aiming to acquire, directly or indirectly a qualifying holding (e.g. a holding of 10% or more of the capital or of the voting rights of a credit institution or a holding that makes it possible to exercise a significant influence over the management of the bank) or to further increase, directly or indirectly such a qualifying holding as a result of which the proportion of the voting rights or of the capital held would reach or exceed 20%, 33 1/3% or 50% or so that the credit institution would become their subsidiary, is required to first notify in writing such decision to the CSSF. The CSSF shall also be notified prior to the disposal of qualifying holdings in credit institutions for approval. At the same time, on becoming aware of the acquisition or disposal, credit institutions shall also inform the CSSF accordingly. They shall also, at least once a year, inform the CSSF of the names of shareholders and members possessing qualifying holdings and the amounts of such holdings. Where the proposed acquirer is itself a regulated entity (e.g. a credit institution or certain financial institutions), the CSSF consults and coordinates with the relevant EEA competent authorities as part of the joint assessment process.

Special rules apply in cases where the acquirer is a credit institution or a PFS. In those cases, the authorisation of the CSSF is not required unless the qualifying holding exceeds 40 million euros and 5 per cent of a credit institution’s own funds.

In all the above cases, if the authorisation, approval and or notification procedure is not followed, the CSSF can impose administrative penalties/measures.

Finally, further insight into the specificities of the above provisions is provided by the CSSF Circular 17/669 which transposes the Joint Guidelines of ESMA, EBA and EIOPA on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector.

The LFS and the CSSF Circular 17/669 impose rules governing the eligibility of shareholders acquiring or owning a qualifying holding, relating to the transparency of the direct and indirect holdings in the credit institution and the establishment and guarantee of the sound and prudent management of the credit institution, it being related to the reputation of the acquirer, the reputation and experience of those who will direct the credit institution as a result of the proposed acquisition, the financial soundness of the pro-posed acquirer, the capability of the credit institution to continue to comply with the prudential requirements and to be subject to effective supervision following the acquisition and to AML/CTF Law considerations.

There is no distinction between domestic and foreign shareholding in banks under Luxembourg banking, hence no restrictions on foreign shareholdings in banks apply, subject to any foreign direct investment screening requirements.

Under the EU capital framework, systemically important banks are subject to additional buffers: a G SII buffer for globally systemically important institutions and an O SII buffer for domestically important institutions, calibrated and applied in line with CRD/CRR and the Basel “higher loss absorbency” standards. The G-SII buffer is a mandatory capital surcharge built up of CET1 and applied at the consolidated level of the identified banking groups’ additional capital requirements for systemically important banks. The capital surcharge may vary between 1% and 3.5% depending on the degree of systemic importance of the relevant bank. According to publicly available information, there is no bank established in Luxembourg identified as a G-SII. The O-SII buffer is applied on a consolidated/sub-consolidated or solo basis. In this respect, the CSSF takes its decisions after consultation with the BCL and after requesting the opinion of the Comité du Risque Systémique. As per European Systemic Risk Board (the “ESRB”) changes, from the 6th of October 2023, the combined buffer requirements for Luxembourg are 3 to 3.5%. The CSSF and the BCL have jointly developed a calibration methodology designed to translate the systemic im-portance of the institutions into O-SII buffer rates.

General administrative penalties imposed by the CSSF

Entities subject to the CSSF’s supervision, including credit institutions (and the members of the management body, the effective managers or the persons responsible for a breach of a violation of banking regulations) may be subject to the following administrative penalties imposed by the CSSF, depending on the seriousness of the relevant infringement:

• a warning,
• a reprimand,
• a fine of between 250 and 250,000 euros,
• one or more of the following measures:

a) a temporary or definitive prohibition on the execution of any number of operations or activities, as well as any other restrictions on the activities of the person or entity,

b) a temporary or definitive prohibition on participation in the profession by the de jure or de facto, directors or senior management personnel of persons or entities subject to the supervision of the CSSF.

Administrative pecuniary penalties and other administrative measures

In addition to the above, the CSSF has the power to impose the following administrative penalties and other administrative measures for breach of authorization, approval requirements and requirements for acquisitions of qualifying holdings:

(i) issue a public statement which identifies the natural person or relevant responsible entity and the nature of the breach;

(ii) enjoin the natural or legal person responsible to cease and to desist from a repetition of that relevant conduct which is in breach of the banking regulations;

(iii) in the case of a legal person, administrative pecuniary penalties of up to 10% of the total annual net turnover (i.e. the total net turnover of the undertaking in the preceding business year);

(iv) in the case of a natural person, administrative pecuniary penalties of up to EUR 5,000,000;

(v) administrative pecuniary penalties of up to twice the amount of the benefit derived from the breach where that benefit can be determined; and/or

(vi) suspend the voting rights attached to shares or units held by the shareholders or members held responsible for the breaches of authorization, approval requirements and requirements for acquisi-tions of qualifying holdings.

Criminal Penalties

The CSSF is first and foremost responsible for the supervision of the professionals falling within its com-petence for the purposes of the implementation of the LFS. To this end, it may apply all the measures and exercise all the powers, including sanctioning powers, conferred on it, in accordance with the appli-cable legal provisions. Without prejudice to the application of more severe penalties provided for by other legal provisions, where applicable, infringements of the LFS may result in fines of up to EUR 125,000 and/or and a term of imprisonment between eight days and five years.

Specific sanctions to CRR Institutions

The CSSF may also apply other administrative penalties and other administrative measures specific to CRR Institutions (as defined in the LFS) such as the launching of a procedure for the withdrawal of the given credit institution’s authorization in accordance with the CRR rules or imposing a temporary ban against the relevant members of the management body of the credit institution or any other natural per-son held responsible for the breach, from exercising their functions within the given credit institutions.

The CSSF publishes administrative measures and sanctions on its Publication and Data portal, evidencing continued use of warnings, reprimands, pecuniary penalties and restrictive measures against super-vised entities and, where appropriate, responsible persons. Recent entries illustrate ongoing sanctioning activity across the financial sector, including credit institutions, with a notable example being the recent administrative sanction on Rakuten Europe Bank S.A. for non-compliance with professional obligations related to anti-money laundering / counter financing of terrorism.

Despite and along with the relevant measures that shall be taken by the RB in the event of the failure of a bank (as provided for in the BRRD Law, see our answer to question 31 below), client’s assets and cash deposits are protected through the following schemes existing under Luxembourg law:

• the Investor Compensation Scheme (Système d’Indemnisation des Investisseurs Luxembourg), being the recognised Luxembourg Investor Compensation Scheme as referred to in Directive 97/9/EC and chaired by the CSSF. The main purpose of the Investor Compensation Scheme is to ensure cover-age for the claims (funds and financial instruments that its members hold, manage or administer on be-half of their clients) resulting from the incapacity of a credit institution or an investment firm. In case the relevant criteria are met and the institution holding the investor’s assets is no longer able to fulfil its com-mitments, investors are repaid by the Investor Compensation Scheme. The repayment covers a maxi-mum amount of up to EUR 20,000 per investor; and

• the Deposit Guarantee Fund (Fonds de Garantie des Dépôts Luxembourg), being the recognised Luxembourg Deposit Guarantee Scheme referred to in Directive 2014/49/EU of 16 April 2014 on Deposit Guarantee Schemes. The main purpose of the Deposit Guarantee Fund is to ensure compensation of depositors in case of unavailability of their deposits. It collects the contributions due by participating credit institutions, manages the financial means and, in the event of insolvency of a member institution, makes the repayments as instructed by the Conseil de protection des déposants et des investisseurs (being the internal executive body of the CSSF in charge of managing and administering Luxembourg compensation schemes). The membership to the Deposit Guarantee Fund is compulsory for all credit institutions and Luxembourg branches of credit institutions having their registered office in a third country. In case the relevant criteria are met and the institution holding the depositor’s assets is no longer able to fulfil its commitments, depositors are repaid by the Deposit Guarantee Scheme. The repayment covers an amount of up to EUR 100,000 per person and per institution, except for certain types of deposits for which the coverage may be higher than EUR 100,000 but cannot exceed EUR 2,500,000 for a 12-month period after the relevant amount has been credited to a bank account held with a failed institution (i.e. deposits resulting (i) from real estate transactions relating to private residential properties, (ii) that serve social purposes and are linked to particular life events of a depositor or (ii) based on the payment of in-surance benefits or compensation for criminal injuries or wrongful conviction).

The BRRD Law designates the CSSF as the national resolution authority. The CSSF exercises the powers and functions conferred to it under the BRRD Law through the RB (as defined in answer 1). The RB carries out its resolution functions independently from the supervisory functions of the CSSF and closely cooperates with the ECB.

Preparation of a resolution plan and assessment of resolvability prior to any resolution

The RB prepares a resolution plan for each credit institution falling under its competence (except for institutions being part of a group subject to consolidation) and assesses the resolvability of such institutions. The resolution plan is drawn up in accordance with the requirements set under the BRRD Law and should contain measures (including resolution tools) to be taken by the RB in the event the relevant credit institution meets the conditions for resolution.

Conditions for resolution

The RB shall take a resolution action towards a given institution if it determines that the following cumulative conditions are met:

(i) the relevant institution is failing or is likely to fail;

(ii) having regard to timing and other relevant circumstances, there is no reasonable prospect that any alternative private sector measures or supervisory action would prevent the failure of the institution; and

(iii) a resolution action is necessary in the public interest.
Provided that the conditions for resolution are met, the BR has the power to apply a certain number of resolution tools, exercise resolution powers and ancillary powers as described below.

Resolution tools

The following resolution measures may be taken (individually or in any combination, except for the asset separation measure which shall be applied simultaneously with another resolution tool):

(i) the sale of the business tool: In order to give effect to this tool, the RB shall transfer shares or other instruments of ownership issued by of the bank under resolution and all or any of its assets, rights or liabilities to a purchaser which is not a bridge institution;

(ii) the bridge institution tool: The aim of this tool is to maintain critical functions of the bank under resolution through the temporary transfer of good bank assets to one or more banks wholly or partially owned by public authorities and controlled by the RB;

(iii) the separation of assets tool: The impaired assets would be transferred to one or more asset management entities wholly or partially owned by public authorities and controlled by the RB. The relevant management entity should manage such assets transferred to it with a view to maximizing their value through eventual sale or orderly wind-down;

(iv) the bail-in measures: To convert debt into shares or write it down.

The resolution method will depend on the individual bank and the resolution plan that has been prepared for it.

Resolution powers and ancillary powers

Besides the exercise of the resolution tools, the BRRD Law confers a certain number of resolution powers and ancillary powers to the RB, including, among others, the following:

(i) appointment of a special manager to replace the management body of the relevant institution which shall have all the powers of the shareholders and of the management body of the institution under resolution;

(ii) to require any person to provide any information required for the RB to decide upon and pre-pare a resolution action, including updates and supplements of information provided in the resolution plans;

(iii) to conduct on-site investigations for information gathering purposes;

(iv) to take control of the relevant institution and exercise all the rights and powers conferred upon the shareholders, other owners and the management body of that institution;

(v) to transfer shares or other instruments of ownership issued by the relevant institution;

(vi) to transfer to another entity, with the consent of that entity, rights, assets or liabilities of the institution under resolution;

(vii) to reduce, including reducing to zero, the principal amount of eligible liabilities;

(viii) to convert eligible liabilities into ordinary shares or other instruments of ownership;

(ix) to cancel debt instruments (except for secured liabilities, including covered bonds and liabilities in the form of financial instruments used for hedging purposes which form an integral part of the cover pool and which are secured in a way similar to covered bonds);

(x) to reduce, including to reduce to zero, the nominal amount of shares or other instruments of ownership of relevant institutions and to cancel such shares or other instruments of ownership;

(xi) to require the relevant institution or a relevant parent institution to issue new shares or other instruments of ownership or other capital instruments, including preference shares and contingent convertible instruments;

(xii) to amend or alter the maturity of debt instruments and other eligible liabilities issued by the relevant institution (or amount of interest payable under such debt instruments and other eligible liabilities);

(xiii) to remove or replace the management body and senior management;

(xiv) with regards to assets, rights, liabilities, shares and other instruments located in a third country, require that the administrator, receiver or other person exercising control of the institution under resolution and the recipient take all necessary steps to ensure that the transfer, writedown, conversion or action becomes effective;

(xv) suspension of any payment or delivery obligations pursuant to any contract to which an institution under resolution is a party;

(xvi) to restrict secured creditors of an institution under resolution from enforcing security interests in relation to any assets of that institution; and

(xvii) to suspend the termination rights of any party to a contract with an institution under resolution.

Resolution objectives

When applying the resolution tools and exercising the resolution powers, the RB shall consider the following resolution objectives, and choose the tools and powers that best achieve the objectives that are relevant in the circumstances of the case:

• ensuring the continuity of critical functions carried out by the institution;
• avoidance of a significant adverse effect on the financial system, in particular by preventing contagion, including to market infrastructures, and by maintaining market discipline;
• protection of public funds by minimizing reliance on extraordinary public financial support;
• protection of depositors; and
• protection of client funds and client assets.

General principles governing resolution

The RB shall ensure that the resolution action complies with the following general principles:

• the shareholder of the institution under resolution shall bear first losses,
• creditors of the institution under resolution shall bear losses after the shareholders in accordance with the order of priority of their claims under normal insolvency proceedings, save as expressly provided otherwise in the BRRD Law;
• creditors of the same class shall be treated in an equitable manner, except where otherwise pro-vided in the BRRD Law;
• no creditor shall incur greater losses than would have been incurred if the relevant institution had been wound up under normal insolvency proceedings;
• the management body and senior management shall be replaced, except in those cases when the retention of the management body and senior management is considered to be necessary for the achievement of the resolution objectives;
• management body and senior management shall provide all necessary assistance for the achievement of the resolution objectives; and
• covered deposits shall be fully protected.

Luxembourg law provides for a bail-in tool in bank resolution deriving from the BRRD Law and the SRMR (please see our answer to question 31 above for further details on the resolution regime for banks).

The CSSF, as the national resolution authority and acting through the RB, has the power to write-down or convert relevant capital instruments and eligible liabilities of a failing bank under its remit in order to ab-sorb losses and before any resolution action is taken. The bail-in tool should be exercised by the RB in accordance with the priority of claims under normal insolvency proceedings and subject to the following order:

(i) CET1 items;

(ii) AT1 instruments;

(iii) AT2 instruments;

(iv) unsecured subordinated liabilities (subordinated loans, bearer bonds and participation rights which do not meet the requirements for AT1 or AT2 instruments);

(v) other eligible liabilities, in accordance with their ranking provided for in the Luxembourg’s normal insolvency proceedings.

The following liabilities – irrespective of their applicable law – are explicitly excluded from the exercise of a bail-in tool:

(i) covered deposits;

(ii) secured liabilities including covered bonds and liabilities in the form of financial instruments used for hedging purposes which form an integral part of the cover pool and which are secured in a way similar to covered bonds,

(iii) any liability resulting from the safekeeping of client assets or client money;

(iv) any liability resulting from a fiduciary relationship;

(v) liabilities to other credit institutions (excluding entities that are part of the same group) with an original maturity of less than seven days;

(vi) liabilities with a remaining maturity of less than seven days, owed to payment systems, securities delivery and settlement systems or to operators and other participants of such systems, if those liabilities result from the participation in the system; and

(vii) liabilities owed to

(a) employees, for accrued salary, pension benefits,

(b) commercial or trade creditors arising from the provision to the institution or group entity of goods or services that are critical to the ongoing functioning of its operations,

(c) Luxembourg tax and social security authorities with respect to their preferred claims; and

(d) deposit guarantee schemes based on contribution obligations.

The BRRD Law does not provide for the application of the bail-in tool in the context of a mere liquidity crisis. According to the BRRD Law, the RB may apply the bail-in tool for the purpose of either:

(i) recapitalizing an institution that meets the conditions for resolution to the extent sufficient to restore its ability to comply with the conditions for authorization, or

(ii) converting to equity/reducing the principal amount of claims or debt instruments that are transferred either to a bridge institution or under the sale of business tool or the asset separation tool.

The total loss-absorbing capacity (“TLAC”) requirements adopted on 9 November 2015 by the Financial Stability Board (the “FSB”) have been implemented within the EU legislation through the adoption of the EU revised rules on capital requirements, liquidity and resolution (CRR II/ CRD IV/ CRD V/ BRRD II/ SRMR2 (the “Banking Package”) which is applied in Luxembourg through the LFS as amended by the CRD V Law. The TLAC ratio applies to systemically important institutions being G-SIIs which must, at all times, respect an external TLAC requirement of 18% of total risk exposure amount and of 6.75% of leverage ratio exposure measure since January 2022.

Furthermore, banks which are non-G-SIIs but are part of a banking group with total assets in excess of EUR 100 billion shall also comply with an external TLAC requirement of 13.5% of total risk exposure amount and 5% of leverage ratio exposure measure, calculated on a consolidated basis at resolution group level.

Although there is, in principle, no minimum TLAC requirements for banks that are neither a G-SIIs nor part of a banking group with total assets in excess of EUR 100 billion, the RB may decide to apply the requirements laid down in the above paragraph to a given institution under its remit, if the RB assesses that the failure of such an entity is reasonably likely to pose a systemic risk. In practice, because there are currently no Luxembourg headquartered G SIIs, the Pillar 1 TLAC requirement does not apply at the top entity level in Luxembourg.

In Luxembourg, there is no specific “senior managers regime” like those in the United Kingdom or other jurisdictions. However, managers of banks are subject to general legal and regulatory frameworks that impose significant responsibilities. Under the LFS, senior managers, including members of the board of directors and executives, are required to ensure the proper management of the institution and compliance with applicable regulatory standards. This includes duties related to risk management, internal controls, and the overall sound and prudent management of the bank.

Additionally, the CSSF imposes specific requirements for fit and proper assessments for individuals in senior management positions, ensuring that the management of a financial institution has the necessary expertise, experience, and integrity to carry out their responsibilities. In the event of failures in govern-ance or violations of regulatory obligations, managers can be held accountable, including through admin-istrative sanctions, penalties, or, in extreme cases, criminal liability (see answer to question 28).

Over the next 12–18 months, Luxembourg banks will navigate an EU-driven wave of reforms alongside heightened supervisory focus and market shifts, with the most material impacts expected from capital/risk-rule finalisation (CRR III/CRD VI), digital/operational reforms (DORA, PSD3/PSR, instant payments), AML centralisation (AMLA), sustainable finance and data/reporting, fintech, plus continued SSM scrutiny on governance, risk and resilience under persistent geopolitical uncertainty.

• CRR III/CRD VI implementation: Banks must operationalise the final component of Basel III in the EU, including output floor and model constraints under CRR III from 1 January 2025 and CRD VI transposition, which together reshape risk-weighted assets, capital planning and governance expectations in Luxembourg.

• DORA operational resilience: Full application of DORA now drives ICT risk management, incident reporting, testing and third-party oversight across Luxembourg institutions, raising board and control-function expectations and intersecting with payments reforms the CSSF is preparing to align in supervision.

• AML package and AMLA: The new EU AML single rulebook and the establishment of AMLA in Frankfurt (direct supervision of selected high risk/systemic cross border institutions from 2026) will trigger Luxembourg law changes and CSSF updates to sectoral guidance/templates, requiring banks to uplift AML frameworks and reporting during the transition.

• CSRD Implementation: Bill 8370 was submitted to the Luxembourg Parliament in March 2024, with the purpose of transposing the CSRD into Luxembourg law, aiming to improve the quality, consistency, and transparency of sustainability reporting. It is currently still under discussion in Parliament. The Bill is expected to undergo further amendments to reflect the EU’s 2025 “stop-the-clock” deferrals introduced by Directive (EU) 2025/794 by pushing back first-time CSRD re-porting for later “waves” and adding clear transitional clauses. Following the European Parliament’s approval on 16 December 2025 of the Omnibus package, once it is finally adopted and published, Luxembourg is expected to activate enabling provisions in Bill 8370 to narrow CSRD scope, remove listed SMEs from mandatory CSRD reporting, and provide transitional relief for entities that fall out of scope.

• MiCAR/Crypto transition: MiCAR is in force and supplemented by the law of 6 February 2025, setting a transitional path for VASPs to convert to CASPs with the grandfathering period ending on 1 July 2026, affecting banks engaging in token issuance or crypto services and requiring co-ordination with the CSSF on permissions.

• Payments reform (PSD3/PSR) and instant payments: The forthcoming PSD3/PSR package tightens API/data-sharing, SCA and safeguarding, with the CSSF adapting licensing and aligning overlaps with DORA; in parallel, instant euro credit transfers have become mandatory across SEPA since early 2025, requiring operational, liquidity and fraud risk adjustments by Luxembourg banks.

• Securitisation Refit: EU “Securitisation Refit” changes aimed at revitalising the market will be particularly impactful in Luxembourg given its importance as a securitisation hub, requiring updates to disclosure, due diligence and reporting practices.

• Fintech/DLT enablement: The CSSF’s DLT market infrastructure guidance (e.g. Circular 23/832 integrating ESMA templates) and Luxembourg’s “Blockchain IV Law” underpin tokenisation and DLT use in capital markets, creating strategic opportunities and operational/regulatory work for banks interfacing with DLT platforms.

• Supervisory intensity and priorities: The ECB’s 2024–2026 priorities emphasise strengthening resilience to macro financial and geopolitical shocks, with continued scrutiny of governance, risk management and funding/liquidity, while the IMF notes the CSSF has strengthened on site inspections, together signalling sustained supervisory demands on Luxembourg banks.