CSSF ¦ Annual Report 2024: Financial Crime

Financial Crime 2024: CSSF’s Supervision, Findings and Regulatory Developments

The CSSF continued to apply a risk‑based supervisory framework combining off‑site and on‑site measures to monitor compliance with anti‑money laundering and countering the financing of terrorism obligations. In 2024 the authority collected quantitative and qualitative data through the annual Questionnaire on Financial Crime across all supervised sectors, implemented an API to streamline data intake and processed long‑form audit and AML/CFT reports from approved statutory auditors and internal control functions. The CSSF placed particular emphasis on the quality of name screening, timely review of alerts, transaction monitoring effectiveness, beneficial owner identification and documentation of source of funds and wealth. The regulator also stressed the need for clear governance of outsourced AML/CFT tasks and robust second‑line controls. Engagement with the private sector and supervisory colleges remained intensive. The CSSF organised sector‑specific conferences and expert working groups with industry associations and the FIU, and it chaired or participated in numerous AML/CFT colleges at EU level.

On‑Site Inspections: Common Weaknesses and Thematic Priorities

During 2024 the on‑site inspection department completed 32 AML/CFT inspections concentrating on higher‑risk activities — private banking, trade finance, services to funds, PFS providing domiciliation and transfer agent services, payment and electronic money institutions, and VASPs. Recurring critical findings included ineffective sanctions list screening (frequency, delta screening, inadequate fuzzy matching thresholds), weak processing of generated alerts, incomplete ongoing due diligence and transaction monitoring, insufficient documentation of source of funds/wealth and shortcomings in identifying beneficial owners in complex structures. Inspections also revealed shortcomings in compliance monitoring plans and in the supervision of outsourced AML/CFT tasks, including insufficient contractual detail and reporting by delegates.

The CSSF also inspected innovative or largely digital business models (payment service providers, e‑money institutions, virtual asset service providers) and noted that while automation can raise control quality, it relies on high‑quality client and transaction data. The regulator urged professionals to retain oversight of algorithmic and AI tools and to document how such tools improve control outcomes and avoid false negatives or positives. Terrorist financing detection and the need for TF‑specific transaction monitoring rules were flagged as areas requiring strengthened attention.

Bastian Schwind-Wagner_Follow "The CSSF intensified targeted AML/CFT supervision in 2024, identifying persistent gaps in name screening, transaction monitoring, beneficial ownership verification and outsourced controls, while preparing for the substantial EU AML reform that introduces AMLA and harmonised EU rules. The authority urges firms to strengthen governance, data quality and documentation, and to demonstrate effective oversight of automated and outsourced tools."

Sectoral Findings

Credit Institutions and Central Securities Depositories (CSDs)

The CSSF’s supervision of credit institutions and CSDs in 2024 combined detailed off‑site analysis with targeted on‑site inspections, driven by data from the annual Questionnaire on Financial Crime and long‑form audit reports. Key supervisory focus areas included the effectiveness and frequency of sanctions list screening, the quality of customer due diligence (including source of funds/wealth documentation), the adequacy of transaction monitoring systems and the internal governance and resourcing of compliance functions. Supervisory activity produced numerous observation letters and several injunctions where serious deficiencies were found; in one case the CSSF imposed a financial sanction for failures in AML/CFT and governance. The CSSF also intensified dialogue with banks through 170 dedicated AML/CFT meetings, sector conferences and AML/CFT colleges to align expectations and follow up remediation plans.

Given the banks’ systemic role and cross‑border footprints, the CSSF emphasised proper management of outsourced AML/CFT activities, robust second‑line controls and rapid processing of sanctions‑related alerts (including delta screening and updates after list changes). Supervisory findings highlighted the consequences of weak data quality and governance: flawed client databases and high fuzzy‑match thresholds increased the risk of missed hits, while delayed reviews of alerts and inadequate documentation undermined suspicious activity reporting. The CSSF expects credit institutions and CSDs to demonstrate measurable remediation, to evidence effective transaction monitoring tuning and to ensure that compliance monitoring plans are executed, documented and escalated when required.

Investment Firms

Investment firms were subject to a calibrated, risk‑based supervisory programme that combined an automatic ML/TF scoring from the Questionnaire on Financial Crime with expert adjustments informed by on‑site findings and audit reports. The CSSF focused on customer risk assessment, name screening, transaction monitoring and the accurate identification of beneficial owners, and it required investment firms to maintain adequate compliance resources and governance. Supervisory outreach included conferences and targeted meetings; the CSSF issued observation and injunction letters where ML/TF risk assessments, screening procedures or ongoing due diligence were inadequate or not aligned with law and CSSF guidance.

The CSSF also monitored the interplay between investment services and fund servicing or custody activities, paying particular attention to delegated AML/CFT tasks and the contractual and operational controls necessary to preserve supervisory oversight. Where transaction monitoring and name screening were outsourced, supervisors examined reporting chains and KPI flows to the investment firm. In cross‑border situations the CSSF played an active role in AML/CFT colleges, organising and participating in exchanges to coordinate supervision across jurisdictions and to safeguard consistent AML/CFT outcomes across group structures.

Specialised PFS

Supervision of specialised Professionals of the Financial Sector (specialised PFS) in 2024 emphasised domiciliation, transfer agent, trust and company service provider (TCSP) activities and other services exposing entities to elevated ML/TF and corruption risks. The CSSF required specialised PFS to complete the annual Questionnaire on Financial Crime and reviewed internal AML/CFT reports and compliance frameworks. Common deficiencies included incomplete client files, inadequate verification of beneficial owners in complex or nominee structures, weak transaction monitoring for low‑capitalised or heavily leveraged arrangements and insufficient documentation of the economic rationale for structures that could mask tax‑related predicate offence risks.

To improve market practice the CSSF engaged with specialised PFS through working groups, welcome visits and sector conferences, and it issued observation letters and acknowledgement letters following review of compliance officer appointments. The CSSF urged these firms to strengthen their compliance functions, formalise delegated tasking where relevant, adopt clear escalation paths and ensure the compliance monitoring plan is implemented with measurable checks and documented follow‑up. Special attention was given to TF exposure of non‑profit clients, PEP screening, and adherence to sanctions obligations in light of geopolitical developments.

Payment Institutions and Electronic Money Institutions

The CSSF expanded oversight of payment and electronic money institutions, recognising the high digitalisation and transactional volume that raise both opportunities and ML/TF vulnerabilities. Off‑site supervision relied on the annual Questionnaire on Financial Crime, compliance and internal audit reports, and where necessary on on‑site reviews of onboarding, payment flow monitoring, sanctions screening and travel‑rule readiness. Supervisory work highlighted the need for rigorous controls over customer data quality, secure and auditable name screening processes (including prompt delta screening on list updates), and transaction monitoring tuned to rapid, often high‑frequency retail flows.

Regulators advised payment and e‑money institutions to reinforce their second‑line challenge functions and to ensure robust contractual frameworks and KPIs where AML/CFT tasks are delegated to group or third‑party providers. The CSSF also monitored new business models and interfaces (including merchant onboarding and marketplace flows), stressing that compliant automation must be paired with sample testing, exception handling and timely escalation so that high‑volume digital services do not generate persistent blind spots.

Virtual Asset Service Providers

Supervision of virtual asset service providers intensified as the CSSF developed registration‑based oversight and prepared for the EU regulatory regime for crypto‑assets. The register grew in 2024 and the authority collected detailed statistics on custody amounts and transaction volumes, noting substantial activity in major cryptocurrencies. The CSSF’s priorities included Travel Rule implementation, the integrity and completeness of customer and transaction data, custody controls, transaction monitoring calibrated to crypto‑native typologies, and sanctions screening, including the handling of cross‑border transfers and correspondent arrangements.

While automation and blockchain‑native tools can strengthen traceability, the CSSF warned that any automation is only as effective as the data feeding it and the governance around its use. Registered VASPs were asked to demonstrate operational controls over name screening, delta screening after list updates, processes to manage incomplete Travel Rule data, and documented oversight of outsourced or third‑party components. The CSSF also emphasised the importance of high‑quality suspicious activity reports to the FIU and cooperation with other national authorities to address cross‑border illicit flows.

Undertakings for Collective Investment (UCI)

The CSSF’s UCI (undertakings for collective investment) departments maintained a comprehensive AML/CFT programme covering both on‑site and off‑site work, drawing on the SRRC (AML/CFT Summary Report RC), CISERO external AML/CFT reports from réviseurs d’entreprises agréés and the Questionnaire on Financial Crime. Off‑site supervision produced a high volume of observation letters and sector‑wide guidance, while on‑site inspections at alternative investment fund managers focused on investor due diligence, transfer agent processes, AML/CFT delegation, tax predicate risks and proliferation financing exposure at asset level.

Given the diversity of investment structures and cross‑border investor bases, the CSSF asked management companies and fund managers to ensure thorough investor onboarding, clear beneficial ownership mapping, and asset‑level risk controls — especially for investments in vessels, dual‑use goods or jurisdictions with heightened sanctions or export controls. The UCI teams also expanded engagement through a public‑private partnership and sector conferences to share supervisory expectations, provide examples of deficient practices and foster consistent compliance implementation across the fund ecosystem.

Regulatory, European and International Developments

Affecting AML/CFT 2024 was a pivotal year for European AML/CFT law. The final EU package — a new AML Authority (AMLA), an AML Regulation (AMLR), a revised AML Directive (AMLD6) and related measures — crystallised a shift toward harmonisation and stronger supranational oversight. AMLA will have direct supervision over selected financial entities and indirect oversight of non‑financial obliged entities; it will conduct investigations, on‑site inspections and sanctions where warranted. The AMLR imposes enhanced customer due diligence rules, stricter beneficial ownership transparency obligations, and clearer outsourcing limits and liability. Member States must also prepare to implement numerous technical standards, guidelines and implementing acts drafted jointly by AMLA, the EBA and the Commission; the CSSF has participated actively in these processes and encouraged industry engagement.

Internationally, FATF work continued to shape priorities: updates on virtual asset standards, guidance on beneficial ownership of legal arrangements, and thematic reviews (DNFBPs) influenced supervisory expectations. Luxembourg’s strong assessment in the FATF DNFBP horizontal review was noted. The EU and Luxembourg updated high‑risk and non‑cooperative jurisdiction lists and adopted successive targeted financial sanctions (including in response to the Russia–Ukraine conflict and other geopolitical developments). Nationally, Luxembourg adopted legislative and organisational adjustments, including formalising national coordination bodies and issuing CSSF circulars and FAQs clarifying sanctions screening, beneficial owner verification and SRRC reporting requirements.

Dive deeper

• CSSF ¦ Annual Report 2024 - Overview of the CSSF’s activities and initiatives in 2024; Chapter XXI. Financial Crime: pages 122-139 ¦ Link