CSSF ¦ Central Administration and Governance in Payment and E‑money Firms

What CSSF Circular 26/906 Means for AML/CFT

The CSSF’s Circular 26/906 (20 January 2026) consolidates Luxembourg rules on central administration, internal governance and risk management for payment institutions, electronic money institutions and account information service providers. While the circular covers broad governance requirements, its practical impact on anti‑money laundering and counter‑terrorist financing (AML/CFT) is material: it tightens expectations about how firms must structure control functions, allocate responsibilities, safeguard client funds and assess risks across delivery channels and third‑party arrangements. For practitioners focused on financial crime, the circular is a reminder that governance weaknesses are a principal enabler of money laundering, terrorist financing and payment fraud. The CSSF expects governance to anchor the firm’s defences, backed by independent compliance, risk and audit functions with appropriate resources, access and escalation rights.

Clear allocation of responsibilities – reducing gaps that criminals exploit

Circular 26/906 is explicit that robust central administration means more than a registered address: decision‑making and administrative centres must be in Luxembourg. The supervisory body (board) bears ultimate responsibility for approving the business strategy, risk appetite, funds‑safeguarding principles and policies on information security, outsourcing, conflicts of interest and AML/CFT. The management body is accountable for implementing these policies through documented procedures, with the compliance function and internal audit retained as independent, permanent second‑ and third‑line controls.

Why this matters: money launderers and terrorist financiers look for weak governance, unclear responsibilities and gaps in oversight. The CSSF is insisting that firms map decision flows, document escalation and sanctions procedures, and assign named senior individuals responsible for AML/CFT and for safeguarding funds. That reduces the ambiguity that otherwise lets suspicious activity slip through.

Bastian Schwind-Wagner

"The CSSF Circular 26/906 strengthens the regulatory expectation that robust governance, clear accountability and well‑resourced independent control functions are the primary defences against money laundering, terrorist financing and payment fraud. Firms must ensure their compliance and internal audit functions can act independently, access all necessary information and escalate issues directly to the board and the regulator.

Practical changes include documented proportionality assessments, daily reconciliations for safeguarded funds where justified, strict segregation of duties and tighter oversight of agents and outsourced providers. Implementing these measures reduces operational vulnerabilities and improves the institution’s ability to detect, investigate and report suspicious activity in a timely manner."

Independent compliance and the right of initiative – early identification and escalation

The circular requires a permanent Chief Compliance Officer (CCO) in Luxembourg, normally full‑time and fully dedicated to the function. The compliance charter must give the CCO the right of initiative to open investigations across the institution (including branches, agents and distributors), broad access to records and direct contact with the board chair, specialised committees and the CSSF. The compliance function is explicitly tasked with ongoing identification and assessment of compliance risks, including money laundering and terrorist financing risks, and must maintain a documented compliance monitoring plan with prioritised controls and remediation deadlines.

Why this matters: independence and direct escalation remove two classic failure modes in AML/CFT:

  1. compliance tasks subordinated to revenue‑generating lines, and
  2. slow or blocked escalation when front office pressure opposes suspicious‑activity controls.

The circular’s insistence on a compliance function that can act on its own initiative and report directly to board level increases the chance that suspicious patterns will be raised early, investigated properly and, where necessary, reported to authorities promptly.

Risk‑based governance and proportionality – focusing resources on the highest AML/CFT risks

The CSSF requires institutions to apply the principle of proportionality: governance must reflect the nature, scale and complexity of the business, including the number of staff, transaction volumes, product mix, distribution networks and outsourcing concentration. The circular lists factors that push a firm toward enhanced governance arrangements: high payment volumes (above EUR 10 billion), a significant balance sheet (above EUR 0.5 billion), extensive agent networks, complex outsourcing, and a complex IT architecture (including the arrangements for systems continuity). It also requires the board to approve a risk strategy and risk appetite covering money laundering and terrorist financing risks, and to ensure that management information enables oversight of these risks.

Why this matters: the risk‑based approach compels firms to map where AML/CFT exposure is highest (e.g., cross‑border flows, complex legal structures, emerging products, high‑volume retail rails, or outsourced KYC/transaction monitoring). Firms must document proportionality assessments and evidence how controls scale to risk, or explain remediation plans. That documentation becomes a compliance artefact regulators will expect to review.

Safeguarding funds – operational controls that limit criminal misuse

Articles 14 and 24‑10 of the LPS (reflected in the circular) require safeguarding of client funds either via segregation accounts or adequate insurance/guarantees. The circular demands daily controls and reconciliations in higher‑volume or complex operations (weekly reconciliations may be acceptable only following documented, board‑approved risk analysis). Access to accounting and payment‑movement systems must follow “need‑to‑know” and least‑privilege principles and be subject to 4‑eyes validation, with manual or materially significant movements requiring board‑level prior validation.

Why this matters: criminals target weak custody and reconciliation processes to launder proceeds (commingling, unauthorised transfers, or exploiting dormant accounts). Daily reconciliation, segregation safeguards, strict account opening/closing rules, and tightly controlled access reduce these vulnerabilities. The circular also stresses counterparty due diligence for custodial banks and insurers – an important mitigation where concentration risk could threaten continuity of protection.
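The two controls described above – a daily reconciliation of client liabilities against the segregated account, and a four‑eyes / least‑privilege gate on movements out of that account – are easy to state and easy to get subtly wrong (an initiator approving their own transfer, a surplus silently accepted as "fine"). The following Python block is an added illustration written for this article; it is not code from the circular, the CSSF or any institution. The ledger, custodian balance, role model, user IDs and the EUR 100,000 materiality threshold are all constructed assumptions for the example.

```python
"""Added example (not from the circular or this article): daily safeguarding
reconciliation plus a four-eyes / least-privilege gate for movements.
All data, roles and thresholds below are constructed assumptions."""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed client e-money ledger: client id -> balance owed to the client.
CLIENT_LEDGER = {
    "C-1001": Decimal("1250.00"),
    "C-1002": Decimal("80.50"),
    "C-1003": Decimal("0.00"),       # dormant account, still in scope
    "C-1004": Decimal("43210.75"),
}

# Constructed end-of-day statement from the custodian for the segregated account.
SEGREGATED_ACCOUNT_BALANCE = Decimal("44541.25")

# Assumed role model (least privilege): who may initiate vs approve movements.
ROLE_PERMISSIONS = {
    "ops_clerk": {"initiate"},
    "ops_manager": {"initiate", "approve"},
    "board_member": {"approve", "board_approve"},
    "compliance": {"view"},
}
MATERIAL_THRESHOLD = Decimal("100000.00")  # assumed: board validation at or above this


def reconcile(ledger, account_balance, tolerance=Decimal("0.00")):
    """Compare total client liabilities with the segregated account balance.

    A shortfall means client money is missing; a surplus is also flagged,
    because unexplained excess funds point to commingling."""
    liabilities = sum(ledger.values(), Decimal("0.00"))
    difference = account_balance - liabilities
    if difference < -tolerance:
        status = "SHORTFALL"
    elif difference > tolerance:
        status = "SURPLUS"
    else:
        status = "MATCHED"
    return {"liabilities": liabilities, "account": account_balance,
            "difference": difference, "status": status}


@dataclass
class Movement:
    amount: Decimal
    initiator: str            # user id
    initiator_role: str
    manual: bool              # manual (non-system-generated) movement
    approvals: list = field(default_factory=list)  # list of (user id, role)


def validate_movement(m: Movement):
    """Return (ok, reasons). Enforces least privilege, four-eyes and
    board-level prior validation for manual or material movements."""
    reasons = []
    if "initiate" not in ROLE_PERMISSIONS.get(m.initiator_role, set()):
        reasons.append("initiator role lacks 'initiate' permission")
    if m.initiator in {u for u, _ in m.approvals}:
        reasons.append("initiator cannot approve own movement")
    # Only approvals from a different person with an approving role count.
    valid = [(u, r) for u, r in m.approvals
             if u != m.initiator and "approve" in ROLE_PERMISSIONS.get(r, set())]
    if not valid:
        reasons.append("four-eyes: at least one independent approver required")
    if m.manual or m.amount >= MATERIAL_THRESHOLD:
        if not any("board_approve" in ROLE_PERMISSIONS.get(r, set()) for _, r in valid):
            reasons.append("manual/material movement requires board-level prior validation")
    return (not reasons, reasons)


def sample_movements():
    """Constructed cases for the gate above (user ids and roles are made up)."""
    return {
        "ok_routine": Movement(Decimal("500.00"), "u.alice", "ops_clerk", False,
                               [("u.bob", "ops_manager")]),
        "self_approved": Movement(Decimal("500.00"), "u.bob", "ops_manager", False,
                                  [("u.bob", "ops_manager")]),
        "manual_no_board": Movement(Decimal("500.00"), "u.alice", "ops_clerk", True,
                                    [("u.bob", "ops_manager")]),
        "material_with_board": Movement(Decimal("250000.00"), "u.alice", "ops_clerk", False,
                                        [("u.bob", "ops_manager"), ("u.dana", "board_member")]),
    }


if __name__ == "__main__":
    print(reconcile(CLIENT_LEDGER, SEGREGATED_ACCOUNT_BALANCE))
    for name, mv in sample_movements().items():
        print(name, validate_movement(mv))
```

Two design points matter in practice: the reconciliation uses `Decimal` rather than floats so that a one‑cent discrepancy is never rounded away, and the four‑eyes check counts only approvals from a different person holding an approving role, so a clerk collecting a second signature from a colleague without approval rights, or a manager approving their own movement, fails the gate rather than passing it.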

Third‑party risk, outsourcing and distribution networks – hotspots for ML/TF

The circular reiterates that institutions remain fully responsible for activities carried out through agents, distributors, representative offices and branches. It references the CSSF outsourcing circular (Circular CSSF 22/806) and the need to retain adequate governance, including on IT and cloud providers. Compliance and internal audit must be able to access, test and evaluate outsourced arrangements. Non‑standard or potentially non‑transparent activities – complex legal structures, opaque jurisdictions or layered entities – must be subject to in‑depth analysis and ongoing monitoring, with the board requiring clear justification for such structures.

Why this matters: outsourcing and third‑party distribution are perennial financial crime weak spots – outsourcer failures, vendor security lapses, or weak agent AML controls can be exploited to process illicit funds or mask the origin of transactions. The circular’s emphasis on contractual clarity, oversight rights, and the ability of compliance and audit to inspect third‑party operations is a practical step toward mitigating those risks. Firms must ensure KYC, transaction monitoring and suspicious‑activity reporting remain effective across the partner ecosystem.

Internal audit and challenge functions – validating AML/CFT effectiveness

Internal audit must be independent, maintain a risk‑based multi‑year audit plan, and specifically include an annual review of fund‑safeguarding arrangements and AML/CFT coverage. Summary reports from compliance and internal audit must be submitted annually to the CSSF alongside the management body’s compliance attestation.

Why this matters: independent audit provides an objective test of whether AML/CFT controls are designed and operating effectively. The CSSF’s requirement for regular, documented follow‑up on control deficiencies and for management to allocate resources for remediation creates regulatory accountability and shortens timelines for fixing gaps – critical to closing windows criminals rely on.

Preventing structural abuse – “know‑your‑structure” and conflicts of interest

The circular’s “know‑your‑structure” requirement obliges boards to understand group and legal entity layouts, intra‑group links and the purpose of structures used. Conflicts‑of‑interest policies must identify, assess and mitigate conflicts, especially where related parties or group entities are counterparties. Related‑party transactions that materially affect risk must be approved by the board and disclosed.

Why this matters: complex or opaque structures are classic conduits for layering and laundering. Boards must be able to justify structures on economic grounds and document the controls that prevent misuse. Attention to related‑party dealings reduces the risk of privileged channels being exploited to shield illicit flows.

Operational resilience, ICT risk and incident reporting – stopping abuse at system level

Circular 26/906 does not itself set out detailed ICT rules; it refers instead to EU digital operational resilience requirements and the CSSF’s ICT circulars. It does insist on business continuity, incident classification and escalation frameworks, and requires management information systems to work in both normal and crisis conditions so that oversight remains transparent.

Why this matters: transaction monitoring, alert generation and forensic capability rely on resilient ICT. Outages, degraded monitoring or undisclosed incidents can delay detection of laundering by hours or days – time enough for launderers to move funds. Firms must ensure continuity arrangements keep AML/CFT tooling operational and that incident reporting reaches boards and regulators promptly.

Practical actions for compliance teams

  • Revisit governance documentation: update board‑approved risk strategy, AML/CFT policy, compliance charter, and funds‑safeguarding principles to reflect Circular 26/906.
  • Confirm the status of the compliance function: ensure the CCO has independence, resources, direct board access and authority to initiate investigations; if part‑time or dual roles are in place, prepare a written, board‑approved justification and seek CSSF approval where required.
  • Map high‑risk processes and partners: prepare a documented proportionality assessment covering products, volumes, agent networks, outsourcing concentration, and complex legal structures; use this to prioritise controls and resource allocation.
  • Strengthen safeguarding controls: implement daily (or justified weekly) reconciliations, tighten account opening/closing rules, restrict system access on least‑privilege and 4‑eyes principles, and ensure contract clauses with custodians/insurers preserve segregation and quick payout conditions.
  • Validate third‑party oversight: ensure outsourcing agreements give audit and compliance inspection rights, clarify incident/termination protocols and concentration risk mitigation, and require ongoing due diligence on custodial counterparties and service providers.
  • Elevate reporting and remediation: formalise escalation procedures and a remediation matrix with deadlines, assign owners and ensure the supervisory body approves major remediation plans; prepare timely submissions of the annual CCO and internal audit summary reports to the CSSF.
  • Test continuity of AML tooling: validate transaction‑monitoring systems under crisis scenarios and ensure access to historical data needed for investigations and SAR filings during incidents.

Conclusion – governance as the frontline of AML/CFT

CSSF Circular 26/906 tightens the supervisory expectation that governance, control functions and operational processes form the primary defence against financial crime in payment and e‑money businesses. For AML/CFT teams, the circular elevates the importance of independence, documented risk appetite, proportionate resourcing, vigorous oversight of third parties and unambiguous safeguarding of client funds. Firms that treat governance as compliance theatre will find the CSSF demanding tangible proof: board approvals, documented proportionality, robust reconciliation logs, direct lines of communication for compliance and internal audit, and rapid remediation where controls are weak. The upshot is clear – effective AML/CFT begins with firm governance, not just software and alerts.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Dive deeper
  • CSSF ¦ Circular CSSF 26/906 Central administration, internal governance and risk management ¦ Link
Bastian Schwind-Wagner is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.