20 January 2026
CSSF ¦ ML/TF Sub-Sector Risk Assessment (SSRA) on TCSP Activities
TCSPs in Luxembourg: High Inherent ML Risk, Strong Mitigations – What Practitioners Must Do Next
The updated 2026 CSSF sub‑sector risk assessment (SSRA) for Specialised PFS providing trust and company service provider (TCSP) activities reconfirms a clear picture: these professionals remain exposed to high inherent money‑laundering (ML) risk, while supervisory and private‑sector controls have reduced residual risk to a medium level. The document is a practical roadmap for compliance teams, risk officers and senior management who must translate sectoral findings into improved day‑to‑day defensive measures.
Why TCSP activities remain high risk
The CSSF identifies three TCSP activity clusters – company incorporation, provision of directorship and secretarial services, and domiciliation – and finds all three carry high inherent ML risk. Primary drivers are the sector’s international nature, complex and sometimes opaque ownership structures, and the role TCSPs play as gatekeepers when they provide domiciliation and director services.
Key points behind that finding:
- Most TCSP client vehicles are legal persons; special purpose vehicles and fund‑related entities are common and frequently linked to cross‑border groups. Beneficial owners often reside outside the EU. These features increase opportunities for concealment of ownership and source of funds.
- Predicate offences generating proceeds that could be channelled through TCSPs include fraud and forgery, tax crimes and corruption/bribery. The 2025 Luxembourg National Risk Assessment (NRA) also highlights fraud and tax crimes as “very high” external threats.
- While TCSPs can potentially be misused for terrorist financing (TF) or proliferation financing (PF), CSSF analysis and reporting show TF and PF threats are lower in practice than ML. The “Vertical Risk Assessment on Terrorist Financing” (VRA TF) and sector data indicate few TF indicators or STRs tied to TCSP activity; PF exposure is possible but currently limited and often tied to trade/dual‑use goods considerations.
What reduces the risk to a medium residual level
The CSSF attributes the reduction to a combination of supervisory and private‑sector measures:
- The supervised professionals have generally strengthened risk‑based frameworks, including risk appetite statements, entity risk self‑assessments and board oversight.
- Customer due diligence (CDD) and ongoing monitoring practices have improved: BO identification, screening against sanctions/PEP lists and periodic reviews are in place across the sector.
- Supervisory activity has intensified: tailored questionnaires, welcome visits, thematic reviews (shelf companies, bearer shares, TF), and a higher number of targeted on‑site inspections.
- Legal and administrative measures – registers such as the RBE (beneficial owners) and RFT (fiducies/trusts), new predicate offences (e.g., sanction evasion as ML predicate since July 2022) and tighter market‑entry checks – have limited certain historic avenues of abuse.
Practical findings from inspections and common weaknesses
The CSSF lists recurring on‑site and off‑site findings that firms must address.
Crucial gaps include:
- Risk appetite and entity risk assessments that are too generic and under‑estimate actual exposure;
- Insufficient or outdated documentation on source of funds/wealth, BO verification and the purpose and intended nature of the business relationship;
- Inadequate transaction monitoring (many rely on manual checks), tardy handling of sanctions hits, and slow or incomplete STR reporting to the Financial Intelligence Unit (FIU);
- Shortcomings in oversight of outsourced AML/CFT tasks and weak segregation of duties or second‑line controls in some firms;
- Compliance culture issues: insufficient resources, limited AML training targeted at staff roles, and slow responsiveness to supervisory information requests.
What firms should do now – prioritized actions that map to CSSF recommendations
The assessment contains focused recommendations. Practitioners should act on the following first:
- Strengthen risk self‑assessments and the board’s ML/TF risk appetite.
Make the firm’s written risk appetite explicit, board‑approved, and well communicated. Ensure risk self‑assessments are entity‑specific and reference the CSSF SSRA, the 2025 NRA and applicable EU guidance.
- Improve CDD and EDD for complex ownership and high‑risk clients.
Document how BOs are identified and verified, insist on credible source‑of‑funds/source‑of‑wealth evidence, and apply meaningful EDD for PEPs, high‑risk jurisdictions and opaque structures. Be able to demonstrate why an ownership chain is legitimate rather than merely documented.
- Close transaction monitoring gaps.
If business volumes prevent effective manual review, implement automated monitoring tuned to TCSP typologies (patterns, frequency, third‑party payments). Ensure monitoring covers unusual payments, circular flows and third‑party loans.
- Make sanctions/TFS screening immediate and defensible.
TFS screening must occur promptly after list updates. Firms should supplement rules‑based screening with a tested process for handling hits and for timely Ministry of Finance and CSSF notifications where required.
- Formalize periodic and event‑driven reviews.
Document periodic client review cadence by risk tier, include re‑screening (sanctions/PEP/adverse media) and ensure event‑driven reviews (ownership changes, reorganisations, material transactions) are promptly triggered.
- Ensure robust oversight where CDD or AML tasks are delegated.
Where third parties or group entities perform CDD, maintain documented oversight, sample testing and contractual rights to obtain the underlying client files and CDD evidence.
- Invest in tailored AML/CFT training and compliance resources.
Training must be role‑specific, include red‑flags and case studies for TCSP contexts (shelf companies, nominee arrangements, third‑party payments, trade/dual‑use concerns) and be refreshed regularly. Align staffing and technology budgets to the firm’s documented risk appetite.
- Enhance internal governance.
Give first‑ and second‑line functions authority, independence and resourcing; clarify escalation lines and ensure a well‑documented “tone from the top”.
Sectoral themes that need ongoing vigilance
- Shelf companies and bearer‑shares
CSSF reviews show shelf company services are limited and mostly provided to existing clients; bearer share depositary services are declining. Still, firms must maintain strict processes if they provide such services and document transfers/ownership updates to the RBE.
- Third‑party introductions and outsourcing
Reliance is permitted only where strict conditions are met. Firms must be able to demonstrate the third party’s CDD quality, supervision and record keeping are equivalent to Luxembourg standards.
- Trade‑related and PF risks
Where client activity involves dual‑use goods, complex trade finance or trade patterns inconsistent with business profiles, firms must apply augmented controls and, if needed, seek domain expertise (export control / OCEIT guidance) to assess PF and sanctions risks.
The CSSF’s regulatory stance and supervisory approach
The CSSF has increased its AML/CFT supervisory presence in the area of TCSP activities, with more thematic reviews, routine questionnaires, welcome visits and targeted on-site inspections. Enforcement powers and publication of administrative sanctions remain important levers. The CSSF expects ongoing improvements and will monitor adherence to the SSRA’s recommendations.
How compliance teams can turn this into work plans
- Immediate: update risk appetite and board‑level sign‑off; map high‑risk clients and conduct prioritized EDD (PEPs, high‑risk jurisdictions, opaque structures); implement daily TFS list update checks and close any reporting backlog.
- Near term: formalize periodic review schedules and event triggers; deploy focused training for client‑facing and compliance staff; begin automation pilots for transaction monitoring if manual review is no longer effective.
- Medium term: complete automation roll‑out (if justified), refresh third‑party oversight contracts and controls, and carry out internal testing of screening and STR processes. Prepare for CSSF exchange requests and ensure audit trails for delegated CDD work.
Bottom line
The CSSF SSRA reiterates a simple but crucial point: TCSP activities are inherently attractive to abuse because they can obscure ownership and move value across borders. Luxembourg’s framework has substantially matured, and supervisory attention is higher. Firms that materially strengthen CDD, EDD, transaction monitoring, sanctions controls and governance – and that keep the board engaged – will be best positioned to reduce residual exposure, demonstrate sound compliance to the CSSF and limit regulatory risk.
Dive deeper
- CSSF ¦ Publication of the update of the ML/FT Sub-Sector Risk Assessment on Specialised Professionals of the Financial Sector providing corporate services (trust and company service provider activities)