AED ¦ New Circular No. 792 quater – Luxembourg Tightens ID Rules

Clearer Steps for Client Identification and Ongoing Vigilance

On January 26, 2026 the Directorate of Registration, Domains and VAT of the Grand Duchy of Luxembourg issued Circular No. 792 quater, updating and clarifying the obligations of professionals under the anti–money laundering and counter‑terrorist financing (AML/CTF) framework. The circular reiterates that professionals supervised by the AED must identify and verify their clients – both natural persons and legal entities or arrangements – using reliable, independent sources and proportionate, risk‑based measures. This article explains the practical implications for compliance teams, highlights key operational changes, and suggests steps firms should take now to align procedures with the circular.

Identification and verification requirements for natural persons

Circular 792 quater affirms that identification and verification for individual clients must be based on identification documents issued by public authorities. Acceptable documents include national identity cards, passports, and any similar authoritative document that is valid, bears the client’s signature, and contains a photographic likeness. Importantly, the circular emphasizes that documents must be understandable and decipherable by both the professional and supervisory authorities. For non‑Luxembourg documents the details (name, forename(s), nationality, date of birth, document number, expiration date, issuing country) must appear in the original language and in a language allowing comprehension by the professional. Regulators may request a translation into one of Luxembourg’s official languages or English, to be supplied within two weeks of notification.

Operational impact – natural persons

Compliance teams need to confirm that intake processes capture the required document attributes and that staff are trained to assess validity, signature presence, and photo integrity. Remote onboarding workflows must ensure secure or recognized electronic identification methods are accepted only if they meet the regulatory standard referenced – including relevant trust services under Regulation (EU) No. 910/2014 – or other approved secure identification processes. Firms should review their translation procedures and document retention practices to ensure translations can be produced within the two‑week window when requested by the supervisory authority.

Bastian Schwind-Wagner _Follow

"Circular No. 792 quater of the AED reinforces the fact that identification and verification must be robust and proportionate to risk, as well as being language-aware. The same standards must be applied to both in-person and remote onboarding. Firms must ensure documents are valid, signed, and clearly understandable, and be ready to provide translations within regulatory timelines.

Compliance teams should update CDD policies, verify remote identification tools against EU trust‑service standards, and maintain up‑to‑date corporate documentation and ownership charts. Continuous vigilance and clear recordkeeping are essential because the professional bears the burden of proof for compliance."

Identification and verification requirements for legal entities and legal arrangements

For legal persons and arrangements the circular requires collecting and retaining documentary evidence that establishes identity, legal existence and governance in a way proportionate to risk. Required items include the entity’s name, registration or national identification number where applicable, legal form, registered office and principal place of business, identity of directors or persons acting for the entity in the business relationship, and the rules governing the authority to bind the entity. Founding documents – statutes, charter, certificate of incorporation, recent company‑register extracts or equivalent proof – and an organizational chart showing ownership structure must be kept in paper or electronic copy. The precise scope of documents is to be determined using a risk‑based approach that aligns documentation depth with the client’s risk profile.

Operational impact – legal entities and arrangements

Firms must ensure onboarding checklists and case files include up‑to‑date incorporation documents, register extracts and a clear map of ownership and control. Where complex ownership chains or opaque governance structures exist, enhanced measures should be triggered: more detailed documentary evidence, verification of beneficial owners, and independent corroboration. The circular clarifies that verification is a continuous obligation – information collected at onboarding must be kept accurate and refreshed according to the risk assessment during the entire business relationship.

Face‑to‑face and remote onboarding – equal obligations

A key point in the circular is that identification and verification obligations apply equally whether onboarding is face‑to‑face or remote. The professional bears the burden of proof for compliance and must retain the supporting documentation. Verification measures and identification mechanisms must be proportionate and documented as deriving from an advance risk analysis; the method and extent of verification should be coherent with that analysis. The circular also distinguishes verification by the professional from authentication by a competent independent authority – the latter is a recognized verification method for cases requiring enhanced vigilance.

Practical steps for compliance teams

First, update client due diligence (CDD) policies and procedures to reflect the circular’s specifics: required document attributes for individuals, translation provisions for foreign documents, and the documentary set for legal entities.

Second, map your current remote identification tools and trust services against the circular’s reference to Regulation (EU) No. 910/2014 and ensure you maintain records proving the reliability and independence of those services.

Third, implement or refresh risk‑based decision trees that define what documentary depth and verification methods apply at low medium and high‑risk tiers, and ensure these are consistently applied and documented.

Fourth, enhance staff training to cover the new clarity and the need for continuous vigilance.

Fifth, review retention and retrieval procedures so requested translations or supporting documents can be produced within regulatory timelines.

Enforcement and supervisory expectations

The circular makes clear that the supervisory authority may request translations and documentation and expects professionals to respond promptly. Because the burden of proof of compliance lies with the professional, firms should treat the circular’s provisions as enforceable standards rather than guidance. Practices that fail to produce understandable identification documents, keep incomplete corporate documentation, or treat remote onboarding as lesser than in‑person onboarding will likely attract supervisory scrutiny.

Conclusion

Circular N°792 quater issued by AED tightens and clarifies Luxembourg’s expectations regarding client identification and identity verification. It emphasises the importance of document quality, language and translation requirements, the need for up-to-date corporate evidence and parity between remote and in-person onboarding. The message for compliance teams is straightforward: reassess and document your risk-based customer due diligence (CDD) measures; ensure your remote identity solutions meet regulatory requirements; strengthen evidence collection for legal entities; and prepare to supply translations and records within supervisory timeframes. Taking these steps will reduce regulatory exposure and strengthen defenses against money laundering and terrorist financing risks.

Dive deeper

• AED ¦ Circular No. 792 quater ¦ Link
• EUR-Lex ¦ Regulation (EU) No 910/2014 e-IDAS ¦ Link