CSSF ¦ Looking back on the 2026 CSSF AML/CFT Conference for Specialised PFS

A clearer threat picture, stronger supervisory tools and practical guidance for specialised professionals of the financial sector

Luxembourg’s 26 January 2026 conference for specialised professionals of the financial sector, convened by the CSSF and the Financial Intelligence Unit (CRF), made two things plain: the supervisory and intelligence authorities have sharpened their view of money laundering (ML) and terrorist financing (TF) risks linked to trust and company service providers (TCSPs), and they expect firms to translate those insights into tangible, risk‑based controls. The latest sub‑sector risk assessment (SSRA) on specialised professionals providing corporate services sits between the national risk assessment (NRA) and firm‑level risk assessments to produce workable guidance for supervisors and industry alike. Practitioners should strengthen documentation, tailor TF analysis separately from ML, and ensure screening, transaction monitoring and suspicious reporting are timely and relevant.

What the SSRA adds – from macro to firm level

The SSRA is presented as the link between the EU and national NRAs and individual entity assessments. It adopts a meso‑level view: more granular than the NRA but broader than an entity’s internal risk model. Its objectives are practical – to reflect the CSSF’s view of ML/TF risks in the TCSP sub‑sector, to inform CSSF supervisory strategy, to support supervised entities when they perform their own risk assessments and to promote public‑private cooperation. The SSRA reiterates that TCSP activities covered by Luxembourg’s AML/CFT law include incorporation, directorship/secretarial services, domiciliation, fiduciary roles and nominee shareholder arrangements. Given the international and intermediary‑heavy nature of many engagements, these activities carry inherent transparency challenges.

Key threat drivers identified

Three features increase ML/TF exposure for specialised PFS: the sector’s heterogeneity, its strong international orientation and the frequent use of intermediaries between the ultimate client and the TCSP. Those features complicate beneficial owner identification and origin of funds checks and create fertile ground for misuse of legal persons, nominee arrangements and complex ownership chains.

The CSSF highlights three predicate offences most relevant to TCSPs: fraud and forgery, tax crimes and corruption/bribery. Fraud and cyber‑enabled fraud are of particular concern because proceeds are often moved through networks of mule accounts, shell companies and cross‑border payment chains. Tax crimes are facilitated by misuse of legal persons and conduit structures. Corruption risks surface where complexity and cross‑border investment flows create opportunities for concealment.

For TF, the authorities note that terrorist actors increasingly rely on criminal activity to raise funds. TCSP services are flagged in international guidance as higher risk for proliferation financing because they can obscure links between transactions and designated persons or entities. The report stresses that sanctioned persons and those acting on their behalf adapt quickly and use elaborate structures to evade detection.

Bastian Schwind-Wagner _Follow

"The CSSF and CRF expect specialised PFS to translate the SSRA and NRA findings into concrete, risk‑based controls that strengthen beneficial ownership transparency, transaction monitoring and sanctions screening. Firms must ensure their suspicious reporting is timely, fact‑based and prioritised so authorities can act effectively.

Senior management accountability and continuous staff training are essential to embed a compliance culture that adapts to emerging threats such as deepfakes, Business Email Compromise – BEC – and sanctions evasion. Where higher risks are identified, firms should apply enhanced due diligence and promptly remediate control gaps."

Regulatory and supervisory expectations

The CSSF expects firms to adopt and document a firm‑wide ML/TF risk appetite and to apply a genuine risk‑based approach. Core supervisory measures include fit and proper checks at licensing and over the lifetime of the entity, off‑site reviews, annual AML/CFT questionnaires, and both thematic and full‑scope on‑site inspections. The CSSF has expanded staff in both off‑site and on‑site teams and will apply remediation and enforcement tools where controls are inadequate.

At firm level, the CSSF and CRF expect robust client acceptance policies, ongoing due diligence, transaction monitoring and targeted financial sanctions screening. Senior management engagement and a culture of compliance are repeatedly emphasised as critical. Where inherent risks are higher, enhanced due diligence must be applied, including deeper scrutiny of beneficial ownership, origin of funds and the role of intermediaries.

TF-specific findings and guidance

A 2025 thematic review of TF within TCSPs revealed that many firms either folded TF into broader ML ratings or treated TF assessments superficially. The CSSF recommends separate TF risk assessments, TF‑focused training with case studies and TF red flags, and transaction monitoring that checks message content and counterparty jurisdictions. The review found no systemic TF deficiencies in the limited sample assessed, including clients linked to non‑profit organisations or beneficial owners in Israel and the UAE, but it warned that legal persons beyond NPOs are also abused for TF and that convergence between organised crime and TF could amplify risks.

Practical deficiencies the CSSF sees repeatedly

During off‑site and on‑site reviews, common weaknesses include poor articulation of an AML/CFT risk appetite, weak first‑line controls, inadequate sanctions/PEP and adverse media screening, insufficient transaction monitoring and incomplete documentation on source of funds and beneficial ownership. The CSSF’s checklist of best practices is uncompromising: name screening must be up to date and immediate when sanctions lists change, transaction monitoring must be proportionate and effective, and filing of STRs/SARs must be prompt and of sufficient quality.

The CRF’s reporting quality push

The CRF presented 2025 data that underscores the importance of report quality. The EU AML Regulation’s Article 69(2) changes the standard for suspicious transaction reporting: obliged entities must base suspicions on facts and information known to them, prioritise assessments when urgency dictates, and provide adequate, accurate and up‑to‑date information. FATF mutual evaluation findings previously flagged that many reports lack relevance or sufficient analysis and are often generated by adverse media hits without proper verification. The CRF’s new feedback template will give reporting entities clearer, sector‑specific responses on report quality, follow‑up and how reports influenced analytical work.

Sanctions, emerging typologies and operational risks

The conference highlighted the legal framework for financial restrictive measures and showed how evasion schemes play out in practice – undervalued share transfers to mask sanctioned ownership, use of straw investors or third‑party repayments, legal proxies and professional enablers. Violations of EU regulations implementing sanctions can constitute predicate offences for ML, triggering CRF attention.

Cyber‑enabled fraud and AI risks are rising. Deepfakes and synthetic video, together with fake identity documents, are already being used to open accounts and commit fraud that then leverages digital payment rails and crypto on‑ramps. Business email compromise (BEC) schemes targeting the investment sector use impersonation and fraudulent payment instructions to divert large capital movements. The CRF warns firms to ensure onboarding, transaction controls and internal procedures address these scenarios and to maintain awareness of typologies published by the FIU.

How the NRA update informs private compliance

Luxembourg’s 2025 NRA update retains high inherent ML risk for specialised PFS providing corporate services. The NRA methodology separates threats, vulnerabilities and mitigating factors to arrive at residual risk. The practical implication for firms is to map their own controls to national findings: where national or sub‑sector assessments highlight specific vulnerabilities, firms must proportion their mitigation measures accordingly. Simplified measures are only appropriate where the national framework and supervisors allow them consistent with the risk assessment.

Concrete priorities for practitioners

Firms should ensure TF is assessed separately from ML, document the distinct TF threat vectors relevant to their business and tailor enhanced due diligence where TF or proliferation risk indicators exist.

Immediate priorities include:

• updating sanctions screening tools and procedures to ensure instant screening after list updates;
• strengthening ongoing customer due diligence and source of funds/source of wealth documentation;
• implementing transaction monitoring rules that capture message‑level indicators and cross‑party country checks; and
• ensuring suspicious reports are timely, fact‑based and include relevant context for CRF analysis.

Final takeaways

Luxembourg’s supervisory and intelligence authorities are converging on a predictable set of expectations:

• explicit, documented risk appetite;
• separate and considered TF assessments;
• robust, timely screening and transaction monitoring;
• high‑quality, prioritised suspicious reporting; and
• senior management accountability.

For TCSPs and other specialised PFS, the pathway to regulatory resilience is clear:

• align internal risk assessments with the SSRA and NRA findings;
• remediate identified control gaps swiftly; and
• invest in training, systems and governance to meet the heightened supervisory focus.

Dive deeper

• CSSF ¦ Looking back on the 2026 CSSF AML/CFT Conference for Specialised PFS ¦ Link