Legilux ¦ The Law of 3 March 2026 from an AFC Perspective

New Luxembourg law tightens controls on delegation, liquidity tools and AML risks for funds

On 3 March 2026 Luxembourg adopted a law implementing Directive (EU) 2024/927 that amends national rules governing UCITS and alternative investment fund managers (AIFMs). While many changes address liquidity management, delegation and reporting, several provisions have direct or indirect implications for anti‑money laundering and countering the financing of terrorism (AML/CFT), tax transparency and supervisory cooperation. Fund managers, depositaries and service providers operating in Luxembourg must assess how these amendments tighten due diligence expectations, expand reporting channels and change the legal character of certain custody arrangements – all measures that affect the fight against financial crime.

Stronger geographic and counterparty screening – aligning with AML lists

The law repeatedly references Directive (EU) 2015/849 and requires checks on whether third‑country counterparties or service providers are identified as high‑risk third countries under Article 9(2) of that directive. Where previously the text referred to the FATF non‑cooperative list, the new wording aligns suitability and onboarding requirements with the EU’s high‑risk third‑country framework and the Council’s tax non‑cooperation conclusions. Practically, this means managers and depositaries must incorporate up‑to‑date EU high‑risk listings into onboarding, delegation and custody selection processes, and take prompt remedial action if a service provider’s country status changes. The legal duty to replace a depositary in a third‑country that becomes high‑risk within a two‑year window is especially notable – it creates a clear remediation timeline and a compliance trigger to reduce geographic AML exposure.

Delegation and custody – clarified treatment of central securities depositories

The amendments distinguish services provided by central securities depositories depending on their role under the CSDR delegated act – notably whether a CSD acts as a “DCT émetteur ” or a “DCT investisseur ”. Services by a DCT émetteur are not treated as delegation of the depositary’s safekeeping functions, whereas services by a DCT investisseur are treated as delegation. This legal classification alters the scope of due diligence, oversight and liability obligations for depositaries and fund managers. Where a CSD arrangement qualifies as delegation, the depositary’s obligation to exercise appropriate skill and care in selecting and monitoring the delegate remains engaged, with attendant AML‑relevant implications for counterparty checks, ongoing monitoring and documentation of controls. Compliance teams should review contractual allocation of responsibilities and ensure AML controls are explicitly covered in delegation agreements.

Bastian Schwind-Wagner _Follow

"Luxembourg’s recent law implementing Directive (EU) 2024/927 significantly tightens oversight of fund delegation, liquidity tools and reporting, and aligns national rules with EU AML/CFT and tax transparency frameworks. The changes increase due diligence expectations for counterparties and delegates, clarify custody treatment for CSDs, and expand supervisory data sharing, creating clearer remediation timelines for third‑country risks.

Fund managers, depositaries and service providers should prioritise updates to onboarding, delegation contracts and internal reporting to meet the amplified supervisory expectations. Demonstrable management substance, robust borrower and asset provenance checks, and readiness to produce granular data to CSSF and European authorities will materially reduce operational and financial crime risks."

Expanded reporting and supervisory cooperation – more eyes on funds and service providers

A major strand of the reform expands reporting duties to the CSSF, to ESMA and to other European authorities, and clarifies data sharing with the ESRB, EBA and EIOPA when systemic risks are present. Fund managers must supply detailed information on markets, instruments, exposures, liquidity tools in use, stress test results, delegation arrangements and the identities and identifiers of delegates and sub‑delegates. The CSSF can request additional reports to monitor systemic risk, and it must pass relevant information to other authorities and European bodies. These amplified reporting channels strengthen the surveillance architecture that can detect patterns consistent with financial crime – unusual concentrations, opaque chains of delegation, or cross‑border exposures to high‑risk jurisdictions will now more readily surface to supervisors. Firms should prepare to deliver granular, well‑structured data, and to respond rapidly to supervisory queries.

Due diligence and governance – elevated expectations on management substance

The law tightens governance expectations by specifying that management of a SICAV, AIFM or management company must be determined by at least two natural persons who are full‑time and domiciled in the EU, or who are executive members dedicated full time to the entity’s activities. Application materials and authorisation filings must describe actual operational structure, key personnel, reporting lines and the resources assigned to delegated tasks, including how the manager will supervise delegates. These requirements reduce the risk that a manager becomes a letterbox entity or that control effectively sits offshore – a key vector for misuse and regulatory arbitrage. For AML purposes, regulators will expect clear evidence that operational control and KYC/AML responsibilities rest with adequately resourced, accountable persons within the EU.

Liquidity tools and side‑pockets – transparency and investor protection dimensions

New provisions require open funds to select at least two liquidity management tools from a prescribed list and to document activation/deactivation procedures, while allowing side‑pocket mechanisms in exceptional circumstances. Where separated assets are created through segregation, segregated holdings can be excluded from certain limit calculations. These rules are meant to protect investors and prevent disorderly redemptions, but they also matter for financial crime risk. Illiquid or segregated pockets can hide valuation or ownership complexity if controls are weak. Managers must ensure that the governance around activating side‑pockets and in‑kind redemptions includes rigorous provenance checks, enhanced AML treatment of asset transfers and transparent disclosure to supervisors and investors.

Specific limits and safeguards for lending funds

The law introduces a comprehensive regime for funds that originate loans. It defines “loan‑originating” funds, sets borrower concentration limits, capping exposures to a single borrower at 20 percent of fund capital for certain borrower types, and prescribes leverage limits for open and closed‑ended lending funds. It also prohibits lending to certain related parties, including the manager, the depositary and delegated entities, and imposes retention rules when loans are transferred to third parties. These constraints reduce conflict‑of‑interest and concentration risks that can be exploited for fraud or illicit value extraction. From an AML perspective, loan origination and transfer are higher‑risk activities that demand robust borrower due diligence, ongoing monitoring of repayment flows, and clear recordkeeping that aligns with supervisory reporting obligations.

Tax transparency and interaction with AML frameworks

Several amendments require counterparties and third‑country entities to be subject to effective tax information exchange arrangements consistent with OECD standards and the Council’s tax conclusions. The text adds explicit references to tax‑related concerns alongside criminal law in certain provisions. Tax opacity is frequently linked to proceeds of crime or concealment strategies, and the law’s focus on tax cooperation reinforces the broader drive for transparency. Compliance functions should ensure that tax‑related risk assessments complement AML risk assessments and that onboarding checks include verification of tax transparency status where the law mandates it.

Practical next steps for compliance and risk teams

Fund managers, depositaries and service providers should take a number of immediate actions to align with the new regime. Update onboarding and periodic due diligence processes to include EU high‑risk third‑country status checks and tax‑cooperation verification. Reassess delegation contracts to ensure AML controls, reporting duties and monitoring mechanisms are contractually defined, particularly where a DCT investisseur is involved. Enhance internal reporting and data aggregation capabilities to meet the expanded supervisory information requests on liquidity, stress tests, exposures and delegation chains. Review governance structures to demonstrate the requisite management substance and to designate clear accountable persons for AML and operational oversight. Finally, build playbooks to respond to changes in third‑country risk status, including documented remediation timelines such as the two‑year replacement window for certain depositaries.

Conclusion

Luxembourg’s legislative update transposes substantive EU policy changes into national law and raises the compliance bar across delegation, liquidity management and supervisory reporting. While primarily framed around investor protection and financial stability, many provisions dovetail with AML and tax transparency objectives. Firms operating in the Luxembourg fund ecosystem must view these changes holistically – enhancing KYC and due diligence, tightening contractual protections, upgrading reporting capabilities and ensuring that governance and resourcing choices reflect the heightened supervisory expectations. Doing so will reduce operational, legal and financial crime risks and support resilient cross‑border fund operations in the evolving European regulatory landscape.

Dive deeper

• Legilux ¦ Loi du 3 mars 2026 ¦ Link
• EUR-Lex ¦ Directive (EU) 2024/927 AIFMD II ¦ Link
• EUR-Lex ¦ Directive (EU) 2015/849 AML Directive ¦ Link