CHD ¦ Draft Law No. 8722: Luxembourg Moves to Strengthen Fraud Detection in AML Framework

A new legal tool for the Financial Intelligence Unit (FIU)

Luxembourg’s draft law No. 8722 proposes a targeted change to the country’s anti-money laundering framework by giving the Cellule de Renseignement Financier, or CRF, a clearer legal basis to share fraud-related information with selected obliged entities. The goal is to stop fraud earlier, before suspicious accounts can be reused to steal from more victims or to move illicit proceeds through the financial system.

The proposal amends both the judicial organisation law and the law on the fight against money laundering and terrorist financing. In practice, it would allow the CRF to notify banks, certain financial professionals, and crypto-asset service providers (CASPs) about account numbers and fraud typologies that present a significant risk.

Fraud now sits at the center of the risk picture

The reasoning behind the draft is rooted in Luxembourg’s latest national risk assessment on money laundering (NRA ML), adopted in April 2025. That assessment identifies scams and fraud as the most serious threat. The numbers support that concern. Police recorded 6,382 fraud cases in 2024, an increase of 3.89 percent year on year.

The draft law describes a fraud environment that has become more industrialized and more technical. Large-scale phishing campaigns, fake parcel and delivery scams, bogus investment offers, and fraudulent charity appeals continue to affect both individuals and legal entities in Luxembourg, including clients of local financial institutions. At the same time, more targeted frauds such as CEO fraud and business email compromise are becoming increasingly sophisticated.

Technology is making the problem worse. The document points to the use of artificial intelligence to generate convincing fake websites, documents, and supporting evidence in a very short time. In some cases, criminals even use deepfake techniques to imitate a person’s appearance.

Bastian Schwind-Wagner _Follow

"Luxembourg’s draft law No. 8722 would give the CRF a clearer legal basis to share fraud-related account information with selected financial professionals and crypto-asset service providers. The aim is to prevent the same fraudulent accounts from being reused across multiple scams and to strengthen early detection within the AML framework.

The proposal responds to rising fraud risks, including phishing, business email compromise, and other social engineering schemes. It also adds safeguards through secure communication channels, strict non-disclosure rules, and a six-month deletion period for received information."

Why the current framework is seen as incomplete

The CRF already receives a significant volume of suspicious transaction reports linked to large-scale fraud and social engineering attacks. It also gets information from police and prosecutors under existing cooperation rules. These exchanges help identify fraudulent foreign accounts and freeze assets where possible.

But the draft explains a key gap. At present, the CRF has no legal basis to warn other financial institutions that a particular account has already been identified as highly suspicious by one institution. That means a fraudster can keep using the same account to target customers of another bank, even after one bank has flagged it.

The same problem arises with information coming from police or prosecutors. Victims’ complaints can help detect fraud patterns, but the information cannot currently be used in a structured way to prevent similar frauds elsewhere. The draft law is designed to close that gap.

How the proposed sharing system would work

The core of the draft is a new article 74-4bis in the judicial organisation law. Under this provision, the CRF would be allowed to share typologies and information showing a significant fraud risk with certain professionals already subject to Luxembourg’s AML and counter-terrorist financing rules.

The scope is deliberately narrow. The intended recipients are credit institutions, financial sector professionals authorized in Luxembourg, and crypto-asset service providers that fall under the relevant AML law. The signal would not be general intelligence for the market. It would be account-level information tied to fraud risk, plus the fraud typology in which the account was used.

The draft also keeps the process controlled. Professionals would have to request these signals through a secure channel, and the request would apply to future CRF signals unless explicitly withdrawn. All exchanges between the CRF and the requesting professionals would take place through a secure system, specifically the CRF’s GoAML platform.

What information may be shared

The draft limits the content of the signals to what is needed for prevention. The CRF could share account numbers that have come to its attention through its legal powers and that present a significant fraud risk. These numbers may include IBANs, virtual IBANs, or other account identifiers.

The measure is broad in terms of account types, because it can cover payment accounts, e-money accounts, and crypto-asset wallets or other similar accounts used in fraud or attempted fraud. The accompanying typology would help professionals understand the fraud pattern, whether it involves large-scale phishing, targeted social engineering, or another form of scam.

The intention is not to build a new investigative file inside each bank. It is to help institutions detect suspicious inflows and outflows sooner, strengthen monitoring, and prevent customers from sending money to accounts already linked to fraud.

Obligations imposed on the receiving institutions

The proposed new article 5-1 in the AML law sets out how the receiving professionals may use the signals. They may use the information only for AML, associated predicate offences, and terrorist financing prevention. The responsibility for using the information remains entirely with them.

The draft also imposes a strict non-disclosure rule. The professionals may not tell the client concerned or any third party that the account has been flagged by the CRF. This mirrors the usual non-tipping-off principle that is already central to AML compliance.

There is also a storage limit. The institutions would have to delete all information received under these signals within six months of receipt. The draft explains this by noting that, from a preventive perspective, fraudulent accounts usually stop being active after that period. The goal is to keep only what is necessary for a limited time.

A preventive model built around feedback

The draft does not treat this as a one-way transmission. The CRF would be required to meet with the relevant professionals at least every six months to discuss whether the signals remain useful and relevant. The CRF would then adapt future signals based on that feedback.

That is an important feature. It suggests the system is meant to be dynamic and practical, not just a static database of suspicious accounts. In a fast-moving fraud environment, relevance depends on keeping the information current and focused.

Why crypto-asset providers are included

One notable aspect of the proposal is the explicit inclusion of crypto-asset service providers. This reflects the legislature’s concern that fraud proceeds may be moved through digital asset services, including services established in Luxembourg. The draft law aims to ensure that suspicious accounts linked to fraud cannot simply be used as a bridge into crypto flows.

This is significant from a financial crime perspective. Fraud and money laundering often overlap, especially when criminal networks use mule accounts, identity theft, and cross-border transfers to obscure the trail. Adding crypto-asset providers to the alert loop is a recognition that fraud prevention now needs to cover both traditional banking and newer financial channels.

A preventive step with limited public cost

The financial statement attached to the draft says the proposal has no impact on the state budget. It does not create new revenues or new spending for Luxembourg’s public finances.

That is consistent with the design of the bill. This is not a major institutional overhaul. It is a legal enabling measure meant to improve the flow of information between authorities and the private sector, with the aim of stopping fraud faster.

What this means for AML and fraud teams

If adopted, the draft law would give Luxembourg’s CRF a more active role in fraud prevention by allowing it to warn selected financial actors about accounts already associated with suspicious activity. For compliance teams, that could become a useful source of risk intelligence, especially when the same account or typology appears across multiple victims and institutions.

The broader message is clear. Fraud is no longer just a consumer protection issue or a criminal law issue. It is now firmly part of the AML risk landscape, and Luxembourg is moving to make its framework reflect that reality.

Dive deeper

• Chambre des Députés (CHD) ¦ Projet de loi 8722, A propos du dossier ¦ Link
• Portail officiel LBC/FT du Grand-Duché de Luxembourg ¦ National risk assessment money laundering 2025 ¦ Link