CSSF ¦ De-risking Practices and ML/FT Risk Management

CSSF clarifies its position on de-risking and bank account opening difficulties in Luxembourg

The Luxembourg Financial Sector Supervisory Commission, the CSSF, has addressed growing concerns from individuals and legal entities about difficulties in opening bank accounts in Luxembourg. According to the communiqué, some credit institutions have explained these difficulties by pointing to demanding legal requirements on anti-money laundering and counter-terrorist financing, as well as their understanding of the CSSF’s expectations regarding ML/FT risk exposure.

The CSSF’s message: financial institutions must manage ML/FT risk effectively, but they are not expected to avoid it altogether. The distinction matters. A risk-based approach does not mean refusing every customer or business relationship that presents a higher level of risk. Instead, institutions are expected to understand the risks they face, assess them properly, and build internal controls that are suitable and effective.

Managing risk, not eliminating it

The CSSF stresses that guidance from regulators and other stakeholders is meant to support professionals in building appropriate internal control frameworks. It should not be read as a general ban on higher-risk business relationships. A greater level of ML/FT risk does not, by itself, justify refusing to open or maintain a business relationship.

This is an important point for banks and other supervised entities. They may not simply exclude whole categories of clients, products, or services unless this is expressly required by applicable law or regulation, such as the Luxembourg AML law of 12 November 2004 or CSSF Regulation No 12-02. At the same time, the CSSF makes clear that firms are still free to change their business strategy and decide not to offer certain services to specific client categories. That, however, is a business decision, not a regulatory obligation.

The communiqué also links this position to Circular CSSF 21/782 and the later Circulars CSSF 23/842 and CSSF 25/878, which reflect the latest updates to the European Banking Authority’s guidelines on ML/FT risk factors. The overall message is that financial institutions should apply a careful and informed assessment of customer risk. Financial inclusion and effective ML/FT controls are not incompatible. They should be balanced in a proportionate way, including through simplified due diligence where appropriate for low-risk customers.

Bastian Schwind-Wagner

"The CSSF has clarified that financial institutions in Luxembourg must manage ML/FT risks properly, but they should not simply avoid higher-risk customers as a matter of principle. The regulator makes clear that a higher risk level alone does not justify refusing a business relationship, and that supervised entities should apply a proportionate, risk-based approach.

At the same time, the CSSF reminds clients that cooperation is essential in the onboarding process, including providing complete and accurate documentation. It also confirms that while it does not intervene in business decisions, firms may still choose to change their commercial strategy, provided this is distinct from regulatory de-risking."

The CSSF does not run institutions’ business models

The CSSF also draws a line between supervision and commercial decision-making. As a general principle, it does not interfere with the business models of financial institutions. It will only push for de-risking in exceptional cases, where a firm has failed to put in place adequate risk management measures and the ML/FT risk has become unmanageable.

That distinction is central. De-risking imposed by a supervisor in rare cases is not the same as an exit strategy adopted by a business to protect profitability. The CSSF warns firms not to confuse the two.

Decisions to accept or reject clients remain the responsibility of each institution. The CSSF will not comment on individual onboarding decisions. It recognises that rising compliance costs and more complex ML/FT risks may lead some firms to conclude that certain client segments are no longer profitable. But when that happens, it is a strategic choice, not a response to legal non-compliance.

Clients also have responsibilities

The communiqué makes another important point: effective risk management requires cooperation from the client. If a person or entity cannot provide the right documents, including information on the origin of funds, or refuses to provide information, account opening may become difficult or impossible.

The CSSF reminds clients that financial institutions are bound by strict legal duties. Providing accurate and complete information is not optional. It is a necessary part of the onboarding process and of the institution’s ability to comply with its obligations.

At the same time, the CSSF encourages firms to consider alternative and proportionate measures when a client has specific or high-risk characteristics, or when standard documentation is hard to produce. This is in line with updated EBA guidance and Circular CSSF 23/842. The message is that rigid exclusion should not replace a thoughtful assessment of whether a relationship can still be managed safely.

Looking ahead to new EU guidance

The communiqué closes by pointing to future regulatory work at the EU level. Under Article 21(4) of AMLR, the EBA and the EU Anti-Money Laundering Authority are required to issue joint guidelines by July 2027 on measures that can be taken to ensure compliance with AML/CFT rules, including for business relationships that are most affected by de-risking.

This suggests that de-risking remains a live policy issue across Europe. Regulators are increasingly aware that over-compliance or blanket refusal practices can undermine financial inclusion without necessarily improving the effectiveness of the AML/CFT framework.

A clear message for the market

The CSSF’s communiqué sends a strong signal to banks and other supervised entities in Luxembourg. Higher ML/FT risk is not a reason to avoid entire categories of customers by default. Institutions are expected to understand their risks, manage them properly, and make proportionate decisions based on facts rather than fear.

At the same time, clients must cooperate fully and provide the information needed for due diligence. Where both sides act responsibly, the result should be a more balanced approach – one that protects the financial system without shutting out legitimate customers.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Dive deeper
  • CSSF ¦ Communiqué “De-risking Practices and ML/FT Risk Management”
  • EUR-Lex ¦ Regulation (EU) 2024/1624
Bastian Schwind-Wagner is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.