17 July 2026
CHD ¦ Bill 8722: Luxembourg’s New AML Fraud Alert Rule
A targeted response to escalating scam networks
Luxembourg’s draft law No. 8722 marks a significant shift in the country’s approach to financial crime prevention. The proposal amends both the law on judicial organisation and the AML/CFT law to give the Cellule de renseignement financier, or CRF, a clear legal basis to share selected fraud-related information with regulated financial professionals.
Fraud and scams have become the leading AML risk identified in the latest national risk assessment (NRA), and the numbers continue to rise. Police recorded 6,382 fraud cases in 2024, an increase of 3.89% year on year. At the same time, the nature of the threat has changed. Criminals are no longer relying only on basic phishing emails or fake parcel messages. They now use business email compromise, CEO fraud, impersonation, deepfakes, and AI-generated documents to make scams more convincing and harder to stop.
The government’s argument is that the CRF already receives large volumes of useful intelligence, but it lacks an explicit legal basis to pass on warnings about suspect accounts in a proactive way. That gap matters because the same account may be reused in frauds targeting different victims and different institutions. If one bank spots the account, another bank may still be exposed unless the information is shared.
What the bill changes
The draft inserts a new article 74-4bis into the law on judicial organisation. Under this new rule, the CRF may signal fraud typologies and relevant information to a limited group of professionals already subject to AML/CFT obligations, namely credit institutions, financial sector professionals, and crypto-asset service providers (CASPs).
The information shared is intentionally narrow. It concerns account numbers that have come to the CRF’s attention and that present a significant fraud risk, along with the fraud typologies in which those accounts were used. The bill does not create a general sharing regime for all CRF intelligence. It is designed as a targeted preventive tool tied to specific fraud patterns, especially large-scale scams against unidentified victims and social engineering attacks against named targets such as businesses, associations, freelancers, and public bodies.
The proposal also makes clear that the exchange must happen through a secure channel. Professionals must request access to the CRF signals, and that request remains valid unless they withdraw it. The CRF, for its part, is expected to hold regular meetings with the participating professionals at least every six months to review the usefulness of the signals and refine future disclosures.
A focus on prevention, not just investigation
The bill reflects a practical recognition that fraud cases are often difficult to prosecute. Many suspicious accounts are controlled by money mules , identity theft victims, or individuals and entities located abroad. By the time investigators identify the network, the funds may already have been moved through multiple layers and jurisdictions.
That is why the draft prioritises prevention. The goal is not to solve every case after the fact, but to stop new transfers before more victims are hit. A bank that receives a CRF warning about a suspect account can update its controls, strengthen monitoring, and increase scrutiny when similar payment flows appear. Crypto-asset service providers (CASPs) can do the same if the suspect account is used to launder proceeds through virtual asset channels.
This approach fits the broader AML logic of risk-based controls. Rather than relying only on fixed rules or reactive reporting, institutions are given timely intelligence that can be used to adjust their own customer and transaction monitoring.
Guardrails on use and retention
The companion amendment to the AML/CFT law creates article 5-1, which governs how professionals may use CRF signals. The information may be used only for AML, related predicate offences, and terrorist financing purposes. The responsibility for using the information remains with the receiving professional. The bill also reinforces the non-tipping-off rule, meaning the client or any third party cannot be told that a CRF signal was received.
Retention is limited as well. The receiving professional must delete the information within six months of receipt. The Conseil d’État (Council of State) interpreted this as a maximum retention period, not a mandatory six-month storage period, which means deletion should happen earlier if the data are no longer needed for the preventive purpose.
These safeguards help keep the mechanism aligned with data minimisation principles and reduce the risk that fraud intelligence turns into a long-term database of sensitive information.
Institutional cooperation as a crime-fighting tool
One of the most notable aspects of the bill is its emphasis on cooperation. The CRF, regulated entities, and public authorities are being asked to work more closely together around fraud intelligence. The Chamber of Commerce welcomed that objective, while also asking for clearer guidance on issues such as the assessment of signal relevance, professional liability, and possible use within corporate groups.
The Council of State supported the principle of the draft but noted that some parts could be streamlined and that the voluntary nature of the mechanism may create a gap if a professional fails to subscribe. Even so, the draft was allowed to move quickly through the legislative process. The Chambre des Députés (Chamber of Deputies) approved it on 14 July 2026, and the Council of State agreed on 17 July 2026 to dispense with the second constitutional vote.
Why this matters for financial institutions
For banks, PSFs, and crypto-asset service providers (CASPs), the practical message is clear. Fraud intelligence is becoming a more direct part of AML/CFT defences. Institutions will need to ensure they have the secure channel, internal procedures, and governance needed to receive, assess, and act on CRF warnings appropriately.
The new framework also signals a wider trend. Fraud, once seen mainly as a cybercrime or consumer-protection issue, is now being treated as a core financial crime risk with direct links to money laundering (ML) and terrorist financing (TF) controls. That means compliance teams will increasingly need to coordinate fraud detection, AML monitoring, payment controls, and customer due diligence (CDD).
For Luxembourg, draft law No. 8722 is a clear attempt to close a long-standing blind spot. It gives the CRF a legal tool to turn intelligence into prevention, while keeping the scope narrow enough to protect confidentiality and proportionality. In a fraud landscape shaped by AI, impersonation, and fast cross-border fund movement, that balance may prove essential.
Dive deeper
- Chambre des Députés (CHD) ¦ Projet de loi 8722 ¦ Link