CHD ¦ Bill 8722: Luxembourg’s New AML Fraud Alert Rule

CHD ¦ Bill 8722: Luxembourg’s New AML Fraud Alert Rule

A targeted response to escalating scam networks

Luxembourg’s draft law No. 8722 marks a significant shift in the country’s approach to financial crime prevention. The proposal amends both the law on judicial organisation and the AML/CFT law to give the Cellule de renseignement financier, or CRF, a clear legal basis to share selected fraud-related information with regulated financial professionals.

Fraud and scams have become the leading AML risk identified in the latest national risk assessment (NRA), and the numbers continue to rise. Police recorded 6,382 fraud cases in 2024, an increase of 3.89% year on year. At the same time, the nature of the threat has changed. Criminals are no longer relying only on basic phishing emails or fake parcel messages. They now use business email compromise, CEO fraud, impersonation, deepfakes, and AI-generated documents to make scams more convincing and harder to stop.

The government’s argument is that the CRF already receives large volumes of useful intelligence, but it lacks an explicit legal basis to pass on warnings about suspect accounts in a proactive way. That gap matters because the same account may be reused in frauds targeting different victims and different institutions. If one bank spots the account, another bank may still be exposed unless the information is shared.

What the bill changes

The draft inserts a new article 74-4bis into the law on judicial organisation. Under this new rule, the CRF may signal fraud typologies and relevant information to a limited group of professionals already subject to AML/CFT obligations, namely credit institutions, financial sector professionals, and crypto-asset service providers (CASPs).

The information shared is intentionally narrow. It concerns account numbers that have come to the CRF’s attention and that present a significant fraud risk, along with the fraud typologies in which those accounts were used. The bill does not create a general sharing regime for all CRF intelligence. It is designed as a targeted preventive tool tied to specific fraud patterns, especially large-scale scams against unidentified victims and social engineering attacks against named targets such as businesses, associations, freelancers, and public bodies.

The proposal also makes clear that the exchange must happen through a secure channel. Professionals must request access to the CRF signals, and that request remains valid unless they withdraw it. The CRF, for its part, is expected to hold regular meetings with the participating professionals at least every six months to review the usefulness of the signals and refine future disclosures.

Bastian Schwind-Wagner
Bastian Schwind-Wagner

"Luxembourg’s draft law No. 8722 gives the CRF a new legal basis to share targeted fraud intelligence with selected AML/CFT professionals. The aim is to stop repeat abuse of the same accounts, especially in phishing, CEO fraud, and other social engineering schemes.

The proposal is tightly limited: only relevant account data and fraud typologies may be shared, and only through a secure channel. Receiving professionals must use the information only for AML purposes, keep it confidential, and delete it within six months."

A focus on prevention, not just investigation

The bill reflects a practical recognition that fraud cases are often difficult to prosecute. Many suspicious accounts are controlled by money mules , identity theft victims, or individuals and entities located abroad. By the time investigators identify the network, the funds may already have been moved through multiple layers and jurisdictions.

That is why the draft prioritises prevention. The goal is not to solve every case after the fact, but to stop new transfers before more victims are hit. A bank that receives a CRF warning about a suspect account can update its controls, strengthen monitoring, and increase scrutiny when similar payment flows appear. Crypto-asset service providers (CASPs) can do the same if the suspect account is used to launder proceeds through virtual asset channels.

This approach fits the broader AML logic of risk-based controls. Rather than relying only on fixed rules or reactive reporting, institutions are given timely intelligence that can be used to adjust their own customer and transaction monitoring.

Guardrails on use and retention

The companion amendment to the AML/CFT law creates article 5-1, which governs how professionals may use CRF signals. The information may be used only for AML, related predicate offences, and terrorist financing purposes. The responsibility for using the information remains with the receiving professional. The bill also reinforces the non-tipping-off rule, meaning the client or any third party cannot be told that a CRF signal was received.

Retention is limited as well. The receiving professional must delete the information within six months of receipt. The Conseil d’État (Council of State) interpreted this as a maximum retention period, not a mandatory six-month storage period, which means deletion should happen earlier if the data are no longer needed for the preventive purpose.

These safeguards help keep the mechanism aligned with data minimisation principles and reduce the risk that fraud intelligence turns into a long-term database of sensitive information.

Institutional cooperation as a crime-fighting tool

One of the most notable aspects of the bill is its emphasis on cooperation. The CRF, regulated entities, and public authorities are being asked to work more closely together around fraud intelligence. The Chamber of Commerce welcomed that objective, while also asking for clearer guidance on issues such as the assessment of signal relevance, professional liability, and possible use within corporate groups.

The Council of State supported the principle of the draft but noted that some parts could be streamlined and that the voluntary nature of the mechanism may create a gap if a professional fails to subscribe. Even so, the draft was allowed to move quickly through the legislative process. The Chambre des Députés (Chamber of Deputies) approved it on 14 July 2026, and the Council of State agreed on 17 July 2026 to dispense with the second constitutional vote.

Why this matters for financial institutions

For banks, PSFs, and crypto-asset service providers (CASPs), the practical message is clear. Fraud intelligence is becoming a more direct part of AML/CFT defences. Institutions will need to ensure they have the secure channel, internal procedures, and governance needed to receive, assess, and act on CRF warnings appropriately.

The new framework also signals a wider trend. Fraud, once seen mainly as a cybercrime or consumer-protection issue, is now being treated as a core financial crime risk with direct links to money laundering (ML) and terrorist financing (TF) controls. That means compliance teams will increasingly need to coordinate fraud detection, AML monitoring, payment controls, and customer due diligence (CDD).

For Luxembourg, draft law No. 8722 is a clear attempt to close a long-standing blind spot. It gives the CRF a legal tool to turn intelligence into prevention, while keeping the scope narrow enough to protect confidentiality and proportionality. In a fraud landscape shaped by AI, impersonation, and fast cross-border fund movement, that balance may prove essential.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Did you find any mistakes? Would you like to provide feedback? If so, please contact us!
Dive deeper
  • Chambre des Députés (CHD) ¦ Projet de loi 8722 ¦ Link
Bastian Schwind-Wagner
Bastian Schwind-Wagner Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.