Administrative sanction of 2 May 2025 for non-compliance  
with professional obligations regarding the monitoring of  
transactions in the context of the fight against money  
laundering and terrorist financing  
Luxembourg, 30 July 2025  
Administrative decision  
On 2 May 2025, the CSSF imposed an administrative fine amounting to EUR 4,968,780 (four million  
nine hundred sixty-eight thousand seven hundred eighty euros) on ******************  
, Luxembourg (the “Credit Institution”), representing less than 0.5% of its turnover as of 31  
December 20231.  
This administrative fine is imposed following an on-site inspection carried out at the Credit Institution  
between 8 August 2024 and 12 December 2024. Even if this on-site inspection was carried out  
following the revelation of the fraud perpetrated against a charitable foundation in Luxembourg (the  
Foundation”), it covered nevertheless certain aspects of the anti-money laundering and the  
combatting financing of terrorism (“AML/CFT”) professional obligations of the Credit Institution,  
and more precisely, the obligation to adopt a risk-based approach and to apply, in the context of  
AML/CFT, due diligence measures adapted to its customers according to the level of risk of money  
laundering and terrorist financing, including the monitoring of transactions, with an emphasis on the  
accounts of the Foundation.  
Legal framework/motivation  
The administrative fine was imposed by the CSSF pursuant to Article 8-4(1), (2) and (3) of the Law  
of 12 November 2004 on the fight against money laundering and terrorist financing, as amended  
(the “AML/CFT Law”), read in conjunction with the provisions of Article 2-1(1) of this AML/CFT  
Law, regarding the monitoring of transactions in the AML/CFT context.  
Based on the observations made by the CSSF during the on-site inspection and the responses and  
additional information provided by the Credit Institution, the CSSF concluded that, at the time of the  
on-site inspection, the Credit Institution did not comply with certain legal and regulatory  
requirements, as provided for in the following legislative and regulatory provisions:  
(i)  
the AML/CFT Law;  
1
Latest available annual accounts approved by the Board of Directors of the Credit Institution during the on-site  
inspection.  
ADMINISTRATIVE SANCTION  
1/4  
 
(ii)  
Grand-ducal Regulation of 1 February 2010 providing details on certain provisions of the Law  
of 12 November 2004 on the fight against money laundering and terrorist financing, as amended  
(“Grand-ducal Regulation of 1 February 2010”);  
(iii)  
CSSF Regulation No 12-02 of 14 December 2012 on the fight against money laundering and  
terrorist financing, as amended (“CSSF Regulation 12-02”), which constitutes an implementing  
measure of the AML/CFT Law; and  
(iv)  
Circular CSSF 23/842 on the adoption of the revised guidelines, by the EBA, on money  
laundering and terrorist financing risk factors – complement of Circular CSSF 21/782 (“Circular  
CSSF 23/842”), applicable to not-for-profit organisations (“NPOs”) in the context of customer due  
diligence as required by the Article 3(2a) of the AML/CFT Law.  
In order to determine the type and amount of the administrative sanction, the CSSF duly took into  
account all the legal and factual elements brought forward by the Credit Institution, both during the  
on-site inspection and the non-contentious administrative procedure. The CSSF also considered the  
gravity and the duration of the breaches, the scope of the on-site inspection, the financial situation  
of the Credit Institution at the time of the on-site inspection as well as the latter’s level of cooperation  
and responsiveness concerning the corrective measures to be implemented, in accordance with the  
provisions of Article 8-5(1) of the AML/CFT Law.  
The CSSF also took into account the full cooperation of the Credit Institution and the extent of  
remedial measures, some of which were taken proactively before the on-site inspection started.  
Finally, it is emphasised that it is not up to the CSSF to decide on the Credit Institution’s liability  
regarding the fraud perpetrated against one of its customers nor to opine on whether a transaction  
monitoring system without deficiencies would have allowed to detect the fraud. The supervision  
performed by the CSSF entirely focuses on the compliance with professional, legal and regulatory  
obligations of the Credit Institution and applicable to all its customers.  
Legal bases for the publication  
This publication is made on a nominative basis pursuant to the provisions of Article 8-6(1) of the  
AML/CFT Law. The decision of the CSSF to impose an administrative sanction entered into force  
while the CSSF considered that none of the legal exceptions provided for in Article 8-6(1), second  
paragraph, of the AML/CFT Law is applicable.  
Context and major cases of non-compliance with the  
professional obligations identified  
The CSSF on-site inspection on the Credit Institution intervenes after a preceding CSSF on-site  
inspection carried out in 2018 that covered the entire AML/CFT framework. It resulted in an  
injunction from the CSSF, as a result of which the Credit Institution implemented measures to  
remedy the detected weaknesses.  
ADMINISTRATIVE SANCTION  
2/4  
Nevertheless, the CSSF found during the present on-site inspection that, despite the measures  
already taken, the transaction monitoring system still presented shortcomings in terms of its design  
and implementation, as well as regards the performance of controls. The identified shortcomings  
were not solely the result of the analysis of individual files but were found to be structural and  
systemic in nature. However, a comprehensive and efficient transaction monitoring is of utmost  
importance in the context of AML/CFT, especially for a large credit institution.  
The instances of non-compliance by the Credit Institution regarding its professional AML/CFT  
obligations in terms of monitoring of transactions mainly related to the following points:  
.
The CSSF identified inadequacies in the configuration and in the settings of the ex-post  
transaction monitoring tool scenarios, in particular, incomplete settings relating to outflows for  
certain categories of customers including corporate customers (except for movements involving  
cash, transfers of securities/physical assets or transfers involving religious associations). The CSSF  
noted that these shortcomings were linked to choices made by the Credit Institution when  
implementing its new monitoring tool in accordance with its defined priorities.  
Accordingly, the CSSF noted that the transaction monitoring system implemented by the Credit  
Institution had operated correctly in terms of anti-fraud controls, but its configuration had not  
allowed to highlight suspicious transactions patterns involving large inflows of funds, followed by  
direct outflows in several transfers on the same day and to ensure that transactions were consistent  
with customers’ profiles and the professional’s knowledge of its customer (AML/CFT control).  
In particular, the CSSF found that transfers initiated via the secure channel Multiline, and validated  
by customers using a strong authentication process, were not subject to the same AML/CFT controls  
as other transactions due to an unjustified exclusion in the systems.  
The significant deficiencies identified constitute cases of non-compliance with the provisions of:  
-
Article 3(7) of the AML/CFT Law and Article 1(3) of Grand-ducal Regulation of 1 February  
2010 that require a special attention to “significant transactions relative to a business  
relationship, transactions that exceed certain limits, very high account turnover inconsistent  
with the size of the balance, or transactions which fall out of the regular pattern of the  
account's activity” and for which the characteristics are partly defined in Articles 32(1) and  
39(2) of CSSF Regulation 12-02 (criteria relating to the importance of the amounts or to the  
frequency of the amounts involved, differences compared to the nature, volume or frequency  
of transactions usually carried out in the framework of the business relationship concerned  
or similar business relationships and differences compared to the foreseen transactions  
based on the declarations made by the customer during the acceptance procedure but also  
the coverage of all the customers and their transactions);  
-
Article 3(2)(d) of the AML/CFT Law and Article 32(2) of CSSF Regulation 12-02 that require  
the application of ongoing due diligence of the customers by examining transactions carried  
out throughout the business relationship to ensure that the transactions are consistent with  
the professional’s knowledge of its customer, including the analysis of the economic  
background of the funds involved in transactions presenting an ML/TF risk or which are  
complex transactions, of an unusually large amount or with an unusual pattern in the light  
of the risk profile of the customer;  
ADMINISTRATIVE SANCTION  
3/4  
-
Article 39(6) of CSSF Regulation 12-02 that requires a regular control by the compliance  
officer, in order to adapt the supervisory framework when necessary, in case of development  
of the activities, new customers and evolution of AML/CFT standards and measures.  
Lastly, the CSSF points out that due diligence obligations also apply to NPOs and must be tailored  
to the risks they present. Risks are assessed on the basis of an understanding of the objectives of  
transactions carried out by the customer, in particular by obtaining information such as the list of  
programmes and associated budgets, in order to ensure that transactions are consistent with what  
is to be expected from the customer’s transactional profile, pursuant to point 1, letter c) of the annex  
to EBA Guidelines GL/2023/03 implemented by Circular CSSF 23/842 and as also required by Article  
3(2a) of the AML/CFT Law.  
.
The CSSF also noted inconsistencies in the customer due diligence implemented by the Credit  
Institution with regard to business relationships or transactions involving high-risk countries2, in  
particular that (i) the internal control system of the Credit Institution did not take into account all  
available information3 in order to detect suspicious elements and (ii) some alerts had not been  
generated due to amount limits (albeit low amounts). Finally, the CSSF also identified cases where  
insufficient documentation had been provided to dismiss doubts about alerts issued in presence of  
transactions to high-risk countries, which constitutes a violation of Article 3-2(2) of the AML/CFT  
Law and Articles 31(1) and 39(1) of CSSF Regulation 12-02, which require to obtain information on  
the reasons for the intended or performed transactions, as well as the implementation of enhanced  
customer due diligence measures by increasing the number and frequence of controls applied and  
by determining patterns of transactions that need further examination on a case-by-case basis and  
depending on a risk-based approach.  
The few shortcomings identified in the transaction monitoring system in relation to high-risk  
countries that are also subject to restrictive financial measures, expose the Credit Institution to non-  
compliance with Article 33(1) and Article 39(1) and (1a) of CSSF Regulation 12-02 in terms of  
obligation to detect without delay any countries, persons, entities or groups involved in a transaction  
or business relationship that are subject to restrictive financial measures in the context of the fight  
against terrorist financing, including those introduced in Luxembourg through European Union  
regulations directly applicable in national law, or through the adoption of ministerial regulations.  
Similarly, the Credit Institution is liable for non-compliance with Articles 3 and 6(1) of the Law of 19  
December 2020 on the implementation of restrictive measures in financial matters, as well as Articles  
1 and 2 of Grand-ducal Regulation of 14 November 2022 providing details on the Law of 19 December  
2020 on the implementation of restrictive measures in financial matters in its obligations to inform  
without delay the Ministry of Finance of the implementation of restrictive measures, where  
applicable.  
2
High-risk countries are those which, in accordance with Article 1(30) of the AML/CFT Law, are included on the  
list of high-risk third countries identified pursuant to Article 9(2) of (EU) Directive 2015/849 or designated as  
presenting a higher risk by the Financial Action Task Force (FATF), as well as any other country that the Bank  
considers, as part of its ML/FT risk assessment, to be a high-risk country based on the geographical risk factors  
set out in Annex IV of the AML/CFT Law.  
3 In particular the fact that only the IBAN account number is taken into account and not the beneficiary’s address.  
ADMINISTRATIVE SANCTION  
4/4