Administrative sanction of 19 May 2025 for non-compliance  
with professional obligations related to “anti-money  
laundering / counter financing of terrorism”  
Luxembourg, 02 September 2025  
Administrative decision  
On 19 May 2025, following an on-site inspection, the CSSF imposed an administrative fine  
amounting to EUR 214,000 (two hundred and fourteen thousand) on “****************** S.A.”  
(the “Electronic Money Institution”), authorised as electronic money institution in accordance  
with the provisions of the Law of 10 November 2009 on payment services.  
Legal framework/motivation  
This administrative fine was imposed by the CSSF pursuant to Article 2-1(1) of the amended Law of  
12 November 2004 on the fight against money-laundering and terrorist financing (“AML/CFT Law”)  
read in conjunction with the provisions of Article 8-4(1), (2) and (3) of the AML/CFT Law for non-  
compliance with anti-money laundering / counter financing of terrorism (“AML/CFT”) professional  
obligations.  
In order to determine the type and amount of the administrative sanction, the CSSF duly took into  
account all the legal and factual elements, including those presented by the Electronic Money  
Institution during the contradictory phase of the non-contentious administrative procedure as well  
the gravity and duration of the breaches and the financial situation of the legal person held  
responsible for the breaches at the time of the on-site inspection in accordance with the provisions  
of Article 8-5(1) of the AML/CFT Law, as well as the fact that the Electronic Money Institution has  
taken on board the findings and observations, fully cooperated with the CSSF and informed the CSSF  
of the corrective measures taken after the on-site inspection in order to remedy the identified  
breaches.  
The professional obligations in relation to which the breaches were observed are namely quoted in  
the relevant provisions of:  
(i) the AML/CFT Law,  
(ii) the amended Grand-ducal Regulation of 1 February 2010 (“AML/CFT Grand-ducal  
Regulation”) providing details on certain provisions of the AML/CFT Law, and  
(iii) the amended CSSF Regulation No 12-02 of 14 December 2012 on the fight against money  
laundering and terrorist financing (“CSSF Regulation No 12-02”) which constitutes an  
implementing measure of the AML/CFT Law  
in their version applicable at the time of the on-site inspection.  
ADMINISTRATIVE SANCTION  
Legal bases for the publication  
This publication is made pursuant to the provisions of Article 8-6(1) of the AML/CFT Law on a  
nominative basis, the CSSF having considered that none of the legal exceptions provided for in  
Article 8-6(1) of the AML/CFT Law is applicable.  
Context and major cases of non-compliance with the  
professional obligations identified  
This administrative fine is the result of an on-site inspection carried out by the CSSF at the Electronic  
Money Institution between 26 June 2023 and 31 January 2024 covering the AML/CFT framework.  
During the on-site inspection, the CSSF identified important breaches to the AML/CFT professional  
obligations applicable to the Electronic Money Institution which related in particular to the following  
points:  
Although the Electronic Money Institution had identified via its transaction monitoring tool  
indicators that generated suspicions of money laundering in 6 cases related to counterfeit  
goods, it did not file a declaration to the Financial Intelligence Unit (hereafter the “FIU”).  
Three of these cases related to accounts which have been closed by the Electronic Money  
Institution despite the presence of indicators that generated suspicions of money laundering.  
Those cases constitute a breach of the obligation foreseen in point (a) of Article 5(1) of the  
AML/CFT Law to inform promptly and on its own initiative the FIU when there are reasonable  
grounds of suspicion of money laundering.  
The transaction monitoring process did not operate efficiently as the CSSF had identified  
that the Electronic Money Institution had defined in its procedure timeframes to treat alerts  
generated leading in practice to some alerts being closed with substantial delays. Such  
defined timeframes did therefore not allow the Electronic Money Institution to take rapid  
action in the event of suspicion as foreseen by point (a) of Article 5(1) of the AML/CFT Law  
and Article 39(5) of the CSSF Regulation No 12-02.  
The CSSF identified that a certain number of financial sanction related alerts were closed  
with delay, which implies that for those alerts, the Electronic Money Institution would not  
have been in a position to apply restrictive measures in financial matters without delay if  
need be, thus constituting a failure to comply with point (d) of Article 3(2) of the AML/CFT  
Law and Articles 33(1) and 39(1) of the CSSF Regulation No 12-02.  
In the context of applied customer due diligence measures, the CSSF observed that  
identification documents were missing for some clients and beneficial owners, whose identity  
was therefore not verified thus preventing the Electronic Money Institution from ensuring  
that the respective individuals had been correctly identified. This constitutes a failure to  
comply with points (a) and (b) of Article 3(2) of the AML/CFT Law and Articles 20(1) and  
22(1) of the CSSF Regulation No 12-02.  
As the Electronic Money Institution did not meet physically its clients, and certain safeguards  
were absent, the CSSF furthermore observed that no specific measures to compensate the  
potentially higher risk that a non-face-to-face business relationship involves, in accordance  
ADMINISTRATIVE SANCTION  
with Annex IV, point (2)(c) of the AML/CFT Law, had been implemented, although the  
Electronic Money Institution recognised itself that it was confronted with a lot of fake KYC  
documentation resulting in clients not duly identified and their identity not verified. This  
constitutes a failure to comply with point (a) of Article 3(2) of the AML/CFT Law as well as  
Article 27 of the CSSF Regulation No 12-02.  
As part of a review of a sample of client files, the CSSF identified three cases for which the  
Electronic Money Institution did not conduct sufficient investigations concerning red flags  
related to the discrepancy between the type of merchants and the products sold or irregular  
price differences between branded goods sold on the market and those being sold by the  
client merchants. In all instances, the Electronic Money Institution had incoherent documents  
and information on file but did not proceed to further investigate these cases. As such, the  
Electronic Money Institution failed to comply with point (d) of Article 3(2) of the AML/CFT  
Law and Article 32(1) and (2) of the CSSF Regulation No 12-02, which emphasise the  
obligation to pay attention to unusual transactions and to information differences compared  
to the declarations made by the customer.  
Finally, the blocking process of the Electronic Money Institution was inadequate as the CSSF  
identified that important transactions occurred on some accounts which were blocked for  
suspicion of money laundering, an associated predicate offence or terrorist financing, or  
incomplete KYC documentation and that an appropriate follow-up of blocked and unblocked  
accounts was not performed. This inadequate blocking process prevented the Electronic  
Money Institution from refraining to carry out transactions for clients having incomplete KYC  
documentation or presenting a suspicion of money laundering, an associated predicate  
offence or terrorist financing thus constituting a failure to comply with Articles 3(4) indent 4  
and 5(3) of the AML/CFT Law.  
The outsourcing framework was deficient as the outsourcing agreement between the  
Electronic Money Institution and the third-party delegate lacked a detailed description of the  
outsourced tasks to be implemented which prevented the Electronic Money Institution from  
complying with Article 37(1) and (2) of the CSSF Regulation No 12-02 which foresee regular  
control of compliance with the commitments arising from the outsourcing contract, in  
particular to gain comfort on the compliance of the outsourced tasks and the adequacy of  
the resources used.  
The CSSF further identified that the Compliance Monitoring Plan was too generic as it did  
not define any controls or Key Performance Indicators to ensure an oversight of the  
delegated tasks and that, in practice, the second line of defence did not perform regular  
controls on the obligations of the third-party delegate, thus constituting a failure to comply  
with Article 37(2) and (5) of the CSSF Regulation No 12-02 which foresee that in accordance  
with the risk based approach, the regular control shall ensure that the professional is  
provided with means to test and to monitor regularly and occasionally compliance with the  
obligations incumbent upon the third-party delegate.  
This also constitutes a breach of Articles 39(6) and 42(1a) and (5) of the CSSF Regulation  
No 12-02 which foresee that the Compliance function verifies the controls carried out by the  
first line of defense to ensure compliance with the AML/CFT policy.  
ADMINISTRATIVE SANCTION