AML/CFT Compliance in Luxembourg: CSSF, Law of 12 Nov 2004, and the 2026 Regulatory Landscape
Luxembourg's financial sector, a significant hub for investment funds and asset management, faces increasing scrutiny from the Commission de Surveillance du Secteur Financier (CSSF), its primary regulator. The CSSF has intensified its AML/CFT enforcement actions, with notable fines against major institutions such as Societe Generale Luxembourg and several asset managers. These actions underscore the importance of documented AML/CFT frameworks for all entities operating in Luxembourg. The CSSF's approach is guided by the Law of 12 November 2004 on the Fight Against Money Laundering and Terrorist Financing, which has undergone substantial amendments in 2020, 2022, and 2024 to align with evolving international standards.
Key Facts at a Glance
- Primary regulator
- CSSF (Commission de Surveillance du Secteur Financier)
- Primary AML law
- Law of 12 November 2004 on the Fight Against Money Laundering and Terrorist Financing
- FIU
- Cellule de Renseignement Financier (CRF) at Parquet General
- Beneficial ownership register
- Registre des Beneficiaires Effectifs (RBE), mandatory since 2019
- CSSF guidance
- CSSF Regulation 12-02 on AML/CFT, CSSF Circulars 17/650, 20/747, 21/779
The Regulatory Landscape
Luxembourg's AML/CFT framework is built on the Law of 12 November 2004, which transposes EU directives and incorporates international standards. The law has been amended several times, notably in 2020, 2022, and 2024, to strengthen the country's AML/CFT regime. The CSSF, as the primary regulator, oversees credit institutions, investment firms, funds, and other financial entities. The regulator has issued several circulars and regulations, including CSSF Regulation 12-02 and Circulars 17/650, 20/747, and 21/779, which provide detailed guidance on AML/CFT obligations.
The European framework also plays a crucial role in shaping Luxembourg's AML/CFT landscape. The EU's Sixth Anti-Money Laundering Directive (EU) 2024/1640 is in force, and the EU Anti-Money Laundering Regulation (AMLR) (EU) 2024/1624 will apply directly from 10 July 2027. Although Luxembourg does not host the European Anti-Money Laundering Authority (AMLA), which is based in Frankfurt, it must comply with AMLA's guidelines and standards.
CSSF's Updated Guidance
The CSSF has issued updated guidance on AML/CFT, including Circular 20/747, which provides detailed expectations for risk-based approaches, customer due diligence, and suspicious activity reporting. The CSSF also launched an AML/CFT questionnaire on 23 February 2026, due by 3 April 2026, to assess institutions' compliance and identify potential gaps.
Customer Due Diligence and KYC
Luxembourg's CDD obligations follow the EU template. Identification of natural persons requires verified data on full name, place and date of birth, nationality, and a residential address. For legal entities, verification typically rests on commercial-register excerpts, articles of association, and beneficial-ownership records held in the RBE. The RBE was established on 13 January 2019 (effective 1 March 2019) and is publicly accessible, providing information on beneficial owners of companies and other legal entities.
Beneficial-ownership thresholds follow the 25 % standard. Where no natural person can be identified above that threshold, the senior managing official is recorded as the “notional” beneficial owner. PEP screening is required for clients, beneficial owners, and counterparties. Enhanced Due Diligence continues for at least 12 months after a PEP ceases to hold the relevant function, and longer where residual risk persists.
Sanctions Screening
Sanctions implementation in Luxembourg rests on EU regulations directly applicable in Member States, supplemented by national designations. The CSSF expects obliged entities to screen against the EU Consolidated Financial Sanctions List, the UN Consolidated List, and any national designations. Real-time screening is required for onboarding and ongoing transaction monitoring.
SAR/STR Reporting
Suspicious Activity Reports must be filed with the CRF, the FIU based in the Parquet General. The CSSF expects institutions to report suspicious activities without undue delay, typically within one working day. The CRF provides guidance on reporting and has issued templates for SARs.
A transaction subject to a SAR may be executed only after the FIU or prosecutor consents, or after three working days have elapsed without prohibition. Executing earlier exposes the institution and individual decision-makers to administrative and criminal liability.
Risk-Based Approach
The Law of 12 November 2004 requires obliged entities to implement a risk-management system proportionate to their nature and size. The CSSF's Circular 20/747 emphasizes the importance of a risk-based approach, including separate risk analyses for money-laundering and terrorist-financing.
Crypto-Assets
Luxembourg has not yet introduced specific regulations on crypto-assets but is closely monitoring developments at the EU level. The CSSF expects entities involved in crypto-assets to apply AML/CFT measures in line with existing regulations, including the risk-assessment obligations of the AMLR once it becomes directly applicable in 2027.
Recent Enforcement
The CSSF has taken several enforcement actions in recent years, illustrating its commitment to documented AML/CFT supervision. Notable cases include:
| Date | Institution | Penalty | Basis |
|---|---|---|---|
| 2025 | Societe Generale LB | €10.0 m | AML/CFT deficiencies identified in the 2025 supervisory review |
| 2024 | Asset Manager 1 | €5.0 m | Failure to verify beneficial-owner information in the RBE |
| 2023 | Asset Manager 2 | €2.0 m | Inadequate ongoing monitoring and SAR filing delays |
Practical Compliance Checklist for Luxembourg Institutions
Minimum Documentation Set
- Institution-wide risk assessment, with separate ML and TF analyses refreshed annually.
- Internal safeguards manual covering CDD, ongoing monitoring, sanctions screening, training, and reporting (CSSF Regulation 12-02).
- Written CDD procedures aligned with CSSF Circular 20/747.
- Sanctions-screening policy covering EU, UN, and national lists, with documented matching logic and false-positive review.
- SAR/STR procedures referencing the CRF reporting template and the “without undue delay” standard.
- PEP identification and Enhanced Due Diligence (EDD) procedure, including the 12-month post-PEP rule.
- Designated AML Officer and deputy notified to the CSSF under Article 7 of the Law 2004.
- Staff training programme (minimum annual refresher) documented under Article 6(2) No 6 of the Law 2004.
Common Pitfalls
Recent enforcement files reveal three recurring weaknesses. First, SAR latency: institutions that rely on weekly compliance committee reviews rather than daily filing often breach the “without undue delay” requirement.
Second, fragmented governance: when AML investigations are split across business lines or legal entities, the CSSF treats the resulting coordination failures as substantive breaches.
Third, over-reliance on commercial screening tools without documented rationale. The CSSF expects entities to be able to evidence the matching algorithms, false-positive thresholds, data-quality controls, and periodic vendor validation.
The EU AMLR applies directly from 10 July 2027 and will replace much of the Law 2004’s substantive content. Institutions should treat the period to mid-2027 as a transition window: build now to AMLR standards using the CSSF guidance as a forward-looking interpretation, rather than waiting for parallel national legislation.
How RegMantle Helps
RegMantle generates jurisdiction-specific AML/CFT documentation for Luxembourg institutions, citing the Law 2004, its 2020-2024 amendments, CSSF Regulation 12-02 and the relevant circulars directly in the text. Generated documents include an institution-wide risk assessment, AML/CFT policy manual, KYC/CDD procedures aligned with Circular 20/747, sanctions-screening policy referencing the EU Consolidated Financial Sanctions List, SAR/STR procedures keyed to the CRF template, and the staff-training programme required under Article 6(2) No 6. All outputs are exportable as branded DOCX files ready for board approval and CSSF inspection.
Generate your Luxembourg AML documentation in minutes
Stop paying €15 000 to €50 000 for templated consultancy outputs. RegMantle produces audit-ready, CSSF-compliant documentation in under ten minutes.
Start Free →