CSSF Circular 26/906: The New Governance Gold Standard
Luxembourg raises the bar for Payment and E-Money Institutions, with full compliance mandated by 30th June 2026.
Circular CSSF 26/906 represents a landmark consolidation of Luxembourg’s regulatory expectations for central administration, internal governance, and risk management. It applies to all Payment Institutions (PIs) and Electronic Money Institutions (EMIs) whose home member state is Luxembourg as well as Luxembourg branches of non-EEA institutions and includes Account Information Service Providers (AISPs) as PIs.
Considering the EBA/GL/2017/09 guidelines, this circular is a first step toward a consolidated regulatory compilation. While specific areas like ICT risk, outsourcing, and remuneration remain covered by separate circulars, firms are now required to treat governance as a unified and Board-level priority.
What does this mean for CSSF regulated PIs and EMIs in Luxembourg?
- Institutions must document a 'Proportionality Assessment' based on the nature, scale, and complexity of their business. Proportionality cannot, however, be used to dilute the segregation of duties: responsibilities must still be assigned so that conflicts of interest are avoided, whatever the size of the firm. Enhanced governance triggers (e.g., transaction volumes > €10bn or assets > €500m) mandate more rigorous structures and specialised committees.
- The Supervisory Board bears ultimate and collective responsibility for sound and prudent management and must meet at least quarterly, ideally with a physical majority in Luxembourg. Simultaneously, at least two Authorised Managers must be permanently on-site in Luxembourg to ensure dual control and local oversight.
- The "Central Administration" must be located in Luxembourg, supported by robust human and technical resources. A significant market integrity rule is introduced: the Management Body is responsible for ensuring that "banking" terminology (e.g., "bank account", "neo-bank", or "deposits") is strictly prohibited in all communications and marketing to prevent misleading consumers into believing the firm is a credit institution.
- A formalised internal control model is mandatory, separating Business Units (1st line), Compliance and Risk Management (2nd line), and Internal Audit (3rd line). These functions must be independent, well-resourced, and have a clear "weight" in the organisation. The circular requires direct, independent reporting lines to the Supervisory Body, ensuring that control functions can challenge the business without interference.
- Firms must implement a formal Conflict of Interest policy and maintain a dedicated register. This organisational structure must ensure that duties and responsibilities are assigned to prevent any single individual from having total control over a process, particularly involving the handling of funds or significant administrative tasks.
- No new activity, product, or significant change can be undertaken without a formal, written approval process. This requires a thorough analysis by the business units, risk control, and compliance functions, culminating in a formal approval by the Management Body only after all internal control functions have been consulted.
- Risk management is elevated to a standalone pillar, requiring the identification and monitoring of all material risks - including operational, liquidity, and reputational risks. The framework must be integrated into daily decision-making to ensure the firm operates within the "Risk Appetite" approved by the Board.
- Rigorous standards for fund protection are strictly formalised, requiring the legal segregation of client funds in dedicated "safeguarding accounts" at credit institutions or via insurance/guarantees. Firms must implement mandatory daily reconciliation processes to ensure that internal customer ledgers perfectly match the actual funds held, providing a high-fidelity audit trail.
- Once a year, the Management Body must confirm compliance with the circular in a single-sentence written statement signed by all its members. Where non-compliance exists, the statement must instead take the form of a "reservation" that sets out the gaps and the remediation plans. This attestation, together with the summary reports of Compliance and Internal Audit, must be submitted to the CSSF no later than the last day of the third month following the firm's financial year-end.
This circular consolidates what was already foreseen in previously issued circulars that are now abrogated.
Full compliance is required by 30th June 2026.