Circular CSSF 26/906 Central administration, internal governance and risk management

Circular CSSF 26/906 Goes Beyond the Mailbox: 5 Surprising Shifts in Luxembourg’s New Governance Framework for Payment Institutions (PIs) and Electronic Money Institutions (EMIs) with Inspiration from Directive (EU) 2015/2366 (EBA/GL/2017/09)

Luxembourg Financial Regulatory News:

Circular CSSF 26/906 establishes a consolidated regulatory framework for the central administration, internal governance, and risk management of payment institutions, electronic money institutions, and account information service providers operating in Luxembourg. The circular repeals several older circulars to align with European Banking Authority (EBA) guidelines, and it relies heavily on the principle of proportionality, meaning its requirements scale with an institution’s size, risk profile, and complexity. It strictly delineates the strategic oversight duties of the supervisory body from the day-to-day operational responsibilities of the management body. It also mandates a robust “three lines of defence” internal control model, requiring the establishment of permanent, independent internal control functions for compliance, risk control, and internal audit. Furthermore, it imposes comprehensive standards for administrative and IT organization and conflict of interest management, and strict protocols for safeguarding payment service users’ funds through dedicated segregation accounts or equivalent guarantees.

1. Introduction: The End of “Compliance-Lite” under Circular CSSF 26/906 on Central Administration, Internal Governance and Risk Management Inspired by EBA/GL/2017/09

For the better part of three decades, fintech founders and executives in the Grand Duchy have operated within a fragmented “regulatory sprawl.” Navigating governance meant stitching together a patchwork of historical guidance, some of which—like Circular IML 95/120—predated the very concept of a smartphone. With the publication of Circular CSSF 26/906, the CSSF is effectively dismantling the “post-box” arbitrage that once defined the peripheries of the Eurozone’s fintech scene.

This is not a mere administrative refresh. By repealing the foundational circulars of the previous era—specifically IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155—the regulator has moved toward a “consolidated regulatory compilation.” This transition signals a fundamental shift: for Payment Institutions (PIs) and E-money Institutions (EMIs), governance is no longer an auxiliary “check-the-box” function. It is now the central engine of operational excellence. We are entering an era where “compliance-lite” is a relic of the past, replaced by a mandate of high-substance institutionalization.


2. The “Head Office” Reality Check: Infrastructure as Substance under Circular CSSF 26/906 on Central Administration, Internal Governance and Risk Management Inspired by EBA/GL/2017/09

The new mandate reinforces the requirement for a “Central Administration” in Luxembourg, but with a sharp operational edge. The CSSF is making it clear that a registered office (siège juridique) is insufficient without an effective seat (effektiver Sitz).

While many firms focus on the presence of bodies, the true shift lies in the administrative center. Compliance now requires that the physical infrastructure (the accounting ledgers, the IT systems, and the management reporting tools) be substantial enough to ensure that data is available “without delay.” This is a high-bar operational requirement: if your Luxembourg-based management cannot pull granular, real-time records because the “brain” of the IT system lives exclusively in a distant parent company or in a third-party cloud with no Grand Duchy footprint, you are likely non-compliant.

“The decision-making centre includes the supervisory body and those persons (at least two) members of the management body, responsible for managing the institution and who shall be empowered to effectively determine the direction of its activity.” (Paragraph 7)

3. Proportionality: Navigating the Regulatory Cliffs under Circular CSSF 26/906 on Central Administration, Internal Governance and Risk Management Inspired by EBA/GL/2017/09

The “Principle of Proportionality” is often viewed by startups as a shield against complexity. Circular 26/906 clarifies that it is actually a two-way street. While simpler entities like Account Information Service Providers (AISPs) may see downward relief, scaling firms face significant regulatory cliffs.

Growth is no longer just a milestone; it is a trigger for an immediate, pre-funded upgrade to governance stature. Crossing any of the following thresholds necessitates “enhanced” arrangements, such as specialized committees or additional board members:

  • Operational Volume: > EUR 10 billion.
  • Balance Sheet Total: > EUR 0.5 billion.
  • Headcount: > 50 persons.

Crucially, the “proportionality” defense must now be proactive. Institutions are required to document their proportionality assessment in writing and have it reviewed and approved by the supervisory body at least once a year. Founders must recognize that hitting employee number 51 is not a celebration of growth—it is a legal mandate to professionalize.

4. “Tone from the Top” as a Rigid Legal Requirement under Circular CSSF 26/906 on Central Administration, Internal Governance and Risk Management Inspired by EBA/GL/2017/09

Perhaps the most significant transition is the institutionalization of “culture.” Once a soft HR concept, internal risk and compliance culture is now a rigid regulatory expectation. Under Paragraph 10, the CSSF demands a “strong and ubiquitous” culture characterized by accountability for acts and behaviors and an “open and critical dialogue.”

This shift formalizes the “tone from the top.” It is no longer enough for the Management Body to sign off on policies; they must embody them. The regulator is looking for evidence that the Board has set an example where risk awareness is part of the staff’s daily psyche, devoid of incentives for inappropriate risk-taking.

“This strong and ubiquitous overall risk and compliance culture shall also be reflected in the strategies, policies and procedures of the institution… characterized by the example that both the supervisory and the management bodies set (‘tone from the top’).” (Paragraph 10)

5. The Identity Crisis: The End of “Neo-bank” Marketing under Circular CSSF 26/906 on Central Administration, Internal Governance and Risk Management Inspired by EBA/GL/2017/09

For PIs and EMIs, the days of “banking-adjacent” branding are over. The CSSF has introduced strict terminology restrictions to eliminate consumer confusion. If you do not hold a full credit institution license, using terms that imply you are a bank is now a significant legal liability for the Management Body.

Marketing leads must realize that the concept of “deposits” or “bank accounts” is no longer just a linguistic preference—it is a regulatory breach. The Management Body is now specifically responsible for ensuring all digital marketing, social media, and mobile apps avoid Prohibited Terms:

  • Bank / Neo-bank / Banking services
  • Deposits
  • Bank accounts

This creates an immediate strategic challenge for “Neo-banks” that must now rebrand their core value proposition without using the very words their customers use to describe them.

6. Independent Counter-Powers and the “4-Eyes” Continuity

The Circular solidifies the “Trinity” of internal control: Compliance, Internal Audit, and Risk Management. Strategic leaders should view these not as back-office costs, but as independent counter-powers to the CEO’s growth drive. They must possess the authority and stature to protect the institution’s long-term solvency over short-term gains.

A critical “surprising shift” for lean startups is the continuity requirement attached to the “4-eyes principle.” Under Paragraph 53, the requirement that at least two management body members effectively determine the direction of the institution’s activity is absolute. If one manager leaves and that two-person oversight cannot be restored immediately, the institution is technically in breach. There is no “grace period” for lean teams; succession planning is now a mandatory component of operational resilience.

7. Conclusion: Looking Toward 2026 under Circular CSSF 26/906 on Central Administration, Internal Governance and Risk Management Inspired by EBA/GL/2017/09

The countdown has begun. Circular CSSF 26/906 enters into force on January 20, 2026. Between now and then, Luxembourg fintechs must move beyond the “mailbox” mentality.

Executives must ask: Is our governance a “hollow shell” designed for the licensing phase, or a “robust engine” built for the 2026 era? The bedrock of this transition is the “Know-your-structure” requirement (Sub-chapter 7.1), which demands a documented raison d’être for every entity and intra-group link.

The “Know-your-structure” requirement serves as the non-negotiable foundation for every institution’s future compliance and operational legitimacy.


The pre-filled example templates for many CSSF Circulars should be available at https://ratiofy.lu/templates/ from the summer of 2026.
