Circular CSSF 25/903 updating Circular CSSF 24/850 on Descriptive Report and SAQ for support PFS

The Risk-Based Pivot under Circular CSSF 25/903: Understanding Luxembourg’s New Direction of Digital Supervisory Reporting for Support PFS by Update of Circular CSSF 24/850

Luxembourg Financial Regulatory News:

Circular CSSF 25/903 updates the existing framework (Circular CSSF 24/850) governing the annual reporting obligations for support Professionals of the Financial Sector (PFS) and their approved statutory auditors (REAs). The primary amendment is the mandate that all required annual documents—including the descriptive report, self-assessment questionnaire, separate report, and management letter—must now be submitted exclusively through the CSSF eDesk platform. Additionally, the circular adjusts the audit test rotation plan, specifically introducing a three-year cycle for the specific procedures required of entities classified as low risk. Finally, it formalises the management letter submission process within eDesk, explicitly requiring that the REA include the comments, explanations, and remediation plans of the support PFS’s responsible persons before the document is transmitted to the CSSF.

1. A Clean Break from Legacy Oversight under Circular CSSF 25/903 updating Circular CSSF 24/850 on Descriptive Report and SAQ for support PFS

For over a decade, the reporting landscape for Luxembourg’s Support Professionals of the Financial Sector (Support PFS) has been defined by a mosaic of aging circulars and manual workflows. That era ended with the release of Circular CSSF 25/903, which amends and updates Circular CSSF 24/850. By formally repealing Circulars 12/544 and 19/727, the Commission de Surveillance du Secteur Financier (CSSF) has signaled a “clean break” from traditional methods. Support PFS—entities authorized under Articles 29-1 to 29-6 of the Law of 5 April 1993, ranging from IT operators to client communication agents—must now transition to a framework where regulatory burden is no longer a static obligation, but a variable dictated by risk and digital maturity.

2. The eDesk Revolution: Beyond the Flat PDF under Circular CSSF 25/903 updating Circular CSSF 24/850 on Descriptive Report and SAQ for support PFS

The move to the CSSF eDesk platform is more than a change in delivery; it is a transition to a structured-data environment. The CSSF now requires all core documents, including the Descriptive Report and the new Self-Assessment Questionnaire (SAQ), to be submitted in their “original file format” (such as Excel or XML) rather than simple flat PDFs. This shift enables the regulator to perform more granular data analysis while eliminating the friction of paper-based trails.

Crucially, the digital workflow enforces a strict division of responsibility through electronic signatures:

“The descriptive report and the self-assessment questionnaire must be electronically approved and signed by the authorised management prior to their transmission to the CSSF… The separate report and the management letter issued by the REA must be electronically signed by the partner in charge of the mandate within the audit firm.”

While digital is the default, the CSSF maintains a small window for the physical: any document requiring a handwritten signature, such as certain cover letters, must still be transmitted on paper, highlighting the hybrid transition period the sector currently occupies.

3. Proportionality in Practice: The Risk-Based Rating System under Circular CSSF 25/903 updating Circular CSSF 24/850 on Descriptive Report and SAQ for support PFS

The centerpiece of this modernization is the implementation of a sophisticated rating system. The CSSF now calibrates supervisory intensity by categorizing entities as Low, Medium, or High risk. This introduces a strategic “surprise” for many operators: two entities holding the same Article 29 license may face vastly different reporting workloads based purely on their assigned risk profile.

The risk rating is determined by a specific set of criteria:

  • The nature of activities requiring Support PFS authorization.
  • Annual turnover.
  • The volume and profile of financial sector clients.
  • The overall size and complexity of the institution.

For the Support PFS, internal risk-mitigation is no longer just a compliance exercise—it is a competitive strategy. Lowering one’s risk profile effectively reduces the “regulatory tax” of reporting.

4. The Efficiency Win: The Nuance of Test Rotation under Circular CSSF 25/903 updating Circular CSSF 24/850 on Descriptive Report and SAQ for support PFS

One of the most impactful operational reliefs introduced is the adjustment to the audit test rotation plan. For entities classified as low risk, the CSSF now allows for a three-year cycle for certain procedures. This rewards stable, less complex entities with reduced audit frequency.

However, the “analytical bite” of this circular lies in the inverse: the CSSF is not easing its grip on the entire sector. Entities authorized under Article 29-1 (Client communication agents) and Article 29-2 (Administrative agents) do not benefit from this relief; their REAs must carry out specific procedures relating to operational, transversal, and AML/CFT aspects every single year.

5. Goodbye RAR, Hello Self-Assessment Questionnaire under Circular CSSF 25/903 updating Circular CSSF 24/850 on Descriptive Report and SAQ for support PFS

The legacy Risk Assessment Report (RAR) has been replaced by the Self-Assessment Questionnaire (SAQ). This transition represents a shift from a surface-level update to a profound, evidence-based review of risk management. The SAQ is divided into four thematic pillars: ICT-related aspects, Operational aspects, Transversal aspects, and AML/CFT aspects.

The CSSF’s objective for this change is explicit:

“…to receive on the support PFS’ self-assessment and management of the risks to that it may expose the financial sector.”

This requirement forces Authorized Management to own their risk data, as they must validate the SAQ before it is handed to the auditors for verification.

6. The Auditor’s New Watch: The Separate Report and “Prompt” Reporting under Circular CSSF 25/903 updating Circular CSSF 24/850 on Descriptive Report and SAQ for support PFS

The role of the Réviseur d’Entreprises Agréé (REA) is being recast as a secondary line of prudential defense. Under Article 54 of the Law on the Financial Sector (LFS), the REA must now produce a Separate Report to verify the reliability of the entity’s SAQ responses through CSSF-defined procedures.

More significantly, the REA’s mandate now transcends traditional year-end balance sheet verification. Auditors are legally obligated to report “promptly” to the CSSF any facts or decisions that could jeopardize the “continuous functioning” of the institution. Under Section 5, the following 11 triggers require immediate reporting:

  1. Major conflicts within decision-making bodies.
  2. Unexpected departure of a key function holder.
  3. Major financial difficulties in a branch or subsidiary.
  4. Serious deficiencies in the internal control framework.
  5. Significant errors in the prudential reporting.
  6. Granting of an interim dividend despite insufficient own funds.
  7. Major incidents in the IT organization or infrastructure.
  8. Activity changes without appropriate infrastructure.
  9. Frauds likely to generate important losses.
  10. Important legal disputes.
  11. Inappropriate assessments regarding merger/split projects.

7. Closing: The Seven-Month Countdown under Circular CSSF 25/903 updating Circular CSSF 24/850 on Descriptive Report and SAQ for support PFS

The timeline for submission remains firm: all documents must be filed via eDesk within seven months of the financial year-end. For the first year of application, covering financial years closing on or after 31 December 2025, the CSSF may exceptionally provide risk categories within one month of the circular’s publication to assist with immediate compliance planning.

While the new framework is more proportional, the increased depth of the SAQ and the “prompt” reporting obligations for auditors necessitate tighter internal coordination. As Luxembourg pivots toward this data-driven model, it raises a compelling question: will this risk-based, digital-first blueprint become the new standard for financial regulation across the European Union?

This news related to Circular CSSF 25/903 can be considered beneficial under CSSF-Circulars and PFS/PSF News. The pre-filled example templates for many CSSF Circulars should be available at https://ratiofy.lu/templates/ from the summer of 2026.
