On 20 January 2026, the Commission de Surveillance du Secteur Financier ("CSSF") published Circular 26/906 on central administration, internal governance and risk management (the "Circular"). The Circular applies to payment institutions and electronic money institutions and, on a proportional basis, account information service providers. Adopted against the background of sustained growth in the payment and electronic money sector, the Circular consolidates and replaces the existing CSSF governance framework by repealing Circulars IML 95/120, IML 96/126, IML 98/143 and CSSF 04/155, and amending Circulars CSSF 11/510 and CSSF 11/520.
Legal basis and Scope
The Circular specifies the application of Articles 11(2) and 24-7(2) of the Law of 10 November 2009 on payment services, as amended (the "Payment Services Law") which apply to payment institutions, electronic money institutions and account information service providers, subject to the principle of proportionality (the "Institutions"). These provisions require the Institutions to maintain both their registered office and effective central administration in Luxembourg and to implement sound and robust internal governance arrangements.
Key changes and clarifications
- Principle of proportionality
The principle of proportionality must be formalised, meaning that institutions must document a written proportionality assessment, taking into account their size, internal organisation and the nature, scale, complexity and risks of their activities. This assessment must be reviewed at least annually by the supervisory body. While governance arrangements may be strengthened or simplified, segregation of duties and collective responsibility at management body level must always be preserved.
- Central administration in Luxembourg
The Circular clarifies what constitutes effective central administration. Luxembourg must be the actual centre of management and administration, with strategic decision-making, day-to-day management and key administrative and control functions organised in Luxembourg and supported by sufficient on-site resources. Institutions must retain effective oversight of all activities, including those carried out through branches, agents or distributors, and ensure direct supervisory access by the CSSF.
- Supervisory body
The supervisory body retains overall responsibility for the institution and is expected to meet regularly. The CSSF recommends quarterly meetings and save in exceptional circumstances, a physical presence in Luxembourg, with meetings in principle held at the registered office and with the physical presence of majority of members, to promote informed and effective decision-making. The supervisory body must not be composed predominantly of executive members, and its decision-making must not be dominated by a single individual.
The supervisory body elects a chairperson from among its members. The chairperson must not perform an executive role unless duly justified and accepted by the CSSF. The presence of independent members is recommended as a matter of good practice. The chairperson is responsible for ensuring the proper functioning of the supervisory body and promoting informed discussion.
The supervisory body must also regularly assess the adequacy and effectiveness of its own functioning and procedures.
- Management body
The management body must consist of at least two members, apply the four-eyes principle at all times and perform day-to-day management as a permanent function, in principle on-site in Luxembourg.
- Internal governance arrangements
Institutions must implement sound and robust internal governance arrangements supported by clear organisational structures, documented strategies, policies and procedures, effective internal controls and defined risk management processes. Governance arrangements must ensure integrity, effectiveness, adequacy and transparency, with leadership from the supervisory and management bodies.
- Promotion of all aspects of diversity
The CSSF encourages the adoption of guiding principles that foster all aspects of diversity within supervisory bodies. Diversity may encompass factors such as age, gender, geographical origin, and educational or professional background. The promotion of diversity should be grounded in non-discrimination and supported by measures that ensure equal opportunities for all.
- Specialised committees
Depending on the application of proportionality, the CSSF may recommend the establishment of specialised committees within the supervisory body. Such committees must be composed of at least three non-executive members and chaired by a member with appropriate expertise in the relevant area.
- Internal controls, conflicts of interest and new activities
The Circular formalises and tightens governance expectations around internal controls, conflicts of interest and new activities. In particular, it expressly embeds the three-lines-of-defence model, strengthens fraud and AML/CFT integration, introduces formal CSSF information requirements for appointments and departures of key control function holders, and requires documented remediation and follow-up of control weaknesses. It also reinforces conflicts of interest management by extending policies to governing bodies and requiring escalation of related-party transactions, and tightens new product governance through mandatory prior management body approval based on documented risk analysis and consultation of internal control functions.
- Safeguarding of funds
Institutions must implement effective safeguarding arrangements for client funds in accordance with Articles 14 and 24-10 Payment Services Law. This includes internal control mechanisms, reconciliations and monitoring of funds received, with information from counterparties such as banks or insurers. Depending on proportionality, reconciliations may be performed daily or weekly, and the CSSF recommends the use of IT-based controls and reconciliation tools.
The Circular sets out detailed requirements governing the use of segregated accounts, restricts the investment of safeguarded funds to secure, low-risk and sufficiently liquid assets, and requires that contractual arrangements for safeguarding through insurance or comparable guarantees be subject to prior review by a legal expert.
- Use of reserved terminology
The use of terminology reserved for credit institutions, including references to "bank", "banking services", "deposits", "bank accounts" or "neo-bank", is prohibited in all communications and marketing of the Institutions.
Next step
Circular CSSF 26/906 consolidates and clarifies governance requirements for payment and electronic money institutions and, on a proportional basis, account information service providers in Luxembourg. It applies from 30 June 2026.
.jpg?crop=300,495&format=webply&auto=webp)
.jpg?crop=300,495&format=webply&auto=webp)
