The offices of CSSF in Luxembourg. Photo: IO.

Anti-money laundering compliance has become a defining test for Luxembourg’s investment sector. At a closed-door AML/CFT conference on 28 March, the CSSF warned of persistent governance gaps, just as EU reforms raise the bar for compliance.

At its annual AML/CFT conference for investment firms, held at the Luxembourg Chamber of Commerce, financial supervisor CSSF issued a fresh warning: governance weaknesses, outdated monitoring practices and inadequate reporting still plague parts of the investment sector. The conference was not open to media, but the CSSF later made redacted presentation slides publicly available.

The event, which featured speakers from both the CSSF and the country’s Financial Intelligence Unit (CRF), comes amid a period of heightened AML pressure. Over the past year, the CSSF has stepped up enforcement, issuing fines to five alternative fund managers for failing to submit their financial crime questionnaires on time. The Financial Action Task Force (FATF), meanwhile, has urged Luxembourg to do more to detect and prosecute complex money laundering cases.

Weak internal controls 

Cyrille Tonnelet, who leads the CSSF’s AML/CFT and licensing division for investment firms, opened the conference with a call for stronger governance standards. Nearly 23 percent of investment firms still fail to separate the roles of the Responsible for Compliance (RR, «responsable du respect des obligations»)—a member of senior management or the board—and the Compliance Officer (RC, «responsable du contrôle»)—the day-to-day operational lead on AML/CFT matters.

“Luxembourg is a significant international financial centre with very significant cross-border activities which may potentially be abused for terrorist financing.”

CSSF

According to the CSSF slides, some firms have named a single person for both of these roles, in breach of longstanding CSSF guidance. The regulator reiterated in its presentation: «RR and RC shall be two different persons.»

Claire Guilbert, partner at law firm Norton Rose Fulbright, told Investment Officer that the confusion over these roles often stems from their overlap in required expertise, but not in function.

“To meet regulatory expectations, firms should ensure that RR and RC responsibilities are not only split but clearly defined,” Guilbert said. “The RC must be given sufficient independence, operational access, and explicit powers to carry out monitoring tasks.”

Annual AML reports were flagged as another area of concern. Many firms submitted documents that were «too generic,» the CSSF said, lacking analysis of control weaknesses or failing to outline progress on earlier findings. The regulator reminded firms that the RC’s annual AML report is a distinct requirement. It must not be confused with the broader compliance officer’s annual report.

Monitoring and TF exposure 

Several firms continue to rely almost exclusively on their depositary banks for transaction monitoring—a practice the CSSF said is increasingly unsuitable for high-volume environments. Manual monitoring, while still permitted, should be carefully assessed against the firm’s business complexity. Firms were advised to validate the design of their alert systems and ensure proper documentation of escalation procedures.

Terrorist financing (TF) risks also received particular attention, reflecting the findings of Luxembourg’s 2023 review by the Financial Action Task Force. That review concluded that the financial sector needed to improve its understanding of TF exposure, especially in a cross-border context. At the March conference, the CSSF urged firms to reflect TF threats in their internal risk statements, due diligence procedures and staff training programmes.

The inclusion of TF risk in AML/CFT frameworks must go beyond box-ticking, said Guilbert. “The recommended practice is to include terrorist financing in the risk-related policies and procedures of the firm, such as in the risk appetite statement, self-assessment and client risk assessment. But it’s equally about describing the risks appropriately in light of the firm’s business model.”

A 2025 thematic review will target investment firms providing trust and corporate services, such as domiciliation and directorships—an area where risk is considered to be persistently high.

Patchy SAR reporting 

The CRF, Luxembourg’s 50-person financial intelligence unit, reported a 38 percent increase in suspicious activity and transaction reports (SARs/STRs) from investment firms in 2024. Notably, four firms accounted for nearly 40 percent of the filings—highlighting a patchy approach to reporting obligations.

According to CRF officials speaking at the CSSF conference, the most common red flags included fabricated loans, forged documentation, and complex third-party involvement in transfers. Increasingly, artificial intelligence is being misused by criminals to create forged documents or scrape personal data for social engineering purposes.

EU reforms ahead 

Looking ahead, Vincent Renaud of the CSSF’s legal team outlined the changes coming under the European Union’s new AML/CFT framework. The package—comprising the AML Regulation (AMLR), AML Directive (AMLD6), and the AMLA Regulation—will bring a harmonised rulebook across all EU member states.

From 2028, the new Anti-Money Laundering Authority (AMLA), based in Frankfurt, will take over direct supervision of around forty high-risk entities in the EU. The CSSF expects that firms operating in six or more EU countries could fall under AMLA’s direct supervision.

Overlapping requirements

Luxembourg firms face a particular challenge in navigating overlapping national and EU-level requirements, Guilbert said. 

“As for each new EU piece of legislation, the challenge lies with the uncertainty in the end expectations,” she said. “The EU legislation is to be followed or accompanied by local laws and the local regulator’s requirements, which may gold-plate the provisions of that EU legislation and which may come in different stages in time.”

This is especially difficult for cross-border groups operating in multiple jurisdictions. Firms, she said, would appreciate clearer guidance on due diligence requirements, particularly to justify the collection of information from clients and internal stakeholders.

The EU regime will also introduce new obligations related to beneficial ownership transparency, sanctions compliance, and centralised registers for financial accounts and crypto assets.
