Luxembourg's CSSF Circular 26/906 on Central Administration, Internal Governance and Risk Management for Payment and E-Money Institutions
On 20 January 2026, Luxembourg’s financial regulator, the Commission de Surveillance du Secteur Financier (CSSF), published Circular CSSF 26/906 (Circular), a sweeping update to the regulatory framework governing central administration, internal governance and risk management for payment institutions, electronic money (e-money) institutions and account-information service providers. The new rules, effective 30 June 2026, consolidate and modernise previous guidance, aligning Luxembourg’s regime with evolving European standards and the latest guidelines of the European Banking Association (EBA). The Circular incorporates the EBA’s guidelines on information required for authorising payment and e-money institutions, and for registering account-information service providers under Article 5(5) of Directive (EU) 2015/2366.
Who is Affected
The Circular extends the scope of the regulatory framework to all payment and e-money institutions whose home-member state is Luxembourg, their branches and Luxembourg branches of institutions outside the European Economic Area. Account-information service providers are also in scope and are treated as payment institutions for these purposes, with proportionality applied based on their size and risk profile.
Key Changes Introduced by the Circular
Central Administration in Luxembourg
Institutions must have not only a registered office but also their decision-making and administrative centre in Luxembourg, although outsourcing remains possible in line with Circular CSSF 22/806. This includes the supervisory and management bodies, as well as key control and operational functions.
Internal Governance
The Circular sets out more detailed requirements for a clear, transparent and consistent organisational structure, robust internal controls and effective risk management processes. Institutions must ensure segregation of duties, avoid conflicts of interest and document their proportionality assessments annually. Internal governance arrangements must be tailored to the institution’s size, structure, activities and risk profile.
Supervisory and Management Bodies
The roles, composition and functioning of the supervisory (typically the board of directors) and management bodies are clarified. Both bodies must collectively possess the necessary expertise, independence and diversity and are responsible for setting and implementing strategy, risk appetite and internal controls. Regular self-assessment and training are required. The supervisory body must have enough members with the right mix of professional qualifications, experience and personal qualities to ensure sound management.
Three Lines of Defence
The Circular formalises the “three lines of defence” model, requiring clear separation between (a) business units, (b) support/control functions (compliance, risk) and (c) internal audit. Such a defence model was already encompassed by several CSSF circulars that the Circular repeals, although now the model is no longer a matter of “how firms choose to map existing controls”; it becomes a regulatory expectation with defined content. Each function must be independent, adequately resourced and report directly to the management and supervisory bodies. Internal controls must effectively prevent fraud, ensure compliance with anti-money laundering and counter-terrorist financing obligations and be adapted to the institution’s risk exposure, with appropriate staff training. Governance is strengthened via an annual supervisory-body review/re-approval and an annual management-body attestation to the CSSF (with reservations if non-compliant).
Safeguarding of Client Funds
Safeguarding is now consolidated into a dedicated chapter 8 of the Circular with specific operational requirements. Enhanced requirements are introduced for the safeguarding of client funds, including daily reconciliations, strict segregation of accounts and robust internal controls. Institutions must appoint a management body member responsible for oversight of safeguarding processes. Institutions are required to have mechanisms in place at all times to safeguard client funds received for payment transactions or in exchange for e-money.
Annual Reporting
In addition to the documents usually produced annually, institutions must submit (a) information and communication technology risk assessments, (b) annual attestations of compliance and (c) summary reports from compliance and internal audit functions to the CSSF within three months of financial year end.
What is Next?
Institutions should review their governance, risk and control frameworks against the new requirements, update internal documentation and plan for implementation by the 30 June 2026 deadline. The CSSF has signalled that further updates may follow as European and international standards evolve.
For fintechs and payment service providers, the Circular represents a significant regulatory shift—one that will require careful planning, board-level engagement and potentially substantial operational changes.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.