The CSSF regulations and circulars form the core ‘practical’ provisions with which PSF must comply. They apply to all or some PSF, meet legal obligations specific to the financial industry (combating money laundering and terrorist financing) or organisational requirements for one of the three categories of PSF, and further specify the systems introduced by the CSSF as part of its financial sector supervision (regular reporting) or impose financial ratios (capital adequacy). They provide guidance in establishing and maintaining the relevant financial or financial sector ancillary activities.
The main regulations and circulars issued by the CSSF are presented below. A quick-reference table of the regulations and circulars specifying their respective scopes of application is included in Appendix 1.
This regulation and circular are applicable to all PSF and supersede circular 95/118 on customer complaint handling.
This regulation aims to define the rules applicable to requests for the out-of-court resolution of complaints filed with the CSSF and specifies certain obligations incumbent on professionals in relation to the handling of complaints.
The procedure for handling the requests aims at facilitating the resolution of complaints against PSF without judicial proceedings. It is not a mediation procedure. The CSSF’s intervention shall be subject to the principles of impartiality, independence, transparency, expertise, effectiveness and fairness.
CSSF circular 14/589 provides details concerning the regulation, specifying in particular that the recording of complaints must be computerised and secured, that compliance with the policy must be checked regularly by the compliance and internal audit functions, and that the annual documents (table and report) shall be communicated to the CSSF no later than 1 March of each year and shall cover the previous calendar year.
Learn more about CSSF regulation 13-02 and CSSF circular 14/589
While this regulation can be regarded as central to the practical system introduced by the lawmaker to combat money laundering and terrorist financing, it must be taken as part of a broader regulatory fabric based on the modified law of 12 November 2004 and the Law (Art. 39 and 40). Together, these form the cornerstone of the subject, supplemented by other circulars, particularly CSSF circular 06/274 on instructing party information accompanying transfers of funds.
This regulation gives a formal and legally binding nature to existing professional guidance set out previously by CSSF circulars.
CSSF circular 11/529 specifies the requirements for the risk analysis inherent to each PSF’s business activities that must be set down in writing. The management shall first identify the risks of money laundering or terrorist financing. The management shall further set up a methodology in order to categorise these risks and afterwards define and implement measures to mitigate the identified risks.
This circular is applicable to investment firms. Consequently, CSSF circulars 95/120, 96/126, 98/143, 04/155, 05/178 and 10/466 shall be repealed for them.
This circular gathers the regulatory obligations that investment firms will need to satisfy. As regards professionals performing lending operations as defined in Article 28-4 of the modified law of 5 April 1993 relating to the financial sector, only the chapter on credit risk in the risk management section shall apply.
The Commission de Surveillance du Secteur Financier brought together all the key implementing provisions on internal governance in this single circular, reflecting the guidelines of the European Banking Authority on internal governance of 27 September 2011 and those of the Basel Committee on Banking Supervision on internal audit of 28 June 2012, while supplementing them with the additional provisions included in CSSF circulars 96/126, 98/143, 04/155, 05/178 and 10/466.
The implementing procedures on central administration as specified in CSSF circular 95/120 are also integrated, as well as all the provisions on risk management. Thus, while the majority of the provisions in CSSF circular 12/552 as amended by CSSF circular 13/563 are not new per se, there is a strong emphasis on the need for further formalisation in documenting internal governance arrangements and the way internal control activities are conducted.
This circular is applicable to specialised and support PSF. It has been replaced by CSSF circular 12/552 for investment firms. However, the concepts and principles are the same.
This circular reflects Article 17 of the Law and stipulates that to obtain a licence for PSF status, the entity must have not merely its legal registered office in Luxembourg but also its central administrative office, which implies that its decision-making centre and its administrative centre are in Luxembourg.
The circular specifies the meaning of ‘central administration’ which corresponds to managerial and business functions, as well as operational and control functions. It further defines the notion of ‘centre’ to and from which extend all the PSF’s components, implying the existence of sufficient technical and human resources necessary for its operations.
These circulars are applicable to specialised and support PSF. They have been replaced by CSSF circular 12/552 for investment firms. However, the concepts and principles are the same.
Reflecting Article 17 (2) of the Law which requires PSF to furnish evidence of good administrative and accounting organisation, these circulars follow on from the previous circular 95/120 and provide guidelines on how such an organisation functions (they should, in fact, be read in conjunction). They further specify the IT security measures that PSF must put in place to meet banking secrecy requirements. The recommendations made in these circulars are to be adapted to each PSF according to operations and size.
This circular is applicable to specialised and support PSF. It has been replaced by CSSF circular 12/552 for investment firms. However, the concepts and principles are the same.
This circular presents and develops the principles of adequate internal control applicable to PSF in accordance with Article 17 (2) of the Law.
To satisfy the following aims:
The circular specifies the respective responsibilities of the entity’s board of directors and management and the internal control system to be introduced.
This circular, which applies solely to investment firms, defines the organisational requirements and rules of conduct in the financial sector (transposing the Directive on Markets in Financial Instruments (MiFID) 2004/39/EC and Directive 2006/73/EC).
Regarding organisational requirements, chapter 3 of this circular covers the board of directors’ responsibility and the authorised management’s responsibility, and provides further detail about the risk management, compliance and internal audit functions.
In October 2013, the European Securities and Markets Authority (ESMA) published the French version of its guidelines on remuneration policies and practices (MiFID). Circular 14/585 transposes these guidelines into Luxembourg regulation in the form of an Annex V to CSSF circular 07/307.
Circular 07/290 as amended by CSSF circulars 10/451, 10/483, 10/497 and 13/568 applies solely to investment firms, excluding all enterprises only authorised to provide investment advisory services and/or receive and communicate orders from investors without holding any funds and/or securities of their clients. It defines a capital adequacy ratio, seeking to ensure that investment firms have sufficient capital with regard to credit, dilution, operational and foreign exchange risks, risks of basic product price fluctuations and portfolio risks.
The capital adequacy ratio is the ratio between eligible capital and the global capital required to cover the different types of risks. Investment firms must have sufficient capital at all times to cover their global capital requirement on an individual basis and, as applicable, on a consolidated basis. Eligible capital forming the numerator of the ratio includes tier-1 capital, tier-2 capital and tier-3 capital.
In the context of the modified law of 31 May 1999 governing domiciliation of companies, these four CSSF circulars address various aspects of the domiciliation activity in Luxembourg.
CSSF circular 01/28 stipulates the persons and companies authorised to operate as corporate domiciliation agents.
CSSF circular 01/29 lists the minimum content of a corporate domiciliation agreement.
CSSF circular 01/47 defines the professional duties applying prior to and after entering into a domiciliation agreement for corporate domiciliation agents subject to CSSF supervision. It also provides general guidelines for domiciliation agents encountering conflict of interest situations.
Lastly, CSSF circular 02/65 provides further detail to the modified law of 1999 as regards the notion of registered office.
This circular aims to improve the way financial institutions take, manage and control risks, by defining guidelines, in particular on the structure of compensation and the process of preparing and implementing compensation policies.
From this perspective, CSSF circular 10/437 stipulates the scope of application, the exclusions, the structure of the compensation policy, and the disclosure, monitoring and entry into effect of the guidelines.
This circular implements a risk assessment and management process for the provision of services to the financial sector for support PSF, relying on:
It is expected that the above would be completed with the issuance of an agreed-upon procedures report of findings by the approved statutory auditors, allowing a precise assessment of the organisation, the internal control system, the financial situation and the risks incurred.
This circular applies to all PSF and concerns the tools allowing the management of access rights to IT resources connected to a network and/or the centralised registration and administration of most of these resources.
The PSF must always have full control over the resources under their responsibility and the corresponding access to these resources, primarily for compliance and governance reasons and secondly in order to protect confidential data subject to professional secrecy.
The technical note annexed to the circular sets out the mandatory technical rules and focuses on implementing preventive controls, since corrective controls are not considered sufficient and should be performed as a contingency solution in case the preventive controls fail.