CSSF Circular 26/906: A Consolidated Framework For Governance And Risk Management In Payment And E-money Institutions

16 March 2026

Laurent Massinon, Herbert Smith Freehills Kramer LLP

The Commission de Surveillance du Secteur Financier (CSSF) has published its new CSSF circular 26/906 on central administration, internal governance and risk management (Circular), applicable to payment institutions (PIs) and electronic money institutions (EMIs) whose home member state is Luxembourg, including their branches, as well as to Luxembourg branches of PIs and EMIs whose home member state is outside the European Economic Area (Institutions)¹.

The Circular is intended to clarify how the requirements of the Law of 10 November 2009 on payment services, as amended (LPS), are to be applied. The LPS requires Institutions to have in place robust internal governance arrangements, effective processes to identify, manage, monitor and report risks, and adequate internal control mechanisms.

While the CSSF previously set out the rules on central administration, internal governance and risk management of Institutions across several circulars, it has now consolidated these key rules into a single circular².

General principles

The Circular provides for the guiding principles on central administration and internal governance, including the following:

  1. Institutions in Luxembourg must have both their registered office and their central administration, namely the decision-making and administrative centers, located in Luxembourg. 
  2. Institutions shall apply the principle of proportionality when determining their internal governance arrangements and document their proportionality assessment in writing and have their conclusions approved by the supervisory body at least on an annual basis.
  3. Internal governance arrangements shall ensure sound and prudent management through a clear organisational structure, defined responsibilities, robust internal control mechanisms, risk management processes, business continuity and crisis arrangements, and effective communication. 
  4. Institutions shall promote an internal risk and compliance culture driven by the “tone from the top”, promoting staff accountability and avoiding incentives for inappropriate risk-taking.

Supervisory body, specialised committees and management body 

The Circular sets out the responsibilities, composition, qualifications, organisation, and functioning of the supervisory and management bodies, as well as their regulatory obligations.

Supervisory body

The supervisory body generally refers to the board of the directors of the Institution. 

The Circular consolidates all responsibilities of the supervisory body and specifies the strategies, guiding principles and key elements of the central administration, internal governance and risk management arrangements that the supervisory body must approve and formalise in writing, after consulting the management body and the heads of the internal control functions. The supervisory body shall entrust the management body with the implementation of these strategies and guiding principles and monitor that implementation. It shall critically assess, adapt where necessary and re-approve the internal governance arrangements on a regular basis and at least once a year.

In addition, the requirements regarding the composition of the supervisory body are now more clearly defined. Board members must be sufficient in number and appropriately composed, both individually and collectively, in terms of skills, knowledge, experience and professional repute, to ensure that the supervisory body can fully discharge its responsibilities. Emphasis is also given to training programs and succession planning. 

The supervisory body elects a chairperson from among its members, who must not take on an executive role unless justified and accepted by the CSSF. The CSSF also recommends that meetings of the supervisory body are held at least on a quarterly basis and at the registered office of the Institution in Luxembourg in the presence (onsite) of a majority of its members.

Specialised committees

Applying the principle of proportionality, the CSSF may recommend that Institutions establish specialised committees of the supervisory body, tailored to their organisation, size, and complexity. These committees shall provide the supervisory body with critical assessments in their specific areas of competence. The Circular further emphasises, among others, that:

  1. the permanent members of the specialised committees shall be members of the supervisory body who do not perform any executive function within the Institution; and
  2. the supervisory body cannot delegate its powers and responsibilities to the specialised committees.

Management body

The management body is responsible for the day-to-day management of the Institution's functions, activities and risks. It shall consist of at least two individuals at all times, and the "four-eyes" principle must be applied consistently. The members of the management body shall, in principle, be permanently on site, and the CSSF must be able to contact them directly in Luxembourg.

The management body shall inform the supervisory body in full, in writing, on a regular basis and at least once a year, of the implementation of the internal governance arrangements. Once a year, the management body shall also confirm compliance with the Circular to the CSSF by way of a single written sentence followed by the signatures of all members of the management body (see point 2 under "Legal reporting" below).

Importantly, the CSSF explicitly requires the management body to ensure that terminology associated with services reserved to credit institutions (such as banking services, deposits, "bank" or "neo-bank", bank accounts and similar expressions) or with activities of other (financial) institutions not covered by a PI or EMI licence is not used in any form. For Institutions that have over time marketed their services as alternatives to credit institutions, this represents a substantial change in strategic positioning.

Internal control functions 

The Circular sets out a robust internal control framework for Institutions. 

While independent internal control functions were already required under the previous regime, the new rules provide more detail and additional requirements. 

The Institutions must establish an internal control system based on the “three lines of defense” model:

  1. the first line consists of the business units which take or are exposed to risks, which are responsible for their management;
  2. the second line consists of support functions, such as the financial and accounting function, and especially the compliance and the risk control functions; and
  3. the third line consists of the internal audit function.

The Circular lays down detailed provisions regarding the compliance and internal audit charters and the scope, specific responsibilities and organisation of the compliance and internal audit functions. Depending on the organisation of the Institution, and with reference to the principle of proportionality, the CSSF may require certain Institutions to set up an independent, permanent risk control function.

The heads of the internal control functions are accountable to the management body and, ultimately, to the supervisory body for the execution of their duties. Each internal control function shall prepare, at least once a year, a summary report on its activities and functioning covering all the activities assigned to it (see point 3 under "Legal reporting" below). Outsourcing of operational tasks of an internal control function is permitted only in accordance with CSSF circular 22/806 on outsourcing arrangements.

Additional governance and operational safeguards

The CSSF provides further guidance on the management of conflicts of interest. Institutions are required to implement a comprehensive conflict of interest policy applicable to all staff, as well as members of the management and supervisory bodies. The Circular also requires that transactions with related parties be carried out objectively and in the best interest of the Institution. Transactions are considered as not compliant with such requirement when, inter alia, they are carried out on less advantageous terms for the Institution than those which would apply to the same transaction carried out with a third party, explicitly reflecting the “at arm’s length” standard.

In addition, the Circular explicitly provides for a new product approval process, and the prohibition for the Institutions to undertake any new activity before the approval has been given by the management body, after having heard all parties concerned and in particular the internal control functions.

In accordance with articles 14 and 24-10 of the LPS, and in line with the guiding principles on the safeguarding of funds approved by the supervisory body, Institutions are required to put in place mechanisms ensuring the safeguarding of clients' funds at all times. The internal control mechanisms to be established by Institutions shall include, in particular, processes for controlling executed transactions, processes for reconciling funds, strict access controls subject to the four-eyes principle and, where applicable, an appropriate counterparty risk management framework.

Legal reporting 

In addition to the provisions of CSSF circular 15/614 “Documents to be submitted to the CSSF after the closure of the financial year”, the following reports and attestations are submitted annually to the CSSF with reference to the Circular:

  1. the ICT and security risk annual assessment pursuant to article 105-1(2) of the LPS and amended CSSF circular 25/880 regarding relationship management of payment service users and PSP ICT assessment; 
  2. the annual attestation of compliance signed by all members of the management body; and 
  3. the summary reports from the compliance and internal audit functions, signed by the Chief Compliance Officer and the Chief Internal Auditor respectively.

The documents referred to in points 2 and 3 shall be submitted as soon as possible and no later than three months after the end of the financial year.

Looking forward 

As highlighted by the CSSF, the payment and electronic money sector has experienced, and continues to experience, significant growth driven by multiple factors, resulting in substantial increases in transaction volumes and values. This expansion underscores the need for strong and effective governance frameworks to ensure the safety, efficiency, and trustworthiness of payment and electronic money services. 

In this context, the Circular represents an important first step towards a consolidated regulatory framework on internal governance in its broadest sense.

Institutions are required to assess and review their central administration, internal governance and risk management frameworks to ensure compliance with the Circular by 30 June 2026.

Further regulatory guidance may also be expected at EU level, as the proposed third Payment Services Directive foresees the adoption by the EBA of guidelines on internal governance arrangements, taking into account the variation of sizes and business models among PIs and respecting the principle of proportionality.

Footnotes

1. The Circular also applies to account information service providers, which for this purpose are treated as payment institutions, subject to the principle of proportionality.

2. Circulars IML 95/120, IML 96/126, IML 98/143 and CSSF 04/155 will be repealed for PIs and EMIs, and CSSF circulars 11/510 and CSSF 11/520 will be amended.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
