1 Legal framework

1.1 Which legislative and regulatory provisions govern the banking sector in your jurisdiction?

The main law governing credit institutions in Luxembourg is the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act’), which covers:

  • access to professional activities in the financial sector (including the authorisation of credit institutions established under Luxembourg law, and the authorisation for the establishment of branches and freedom to provide services in Luxembourg by credit institutions governed by foreign law);
  • professional obligations, prudential rules and rules of conduct in the financial sector;
  • prudential supervision of the financial sector;
  • prudential rules and obligations in relation to recovery planning, intra-group financial support and early intervention; and
  • sanctions.

As Luxembourg is an EU member state, European banking regulations are also applicable to Luxembourg credit institutions - in particular, Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR). The Banking Act implements into Luxembourg law, among others, Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, as amended (CRD).

Many specific laws and regulations (at both a European and Luxembourg level) also apply, depending on the activities pursued by Luxembourg credit institutions (eg, investment services, securitisation, over-the-counter derivative transactions, securities financing transactions, regulation of benchmarks).

Luxembourg credit institutions are also subject to the Law of 18 December 2015 on the resolution, reorganisation and winding up measures of credit institutions and certain investment firms and on deposit guarantee and investor compensation schemes, as amended (‘BRR Law’), which implements Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms (BRRD); and to the Law of 17 June 1992 relating to the annual and consolidated accounts of credit institutions governed by the laws of Luxembourg, as amended (‘Accounts Law’).

The legal framework is completed by grand-ducal regulations, Commission de Surveillance du Secteur Financier (CSSF) regulations and CSSF circulars on a variety of specific topics. One of the most important circulars is CSSF Circular 12/552 on the central administration, internal governance and risk management of credit institutions, investment firms and professionals performing lending operations, as amended.

The words ‘credit institution’ and ‘bank’ are used interchangeably throughout this Q&A.

1.2 Which bilateral and multilateral instruments on banking have effect in your jurisdiction? How is regulatory cooperation and consolidated supervision assured?

A number of international organisations are working on topics that are of relevance to the financial sector as a whole, and to credit institutions in particular.

Luxembourg is a member state of the Organisation for Economic Cooperation and Development (OECD), which works on establishing norms and better policies for a wide range of subjects, such as corruption and tax avoidance. Luxembourg is also a member of the Financial Action Task Force (FATF), which sets standards, makes recommendations and promotes effective implementation of legal, regulatory and operational measures for the fight against money laundering and terrorist financing.

The CSSF is one of the bank supervisors that are members of the Basel Committee on Banking Supervision, which is the primary global standard-setter for the prudential regulation of banks.

The European Commission, the European Central Bank (ECB) and the OECD are members of the Financial Stability Board (FSB), which is an international organisation that monitors and makes recommendations for the global financial system.

The work performed by these organisations typically influences European legislation, which is applicable to credit institutions in Luxembourg. For instance, the Basel Framework is transposed via CRD and CRR; and the FATF Recommendations are implemented at the European level via Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, as amended.

The EU financial system is supervised via the European System of Financial Supervision (ESFS). The ESFS consists of:

  • the European Systemic Risk Board, which is responsible for the macro-prudential oversight of the EU financial system and the prevention and mitigation of systemic risk;
  • the three European Supervisory Authorities - the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority; and
  • national supervisory authorities.

Banking supervision is further ensured via the Single Supervisory Mechanism (SSM), which comprises the ECB and the national supervisory authorities and which, together with the Single Resolution Mechanism, forms the EU Banking Union.

The different authorities forming part of the ESFS are required under their respective regulations to cooperate with each other and to ensure the flow of appropriate and reliable information between them. Similarly, the regulations establishing the SSM require cooperation between the ECB and the ESFS, as well as cooperation within the SSM between the ECB and the national supervisory authorities.

Finally, specific EU directives and regulations, such as CRD and CRR, include specific provisions on cooperation between authorities and consolidated supervision. The Banking Act (which implements CRD in Luxembourg) includes a number of provisions with respect to cooperation, coordination and exchange of information between competent authorities (see in particular question 5.1).

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers (including sanctions) do they have?

CSSF: The Luxembourg regulator for the financial sector is the CSSF, which falls under the authority of the Luxembourg Ministry of Finance.

The powers of the CSSF include the right to:

  • have access to any document in any form whatsoever and receive a copy of it;
  • request information from any person and, where necessary, summon any such person in order to obtain information;
  • carry out on-site inspections or investigations with respect to persons subject to its prudential supervision;
  • require existing telephone records or other existing electronic communication or data traffic records;
  • require the cessation of any practice that is contrary to the provisions of the CRR, the Banking Act and their implementing measures, and take measures to prevent the repetition of such practices;
  • request the freezing and/or sequestration of assets with the district court of Luxembourg;
  • impose a temporary prohibition of professional activity with respect to persons subject to its prudential supervision, as well as members of the management body, employees and tied agents linked to these persons;
  • require approved statutory auditors of the persons subject to its prudential supervision to provide information;
  • adopt any type of measure necessary to ensure that the persons subject to its prudential supervision continue to comply with the requirements of the CRR, Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments, the Banking Act and their implementing measures;
  • refer information to the state prosecutor for criminal prosecution;
  • require approved statutory auditors or experts to carry out on-site verifications or investigations of persons subject to its prudential supervision, at the expense of the person concerned;
  • issue a communication to the public;
  • suspend the marketing or sale of financial instruments or of structured deposits in certain specific cases;
  • require the removal of a natural person from the board of a credit institution;
  • subject to certain conditions, require electronic communication and communications network providers to hand over records of electronic communications; and
  • generally require from any person subject to its supervision any information that may be useful to the pursuit of its supervisory mission.

The CSSF also has powers of injunction and suspension, whereby it may enjoin a person subject to its supervision, within a specific timeframe, to remedy any situation or cease any practice that is contrary to legal, regulatory or statutory provisions, or to cease any conduct and refrain from repeating any conduct that would be contrary to such provisions. Where the situation in question has not been remedied within the timeframe imposed, the CSSF may:

  • suspend the members of the management body or any other persons;
  • suspend the exercise of voting rights attached to shares held by shareholders or members in the supervised entity; or
  • suspend the supervised entity's business or a particular area of such business.

With respect to financial holding companies and mixed financial holding companies – which must seek authorisation further to amendments to the banking regulation framework introduced by Directive (EU) 2019/878 of the European Parliament and of the Council of 20 May 2019 amending Directive 2013/36/EU as regards exempted entities, financial holding companies, mixed financial holding companies, remuneration, supervisory measures and powers and capital conservation measures (CRD V) – the CSSF can take the following supervisory measures where the conditions for their approval are not met or have ceased to be met:

  • suspending the exercise of the voting rights attached to the shares of the subsidiary institutions (including banks) held by the holding company;
  • issuing injunctions or penalties against the holding company or the persons responsible for its administration or management;
  • giving instructions to the holding company;
  • temporarily designating another entity within the group as responsible for ensuring compliance with legal and regulatory requirements on a consolidated basis;
  • restricting or prohibiting distributions or interest payments to shareholders;
  • requiring the holding company to divest from or reduce holdings in CRR institutions (including banks) or other financial sector entities; and
  • requiring the holding company to submit a plan to return to compliance.

The CSSF may issue circulars and regulations on specific topics relating to its supervisory powers.

The CSSF may impose administrative penalties on legal persons subject to its supervision and the members of the management body, the effective managers or the persons responsible for a breach of these legal persons if:

  • they fail to comply with applicable laws, regulations, statutory provisions or instructions;
  • they refuse to provide accounting documents or other requested information;
  • they have provided documentation or other information that proves to be incomplete, incorrect or false;
  • they preclude the performance of the powers of supervision, inspection and investigation of the CSSF;
  • they contravene the rules governing the publication of balance sheets and accounts;
  • they fail to act in response to injunctions from the CSSF; or
  • they act in such a way as to jeopardise the sound and prudent management of the relevant supervised entity.

In such cases, the CSSF may impose the following penalties:

  • a warning;
  • a reprimand;
  • a fine of between €250 and €250,000;
  • a temporary or permanent prohibition on the execution of any number of operations or activities, as well as any other restrictions on the activities of the person or entity; and/or
  • a temporary or permanent prohibition on participation in the profession by the directors or senior managers of persons or entities subject to the CSSF's supervision.

These sanctions may be published. The CSSF may also impose a coercive fine of up to €1,250 per day (with a total upper limit of €25,000) designed to compel persons to comply with injunctions it has issued.

The Banking Act further contains a number of specific sanctions that may be imposed for:

  • specific breaches of the Banking Act;
  • specific breaches committed by CRR institutions; or
  • specific breaches relating to the provision of investment services, the performance of investment activities or the provision of data reporting services.

Such sanctions include:

  • administrative pecuniary penalties of up to 10% of the total annual net turnover;
  • administrative pecuniary penalties of up to €5 million; or
  • administrative pecuniary penalties of up to twice the amount of the benefit derived from the breach.

Other sanctions may be set out in specific laws.

ECB: The ECB plays a central role in the supervision of credit institutions within the framework of the SSM. The ECB is, in particular, responsible for:

  • granting and withdrawing credit institution licences;
  • assessing acquisitions and disposals of qualifying holdings (see question 9.2);
  • ensuring compliance with EU prudential requirements;
  • ensuring compliance with EU governance requirements; and
  • conducting supervisory reviews, on-site inspections and investigations.

The ECB is also responsible for the effective and consistent functioning of the SSM. The ECB directly supervises a number of ‘significant’ credit institutions, whereas ‘less significant’ credit institutions are supervised by their national supervisory authorities in cooperation with the ECB.

The ECB may adopt regulations. The ECB has the power to impose sanctions in case of failure by institutions to comply with obligations arising from ECB decisions or regulations, as set out in Council Regulation (EC) No 2532/98 of 23 November 1998 concerning the powers of the European Central Bank to impose sanctions, as amended. Such sanctions include fines and periodic penalty payments.

Banque Centrale du Luxembourg (BCL): The BCL is the Luxembourg central bank and forms part of the European System of Central Banks. The BCL implements the decisions taken by the ECB in Luxembourg and is competent for monetary policy operations in favour of Luxembourg credit institutions.

The BCL is also responsible for:

  • supervising the general liquidity situation on the markets and of market operators;
  • ensuring the efficiency and safety of payment systems and securities settlement systems, as well as the safety of payment instruments; the BCL may ask payment systems and securities settlement systems to provide information and may also perform on-site visits in this respect;
  • contributing to ensuring financial stability by cooperating with prudential supervision authorities; and
  • collecting statistical information from the competent national authorities or directly from economic agents, including credit institutions; the BCL may perform spot checks on the information provided.

The BCL has regulatory power and may issue regulations and circulars on subject matters relating to its tasks. It also enforces ECB decisions and implements the sanctions imposed by the ECB.

Commissariat aux Assurances (CAA): The CAA is the Luxembourg regulator responsible for the insurance sector. Credit institutions that provide insurance-related services may be subject to the CAA's supervision for those services.

European Banking Authority (EBA): The EBA, which is part of the European System of Financial Supervision (ESFS), also plays a role in the overall supervisory framework, in particular by publishing guidelines addressed to national competent authorities and aimed at harmonising regulatory practices.

1.4 What are the current priorities of regulators and how does the regulator engage with the banking sector?

The CSSF's current priorities are as follows:

  • The upcoming visit of the FATF to Luxembourg: The CSSF has organised conferences together with the Luxembourg Bankers' Association to raise awareness within the financial sector about the upcoming visit and explain the methodology which is used by the FATF. The CSSF is also particularly sensitive to AML/CFT compliance by all supervised institutions.
  • The registration of virtual asset service providers (VASPs): Since the adoption of two laws of 25 March 2020, the Luxembourg AML/CFT framework requires VASPs to register with the CSSF. Banks which provide certain virtual asset services fall within the scope of this registration requirement. The CSSF is actively encouraging VASPs to submit a registration file and reviews these carefully in order to ensure the Luxembourg VASP and virtual asset market is ‘clean’ from an AML/CFT perspective.
  • Outsourcing: The CSSF has recently published an update to the requirements for the outsourcing of material IT activities and is expected to publish a new circular shortly to overhaul the Luxembourg framework for outsourcing applicable to regulated institutions including banks.

2 Form and structure

2.1 What types of banks are typically found in your jurisdiction?

The Law of 5 April 1993 on the financial sector, as amended (‘Banking Act’) covers two types of banks: universal banks and banks issuing mortgage bonds.

As of 1 January 2022, the Luxembourg banking sector was composed of 125 banks, including:

  • 80 universal banks;
  • two banks issuing mortgage bonds;
  • 13 branches of third country credit institutions; and
  • 30 branches of credit institutions established in the European Union.

Corporate banking, private banking, investment funds servicing and custody are the main business areas for banks in Luxembourg.

2.2 How are these banks typically structured?

A Luxembourg credit institution must be a legal entity incorporated under Luxembourg law in the form of a public law institution, a public limited liability company, a corporate partnership limited by shares or a cooperative society.

2.3 Are there any restrictions on foreign ownership of banks?

There are no restrictions on the foreign ownership of banks. To the extent that a foreign entity acquires or disposes of a Luxembourg bank, the provisions on acquisitions and disposals of qualifying holdings (see question 9) apply.

Where a bank incorporated under Luxembourg law is part of a third-country group which has two or more institutions (as defined under Regulation (EU) 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR)) in the European Union (EU), the third-country group must have a single intermediate EU parent undertaking. Where such intermediate EU parent undertaking is established in Luxembourg, it must be a credit institution authorised in accordance with the provisions of the Banking Act or a financial holding company or mixed financial holding company approved under the Banking Act. The requirement to have an intermediate EU parent undertaking does not apply where the total value of the assets of the third-country group in the EU is less than EUR 40 billion.

2.4 Can banks with a foreign headquarters operate in your jurisdiction on the basis of their foreign licence?

It is possible for banks established in a foreign jurisdiction to operate in Luxembourg. However, a distinction is made between banks established in an EU member state and banks established in a jurisdiction outside of the European Union (a third country).

Banks established in an EU member state: Banks established and authorised in another EU member state may operate in Luxembourg via cross-border provision of services, via the establishment of a branch in Luxembourg or via the use of a tied agent, to the extent that the activities to be exercised in Luxembourg are covered by their licence and are listed in Annex I or Sections A or C of Annex II of the Banking Act (see question 3.1). In this case no authorisation from the Luxembourg authorities is required and the European passporting regime applies. Financial institutions as defined under Article 4(1)(26) of CRR may also operate in Luxembourg, subject to several specific conditions.

Banks established in a third country: Third-country banks that wish to establish a branch in Luxembourg in order to exercise their banking activities are subject to the same licensing requirements as Luxembourg credit institutions. Where the applicant third-country bank intends to perform activities involving the management of funds of third parties, it must have own funds which are separate and distinct from the assets of its shareholders. The branch must also have at its permanent disposal an endowment capital or capital base equivalent to that required of a person governed by Luxembourg law performing the same activities. Luxembourg branches of third-country banks are subject to specific reporting requirements.

Credit institutions from a third country which are not established in Luxembourg, but which occasionally and temporarily come to Luxembourg in order, among other things, to collect deposits and other repayable funds from the public and to provide any other service subject to the Banking Act, must obtain authorisation. Obtaining authorisation requires that the credit institution from the third country be subject, in its home jurisdiction, to authorisation and supervisory rules equivalent to those of the Banking Act.

Specific conditions apply where a third-country bank intends to provide investment services in Luxembourg. If the third-country bank intends to provide investment services to eligible counterparties and to professional clients within the meaning of Section A of Annex III of the Banking Act (ie, professional clients per se, which are certain types of entities that are considered to be professional clients by virtue of the Banking Act), it may establish a branch in Luxembourg that is subject to the same licensing requirements as Luxembourg law credit institutions and investment firms. However, it may also operate in Luxembourg without establishing a branch if:

  • it is authorised in its home jurisdiction to provide the investment services it intends to provide in Luxembourg;
  • either the European Commission (under Article 47 of Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (MiFIR)) or the Commission de Surveillance du Secteur Financier (CSSF) has adopted an equivalence decision confirming that the legal and supervisory regime of the third country establishes prudential and business conduct rules that are equivalent to those of MiFIR, Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments, Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms or the Banking Act, as applicable; and
  • cooperation arrangements have been established between the European Securities and Markets Authority or the CSSF, as applicable, and the relevant competent authority of the third country.

If the third-country bank intends to provide investment services to retail clients or to professional clients within the meaning of Section B of Annex III of the Banking Act (ie, clients that are not professional clients per se, but that have requested to be treated as professional clients), it must establish a branch in Luxembourg which is subject to the same licensing requirements as Luxembourg law credit institutions and investment firms and to a number of additional conditions.

Third-country groups incorporating a bank in Luxembourg may need to establish a single intermediate EU parent undertaking (see question 2.3 on foreign ownership of banks).

3 Authorisation

3.1 What licences are required to provide banking services in your jurisdiction? What activities do they cover?

No person established under Luxembourg law can carry out the business of a credit institution without holding a written authorisation from the minister of finance. Entities authorised as a credit institution in Luxembourg hold a so-called ‘universal banking licence’.

Credit institutions are authorised to:

  • perform the following banking activities:
    • acceptance of deposits and other repayable funds;
    • lending;
    • financial leasing;
    • provision of payment services;
    • provision of guarantees and commitments;
    • trading for own account or for account of customers in money market instruments, foreign exchange, financial futures and options, exchange and interest-rate instruments and transferable securities;
    • participation in securities issues and provision of services related to such issues;
    • advice to undertakings on capital structure, industrial strategy and related questions and advice, as well as services relating to mergers and acquisitions;
    • money broking;
    • portfolio management and advice;
    • safekeeping and administration of securities;
    • credit reference services;
    • safe-custody services; and
    • issuance of electronic money;
  • provide the following investment services and perform the following investment activities:
    • receipt and transmission of orders in relation to financial instruments;
    • execution of orders on behalf of clients;
    • dealing on own account;
    • portfolio management;
    • investment advice;
    • underwriting of financial instruments and/or placing of financial instruments on a firm commitment basis;
    • placing of financial instruments without a firm commitment basis;
    • operation of multilateral trading facilities; and
    • operation of organised trading facilities;
  • provide ancillary services such as:
    • safekeeping and administration of financial instruments for the account of clients;
    • the granting of credits or loans to investors to allow them to carry out a transaction in one or more financial instruments;
    • advice to undertakings on capital structure, industrial strategy and related matters;
    • foreign exchange services, where they are connected to the provision of investment services;
    • investment research and financial analysis or other forms of recommendation relating to transactions in financial instruments; and
    • services related to underwriting; and
  • perform any other activity falling under the scope of the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act’) (including activities as registrar agent, professional depositary of financial instruments, professional depositary of assets other than financial instruments, operator of a regulated market authorised in Luxembourg, currency exchange dealer, debt recovery, professional performing lending operations, professionals performing securities lending, family office, mutual savings fund administrator, domiciliation agent, professional providing company incorporation and management services, client communication agent, administrative agent of the financial sector, primary IT systems operator of the financial sector, secondary IT systems and communication networks operator of the financial sector, dematerialisation service provider of the financial sector, conservation service provider of the financial sector).

3.2 What requirements must be satisfied to obtain a licence?

The Banking Act sets out a number of base requirements that an institution must comply with in order to obtain authorisation as a credit institution. The proposed credit institution must be established in one of the legal forms set out under question 2.2.

The applicant must evidence the existence in Luxembourg of the central administration (meaning both the decision-making centre and the administrative centre) and the registered office of the proposed credit institution. Certain administrative aspects may be outsourced or performed abroad by affiliates if the applicant is in a group context. The credit institution must have robust internal governance arrangements, including:

  • a clear organisational structure with well-defined, transparent and consistent lines of responsibility;
  • effective processes to identify, manage, monitor and report the risks they are or might be exposed to; and
  • adequate internal control mechanisms, including sound administrative and accounting procedures and remuneration policies and practices allowing and promoting a sound and effective risk management, as well as control and security arrangements for information processing systems.

Specific organisational requirements must be met if the credit institution provides investment services and/or performs investment activities.

The applicant must provide the Commission de Surveillance du Secteur Financier (CSSF) with the identity of its shareholders, whether direct or indirect and whether natural or legal persons, that have qualifying holdings in the institution to be authorised or, where there are no qualifying holdings, of the 20 largest shareholders. A ‘qualifying holding’ is any direct or indirect holding which represents 10% or more of the capital or voting rights in the relevant bank, or which makes it possible to exercise a significant influence over the management of the bank. The CSSF assesses the shareholding of the institution to be authorised and verifies whether:

  • the sound and prudent management of the credit institution can be ensured;
  • the shareholders are of good professional repute and have sufficient knowledge, skills and experience;
  • the prudential supervision can be exercised without hindrance and the supervision on a consolidated basis is ensured;
  • the shareholding structure is transparent and well organised;
  • the shareholders are financially sound; and
  • there are reasonable grounds to suspect that money laundering or terrorist financing activities are being undertaken or have been undertaken, or there is an increased risk of such activities.

The members of the management body must at all times be of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties.

The applicant must have a share capital of at least €8.7 million (see question 4.2).

The institution must have its annual accounts audited by one or more approved statutory auditors. Typically, one of the ‘Big Four’ is appointed for this purpose.

The authorisation is also subject to the proposed credit institution's membership in the Luxembourg deposit guarantee scheme (Fonds de Garantie des Dépôts Luxembourg) (see question 10.2) and the Luxembourg investor protection scheme (Système d'Indemnisation des Investisseurs Luxembourg).

3.3 What is the procedure for obtaining a licence? How long does this typically take?

The authorisation procedure typically starts with a meeting between the applicant and the CSSF to discuss the request for authorisation as a credit institution. The CSSF recommends that such preliminary discussions take place prior to the official submission of the application file.

The official request for authorisation is introduced via a written application to be submitted to the CSSF, both electronically and in paper format. The application must be accompanied by all information required for the assessment thereof and by a programme of operations indicating the type and volume of business envisaged and the administrative and accounting structure of the institution. The minimum content of the application file, as well as the list of documents to be provided with the banking licence application file, is available on the CSSF's website.

The European Central Bank (ECB) is competent to authorise all credit institutions established in the EU member states participating in the Single Supervisory Mechanism (including Luxembourg). The CSSF notifies the receipt of an application file to the ECB, and the application file is assessed by both the CSSF and the ECB. If the CSSF considers the application file to be satisfactory, it will make a proposal to the ECB to authorise the credit institution and the ECB will then grant the authorisation and notify the CSSF thereof.

The CSSF must notify its decision within six months of receipt of the application or, if the application is incomplete, within six months of receipt of the information needed for the adoption of the decision. The absence of a decision within six months shall be deemed to be a refusal. In any event, a decision shall be adopted within 12 months of receipt of the application, and the absence of a decision is deemed to be a notification of refusal.

The authorisation is granted for an unlimited period.

The application is subject to an initial fee of €15,000. Annual licensing fees apply depending on the size of the credit institution's balance sheet. An annual lump sum is also payable for the participation in the Luxembourg deposit guarantee scheme (Fonds de Garantie des Dépôts Luxembourg), depending on the amount of covered deposits.

4 Regulatory capital and liquidity

4.1 How are banks typically funded in your jurisdiction?

Consistent with other Euro-area banks following the 2008 financial crisis, customer deposits represent the single largest source of funding. In 2020 deposits owed to customers represented approximately 53.13% of total liabilities (Euro-area average). These deposits are sourced from non-financial and financial undertakings, private and/or retail customers, and the current accounts of investment funds. The second major area of funding for banks in Luxembourg is interbank liabilities, which represented 28.30% of total liabilities in 2020.

4.2 What minimum capital requirements apply to banks in your jurisdiction?

Credit institutions must have a share capital of at least €8.7 million which is subscribed, fully paid up and compliant with the relevant provisions of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR) (Articles 28 and, where applicable, 29). They are also subject to specific rules on capital adequacy and must maintain a number of capital buffers.

Under the CRR, credit institutions must maintain, at all times, a total capital ratio (ie, the own funds of the credit institution expressed as a percentage of the total risk exposure amount, as calculated in accordance with the relevant provisions of the CRR) of 8%. The capital ratio must be composed of 4.5% of Common Equity Tier 1 capital, 1.5% of Additional Tier 1 capital and 2% of Tier 2 capital (each as defined under the CRR). They must also maintain a leverage ratio of 3%.

Under the Law of 5 April 1993 on the financial sector, as amended, credit institutions must maintain a capital conservation buffer composed of Common Equity Tier 1 capital equal to 2.5% of their total risk exposure amount calculated in accordance with the CRR, and an institution-specific countercyclical capital buffer composed of Common Equity Tier 1 capital which is equivalent to their total risk exposure amount calculated in accordance with the CRR multiplied by the weighted average of the countercyclical buffer rates. The CSSF is responsible for setting the countercyclical buffer rates applicable in Luxembourg. The countercyclical buffer rate for the first quarter of 2022, which is applicable as from 1 January 2022, is 0.50%.

Credit institutions may also, under certain conditions, be required to maintain a systemic risk buffer of Common Equity Tier 1 capital.

‘Globally systemically important institutions' and ‘other systemically important institutions' (as defined in question 5.2) must maintain the additional capital buffers set out in question 5.2.

4.3 What legal reserve requirements apply to banks in your jurisdiction?

The European Central Bank requires credit institutions established in the euro area to hold deposits on accounts with their national central bank. These are called ‘minimum reserves'. The reserve requirements are set out in Regulation (EU) 2021/378 of the European Central Bank of 22 January 2021 on the application of minimum reserve requirements (recast). In this respect, it should be noted that:

  • branches in the euro area of credit institutions established outside the euro area are also subject to the minimum reserve requirements; and
  • branches of euro area credit institutions which are located outside the euro area are not subject to the minimum reserve requirements.

Since 26 June 2021, minimum reserves are calculated using the following reserve ratios:

  • 0% for (i) deposits which (a) have an agreed maturity over two years, (b) are redeemable at notice over two years, or (c) are repurchase agreements (repos) and (ii) debt securities issued with an original maturity over two years; and
  • 1% on all other liabilities included in the reserve base, as defined in Regulation (EU) 2021/378.

5 Supervision of banking groups

5.1 What requirements apply with regard to the supervision of banking groups in your jurisdiction?

The Law of 5 April 1993 on the financial sector, as amended (‘Banking Act') – which implements, among others, Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, as amended (CRD) and Directive 2002/87/EC of the European Parliament and of the Council of 16 December 2002 on the supplementary supervision of credit institutions, insurance undertakings and investment firms in a financial conglomerate, as amended – contains provisions on:

  • the supervision of credit institutions carrying on business in more than one EU member state;
  • the supervision of credit institutions subject to Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR) on a consolidated basis; and
  • the supplementary supervision of credit institutions in a financial conglomerate.

The CRR also includes provisions with respect to prudential consolidation to which credit institutions may be subject.

The prudential supervision of Luxembourg credit institutions by the Commission de Surveillance du Secteur Financier (CSSF) covers the activities performed by such credit institutions in other EU member states via the establishment of branches or the cross-border provision of services. The Banking Act also sets out the CSSF's powers with respect to Luxembourg branches of credit institutions from other EU member states, and the respective rights and competence of the CSSF and other competent authorities.

There are certain cases where the CSSF is required to exercise prudential supervision on a consolidated basis, meaning on the basis of the situation that results from applying the CRR requirements to a credit institution as if that credit institution formed, together with one or more other entities, a single institution. Such consolidated supervision applies, for instance:

  • to Luxembourg parent credit institutions;
  • to Luxembourg parent financial holding companies having as a subsidiary a Luxembourg credit institution; and
  • under certain conditions, where the relevant group includes a Luxembourg credit institution and such credit institution shows the largest balance-sheet total.

The consolidated supervision covers, for instance, the items referred to in Article 11 of the CRR (eg, requirements with respect to own funds and eligible liabilities, capital requirements, large exposures and leverage), capital adequacy, internal governance requirements, certain intra-group transactions, risk management processes and internal control mechanisms, and the professional repute, experience, knowledge and skills of the members of the management body of a financial holding company or mixed financial holding company.

The CSSF must identify any group of companies that constitutes a financial conglomerate as defined in the Banking Act. The CSSF exercises supplementary supervision over Luxembourg credit institutions that belong to a financial conglomerate if the CSSF assumes the role of ‘coordinator' for the supervision of regulated entities in that financial conglomerate. The Banking Act sets out the different scenarios in which the CSSF may act as coordinator; this is the case, for instance, where:

  • the financial conglomerate is headed by a credit institution or an investment firm authorised in Luxembourg;
  • it is headed by a mixed financial holding company which is the parent of a credit institution or investment firm authorised in Luxembourg; or
  • a Luxembourg credit institution or investment firm belongs to a financial conglomerate, subject to certain specific conditions.

All the financial sector entities within a financial conglomerate - whether regulated or not and whether established in an EU member state or in a third country - fall within the scope of the supplementary supervision of the CSSF. The supplementary supervision to be carried out by the CSSF covers the financial position of the financial conglomerate, and in particular the capital adequacy, risk concentration, intra-group transactions, internal control mechanisms and risk management processes.

The Banking Act contains rules on:

  • cooperation, coordination and exchange of information between competent authorities;
  • access to and verification of information;
  • the powers and enforcement measures of competent authorities; and
  • the measures at the disposal of the CSSF in order to effectively exercise its supervision.

Entities controlling a bank may qualify as ‘parent financial holding company' or ‘parent mixed financial holding company' which may trigger prudential supervision on a consolidated basis under CRR and governance requirements. Luxembourg-based parent financial holding companies and parent mixed financial holding companies must seek approval from the CSSF. This requires the provision of information on the entity and the group to the CSSF and, where different, the consolidating supervisor. An exemption from the approval requirement is available where certain conditions are met.

5.2 How are systemically important banks supervised in your jurisdiction?

‘Systemically important' banks must be distinguished from ‘significant' banks, as these concepts entail different consequences.

Significant and less significant institutions: The European Central Bank (ECB) directly supervises ‘significant' credit institutions; whereas ‘less significant' credit institutions are supervised by their national supervisory authorities in cooperation with the ECB. A credit institution will be considered as significant if it fulfils at least one of the significance criteria set out in Regulation (EU) No 468/2014 of the European Central Bank of 16 April 2014 establishing the framework for cooperation within the Single Supervisory Mechanism between the European Central Bank and national competent authorities and with national designated authorities and Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions. These criteria include:

  • the credit institution's size;
  • its economic importance for the European Union as a whole or a specific EU member state;
  • the significance of its cross-border activities;
  • whether it has requested direct public financial assistance from the European Stability Mechanism or the European Financial Stability Facility; and
  • whether the credit institution is one of the three most significant credit institutions established in an EU member state.

The ECB maintains a list of significant credit institutions.

Systemically important institutions: CRD defines ‘globally systemically important institutions' (G-SIIs) and ‘other systemically important institutions' (O-SIIs). The CSSF is the authority designated to identify the systemically important institutions authorised in Luxembourg, which include G-SIIs and O-SIIs. The CSSF takes its decisions in this respect after consultation with the Banque Centrale du Luxembourg (BCL) and the Luxembourg Systemic Risk Committee.

G-SIIs and O-SIIs are subject to additional capital requirements. G-SIIs must maintain an additional capital buffer (the G-SII buffer) that consists of Common Equity Tier 1 capital and varies between 1% and 3.5%, depending on the degree of systemic importance of the bank. O-SIIs may, subject to certain conditions, be required by the CSSF to maintain an additional capital buffer (the O-SII buffer) that consists of Common Equity Tier 1 capital. At present, there are no G-SIIs in Luxembourg. Seven O-SIIs have been identified, which are subject to O-SII buffers between 0.5% and 1% (depending on the institution) as of 1 January 2022.

5.3 What is the role of the central bank?

See question 1.3(c) above for the role of the BCL in general. As mentioned under question 5.2, the BCL also has a consultation role with respect to the supervision of systemically important institutions.

6 Activities

6.1 What specific regulations apply to the following banking activities in your jurisdiction: (a) Mortgage lending? (b) Consumer credit? (c) Investment services? and (d) Payment services and e-money?

Mortgage lending: Mortgage credit is one of the activities listed in Annex I of the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act') that credit institutions are authorised to perform.

Specific provisions on mortgage lending have been introduced in the Luxembourg Consumer Code by the Luxembourg law of 23 December 2016 which implements Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property, as amended.

See question 10.1 concerning specific requirements for consumer protection.

The Banking Act was amended by the law of 4 December 2019 on macro-prudential measures concerning residential mortgages. This law was adopted following a recommendation by the European Systemic Risk Board in order to prevent the overheating of the mortgage lending market in Luxembourg. The new provisions allow the Commission de Surveillance du Secteur Financier (CSSF) - in collaboration with the BCL, the Commissariat aux Assurances and the Luxembourg Systemic Risk Committee - to impose on credit institutions, insurance companies and other professionals of the financial sector additional guidelines on credit criteria for mortgage loans relating to residential real estate located in Luxembourg. These measures can be taken only where they are required to counter the dysfunction of the national financial system or reduce the risks for the national financial stability stemming from developments in the real estate sector in Luxembourg.

In addition, the CSSF adopted Regulation No 20-08 of 3 December 2020 laying down conditions for granting loans for residential property located on Luxembourg territory, which applies to mortgage loans entered into as from 1 January 2021. This Regulation in particular introduces a Loan-to-Value ratio requirement of 80%, with certain exceptions (in particular, the ratio is 90% where the loan concerns the main residence of the borrower, and 100% for first-time acquirers of a main residence).

Consumer credit: Consumer credit is one of the activities listed in Annex I of the Banking Act that credit institutions are authorised to perform.

Specific provisions on consumer credit have been introduced in the Consumer Code by the Luxembourg law of 8 April 2011 which implements Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers, as amended.

See question 10.1 concerning specific requirements for consumer protection.

Investment services: At a European level, investment services are regulated by Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (MiFID II) and Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (MiFIR), each as amended.

MiFID II has been implemented in Luxembourg by the law of 30 May 2018 on markets in financial instruments (‘MIFID Law'), which amends the Banking Act.

Credit institutions are authorised to perform MiFID II investment services subject to the provisions of the Banking Act, the MIFID Law and MiFIR (see question 3.1).

Payment services and e-money: Payment services and the activity of electronic money institutions are governed by the Luxembourg law of 10 November 2009 on payment services, on the activity of electronic money institutions and settlement finality in payment and securities settlement systems, as amended (‘2009 Law') which implements into Luxembourg law the provisions of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market and of Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions, each as amended.

Credit institutions are authorised to provide payment services as defined in the 2009 Law and to issue electronic money within the meaning of the 2009 Law, subject to the provisions of the Banking Act and the 2009 Law.

7 Reporting, organisational requirements, governance and risk management

7.1 What key reporting and disclosure requirements apply to banks in your jurisdiction?

Banks are subject to extensive reporting requirements, and in particular prudential reporting requirements under Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR). This includes reporting on own funds, financial information, large exposures, leverage, liquidity, losses stemming from lending collateralised by immovable property and asset encumbrance. The content and format of the reporting are harmonised by Commission Implementing Regulation (EU) 2021/451 of 17 December 2020 laying down implementing technical standards for the application of CRR with regard to supervisory reporting of institutions, as amended.

There are additional reporting requirements covered by Luxembourg provisions. Banks must, for instance, provide:

  • information on participating interests and subordinated loans;
  • information on staff expenses and taxes;
  • a list of their head offices, agencies, branches and representative offices;
  • an analysis of shareholdings; and
  • a list of persons responsible for certain functions and activities.

Ad hoc reports may also be requested by the Commission de Surveillance du Secteur Financier (CSSF).

In order to assist banks with their reporting obligations, the CSSF published Circular 14/593, as amended, on supervisory reporting requirements applicable to credit institutions, as well as Circular 19/731, which lists the documents to be submitted to the CSSF and the European Central Bank on an annual basis, as well as the appropriate timing for submission. The CSSF also published a guide on reporting requirements for credit institutions.

Depending on their activities, banks may also be subject to specific reporting requirements under specific regulations. For instance, Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories requires settlement internalisers (ie, credit institutions which execute transfer orders on behalf of clients or on their own account other than through a securities settlement system) to report to the CSSF on a quarterly basis the aggregated volume and value of all securities transactions that they settle outside securities settlement systems. Likewise, Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories and Regulation (EU) 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse require banks that are counterparties to derivative contracts and securities financing transactions, respectively, to report the details of such contracts and transactions to trade repositories.

Banks have an obligation to publish their duly approved annual accounts together with the management reports and the reports from the persons responsible for auditing the accounts in accordance with the Law of 17 June 1992 relating to the annual and consolidated accounts of credit institutions governed by the laws of Luxembourg, as amended (the ‘Accounts Law'). Banks are further subject to periodic statistical reporting to the Banque Centrale du Luxembourg.

7.2 What key organisational and governance requirements apply to banks in your jurisdiction?

Generally, credit institutions must have in place effective policies and procedures to ensure compliance with their legal obligations and avoid conflicts of interest. From a systems perspective, credit institutions must invest appropriately to ensure continuity and regularity of services, and have appropriate risk management and security systems in place. Outsourcing is permitted; however, it must be contractualised and banks remain fully liable for any outsourced functions. Banks must ensure accurate recordkeeping for all services and transactions and ensure that, in respect of client assets, those assets' ownership rights are protected. Client financial instruments may not be used on own account, except where a client has provided express permission.

The Law of 5 April 1993 on the financial sector, as amended, and the CRR require the management body of institutions to define, oversee and be accountable for the implementation of governance arrangements. The key accountabilities include the strategic objectives, risk strategy, and internal governance. In addition, the management body must ensure the integrity of the financial reporting system and exercise effective oversight of the daily management of the bank. There is a prohibition against combining the role of chair of the management body and chief executive officer. In respect of the composition of the management body, particular attention must be paid to the experience, skills, and knowledge of individual members, but also of the management body as a whole. There are detailed requirements in respect of time commitment and the number of directorships which may be held simultaneously. Credit institutions must also ensure that adequate human and financial resources are dedicated to the induction and training of members of the management body.

In addition, CSSF Circular 12/552 sets out detailed requirements relating to internal governance arrangements and specific requirements for the finance and IT functions. Banks must have appropriate internal communication and whistleblower arrangements and must also have put in place crisis management protocols, which have been tested. All governance arrangements must be documented in writing. Following the implementation of CSSF Circular 12/552 in late 2012, this was a major area of focus for banks in Luxembourg and continues to be a main source of concern of the CSSF.

7.3 What key risk management requirements apply to banks in your jurisdiction?

Banks in Luxembourg must have adequate internal control systems in place to promote sound and effective risk management. The CSSF recommends that larger or more complex institutions have a risk committee to assist the management body in order to facilitate effective risk control at management body level. CSSF Circular 12/552 requires the management body to approve a risk policy which implements the risk strategy of the institution. This policy must include:

  • the institution's risk tolerance determination;
  • an internal limits system which limits risk taking in accordance with the risk tolerance;
  • measures aimed to promote a sound risk culture;
  • the existence of a risk control function and management arrangements for limits breaches and corrective measures for such breaches;
  • the definition of a risk management information system; and
  • crisis management and business continuity arrangements.

Further, the management body must set a capital and liquidity policy which:

  • defines internal standards in relation to the management, scope and quality of the regulatory and internal own funds and liquidity reserves;
  • defines processes to ensure reliable management information;
  • ensures the permanent adequacy of the regulatory and internal own funds and liquidity reserves;
  • effectively manages stress situations; and
  • designates the functions in charge of the management, functioning and improvement of the processes, limit systems, procedures and internal controls.

CSSF Circular 12/552 requires the establishment of three distinct internal control functions (risk, internal audit and compliance). The risk and compliance functions form part of the second line of defence, while the internal audit function constitutes the third line of defence. Each of the three control functions shall be under the responsibility of a separate head of function (who, for the risk control function, is referred to as the ‘chief risk officer'). The principle of proportionality applies and it is therefore possible to merge the risk management and compliance functions on a case-by-case basis. The risk management function (as well as the compliance and audit functions) must be permanent and independent, and hold sufficient authority. The chief risk officer must have direct access to the members of the management body or its chair (or chair of the risk committee), the external auditor and the CSSF. The bank shall ensure that individuals working within the risk management function have a high level of professional experience and that the function is appropriately resourced. It is not permissible to outsource the risk management function. Under the principle of proportionality, a full-time chief risk officer may not be required for smaller institutions and can potentially be combined with compliance, subject to regulatory approval.

There are a number of important tasks which fall within the remit of the risk management function:

  • monitoring risk limits and their compatibility with the strategies, activities and organisational and operational structure of the bank;
  • systematic production of accurate risk management information for authorised management to understand the risks to which the institution is or may be exposed;
  • the development of effective terminology, methods and technical resources to anticipate risk, as well as to identify, measure, report, manage, and monitor risks;
  • the development of conservative assumptions in particular regarding dependencies between risks; and
  • the anticipation and recognition of risks arising in a changing environment.

An annual risk management report relating to the tasks of the risk management function is prepared and submitted to the management body, in addition to regular and ad hoc reporting. Any serious problems, shortcomings or irregularities must be reported immediately by the risk management function to authorised management and the management body. It is also noteworthy that Luxembourg credit institutions must take risks into account when assessing new or expanded product offerings.

7.4 What are the requirements for internal and external audit in your jurisdiction?

External audit: Credit institutions must have their annual accounts audited by one or more approved statutory auditors. One of the ‘Big Four' is typically appointed in order to perform this task. Any change in the approved statutory auditor must be authorised in advance by the CSSF.

The Accounts Law specifies the content that must be included in the report of the approved statutory auditors. The approved statutory auditors must also express an opinion concerning the consistency of the management report with the annual accounts and provide an audit opinion stating clearly whether the annual accounts give a true and fair view in accordance with the relevant financial reporting framework and whether the annual accounts comply with the applicable statutory requirements.

Internal audit: As mentioned under question 7.3, CSSF Circular 12/552 requires the establishment of three distinct internal control functions, which includes an internal audit function.

The internal audit function shall be under the responsibility of a specific head of function (the ‘chief internal auditor'). The appointment and removal of the person in charge of the internal audit function must be approved by the board of directors of the bank and reported in writing to the CSSF. The ‘chief internal auditor' must have direct access to the members of the management body or its chair, the external auditor and the CSSF.

The internal audit function must be permanent, independent and objective, and have sufficient authority. It must be able to express itself freely and access all relevant external and internal data in order to fulfil its mission. The members of the internal audit function must individually and collectively possess high professional skills in the field of banking and financial activities, and be able to cover all activities of the institution; ongoing training must be organised. The internal audit function must be appropriately resourced.

The main task of the internal audit function is to review and assess the central administration and the internal governance arrangements of the credit institution and to ensure that they are adequate and operate effectively. The internal audit function shall in particular assess:

  • the monitoring of compliance with applicable laws and regulations and the prudential requirements imposed by the CSSF;
  • the efficiency and effectiveness of internal controls;
  • the adequacy of the administrative, accounting and IT organisation;
  • the safeguarding of securities and assets;
  • the adequacy of the segregation of duties and of the execution of transactions;
  • the accurate and complete registration of transactions;
  • the provision of accurate, complete, relevant and understandable information to the board of directors, relevant committees, authorised management and the CSSF, as applicable;
  • the implementation of decisions taken by the authorised management and by the persons acting by delegation and under its responsibility;
  • compliance with the procedures governing the adequacy of the regulatory and internal own funds and liquidity (reserves);
  • the adequacy of the risk management; and
  • the operation and effectiveness of the compliance and risk management functions.

Each internal audit mission must be documented and subject to a written report. An annual internal audit report relating to the tasks of the internal audit function must also be prepared.

The internal audit function may be outsourced by smaller credit institutions whose risk profile is low and non-complex. Such outsourcing is subject to an assessment by the CSSF. The internal audit function may not be outsourced to the approved statutory auditor which is appointed as external auditor.

CSSF Circular 12/552 contains additional details on the organisation and responsibilities of the internal control functions, including the internal audit function, and the way in which they must execute their work.

8 Senior management

8.1 What requirements apply with regard to the management structure of banks in your jurisdiction?

In Luxembourg, both shareholders and members of the management body must be able to demonstrate that they possess sufficiently good repute and that the members of the management body possess sufficient knowledge, skills and experience to perform their duties. These requirements are applicable both on licence application and on a continuing basis. At least two individuals must be responsible for the management of the credit institution and those individuals must typically reside in or near Luxembourg.

The board of directors entrusts authorised management with the daily running of the bank, which includes the implementation of all guiding principles and internal governance arrangements approved by the board. The board of directors is responsible for monitoring and overseeing the effectiveness of authorised management. Each member of authorised management is responsible for personally overseeing the activities and functions which fall under their direct responsibility on a regular basis.

There must be a sufficient number of directors so that their collective competencies are appropriate for the nature, scale and complexity of the bank's activities. The board of directors may create dedicated board committees (membership drawn from members of the board of directors) in the fields of audit, risk, compliance, remuneration, nomination and so on. The determination of which committees are required and which topics are discussed is made by the institution having regard to its business activities. Larger institutions typically have a number of board committees. Smaller institutions may not require a board committee.

Commission de Surveillance du Secteur Financier (CSSF) Circular 12/552 also requires the creation of internal control functions: internal audit, compliance and risk. Smaller institutions may assign responsibility for these roles to a member of authorised management, who is then assisted by external advisers.

To the extent that a credit institution comprises multiple legal entities, it must be structured in an appropriate manner having regard to the strategy and guiding principles of the bank. At a group level, clear limits on powers and delegation should be established (with appropriate monitoring) and a comprehensive management information system must be put in place to ensure effective communication between legal entities, the board of directors, authorised management, internal control functions and the CSSF.

It should be noted that the concept of a ‘board of directors' as used in question 7 above and throughout this question 8 shall not be read in a strict company law sense, as banks may adopt a legal form that does not provide for a board of directors. Where the relevant bank has a board of supervisors, the references to a ‘board of directors' shall be read as references to the board of supervisors.

8.2 How are directors and senior executives appointed and removed? What selection criteria apply in this regard?

Members of the board of directors, both individually and collectively, must have the necessary professional competence (expertise, understanding and experience), professional standing and personal qualities required according to the bank's guiding principles governing the election and succession of the board. There must not be a majority of directors who take on an executive role within the institution. Depending on the institution's type and size, there may be a requirement in Luxembourg to have one or more directors who either are appointed by the Luxembourg state or represent the staff. In such cases, there are detailed rules for determining the number of directors required and the ratio of executive to non-executive directors.

Members of authorised management, both individually and collectively, must have the necessary professional competence (expertise, understanding and experience), professional standing and personal qualities to manage the institution and effectively determine the business direction. Specific qualities which are required include commitment, availability, objectivity, critical thinking and independence.

On appointment and on a continuing basis, the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act') and CSSF Circular 12/552 require members of the board of directors and authorised management (as well as internal control function heads) to evidence professional standing and good repute, assessed on the basis of police records and any other evidence requested. Depending on whether an institution is classified as ‘significant' or ‘less significant', a personal declaration must also be completed with different levels of information required from nominees regarding conflicts of interest, personal shareholdings, professional experience, time commitment and applicable skills.

On removal of a member of the board of directors or authorised management (as well as internal control function heads), different scenarios apply:

  • For resignations, the CSSF must be notified immediately and provided with a copy of the letter of resignation; and
  • For removals, the CSSF must be notified and receive detailed, written justifications for the decision together with a copy of the termination/revocation letter.

In addition to the foregoing, standard company law requirements for appointing and removing members of the board of directors and authorised management also apply.

8.3 What are the legal duties of bank directors and senior executives?

The legal duties of Luxembourg bank directors and executives are similar to those in other major financial centres. The duties are derived both from Luxembourg company law and from financial regulation. The Luxembourg law of 10 August 1915 on commercial companies, as amended, requires that directors:

  • act in the best interest of the company;
  • exercise independent judgement;
  • exercise reasonable care, skill, and diligence;
  • avoid conflicts of interest;
  • declare interests;
  • ensure confidentiality; and
  • act within corporate objects and powers.

Luxembourg as a jurisdiction has a high number of banking subsidiaries. In respect of acting within the best interests of the company, it is important to consider director duties in the context of the Luxembourg subsidiary, acknowledging that there may be instances where the interests of the group conflict. Potential claims against directors can be brought in Luxembourg by the state prosecutor (in respect of criminal matters), by liquidators/receivers/administrators and by the company itself. There is also a possibility for shareholders to make a claim against directors on behalf of the company.

In addition to Luxembourg company law and associated jurisprudence, the Ten Principles of Corporate Governance issued by the Luxembourg Stock Exchange (last updated in December 2017) also have persuasive value in determining appropriate courses of action for directors and contain detailed criteria, including those related to independence. The most detailed guidance on this topic is the Luxembourg Bank Director's Guide published by the Luxembourg Institute of Directors (www.ila.lu).

CSSF Circular 12/552 places overall responsibility for the entire credit institution on the board of directors. The board is responsible for ensuring execution of activities and preserving business continuity. It must put in place a sound central administration and internal governance arrangements. Additional specific responsibilities of the board of directors include setting out, in writing:

  • the business strategy of the institution, taking into account the bank's long-term financial interests, solvency and liquidity situation;
  • the risk strategy;
  • the regulatory and internal own funds and liquidity strategy;
  • the guiding principles of a clear and consistent organisational and operational structure regarding the creation and maintenance of legal entities, information systems, security, communication and whistleblowing;
  • the guiding principles relating to the internal control functions, remuneration, and escalation and settlement of any improper behaviours within the bank;
  • the human and material resources required to implement the bank's strategies and guiding principles;
  • the strategies for business continuity management and crisis management;
  • the guiding principles for the appointment and succession of key senior individuals within the credit institution; and
  • the arrangements to delegate and oversee management's implementation of the bank's strategies.

The role of the board of directors and corporate governance in general is a priority for the CSSF and the European Central Bank. Lack of appropriate governance arrangements is a frequent finding by the CSSF in relation to sanctions it has issued in recent years.

8.4 How is executive compensation in the banking sector regulated in your jurisdiction?

Executive compensation is a key lever used to promote sound and effective risk management within the Luxembourg and EU regulatory framework. CSSF Circular 17/658 adopts the European Banking Authority Guidelines on sound remuneration policies under Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, as amended (CRD) and disclosures under Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended. Additionally, the Banking Act has transposed the relevant restrictions relating to compensation contained in CRD. Credit institutions are obliged to develop remuneration policies addressing both variable and non-variable compensation. Certain remuneration and governance data must also be made available on the institution's website. In respect of firms which are significant (in terms of size, internal organisation and the nature, scope and complexity of their activities), there is a requirement to form both a nomination and remuneration committee, which must include non-executive directors.

The credit institution's remuneration policy must identify staff who have the ability to materially influence the risk position of the bank. As a rule, these include all members of the board of directors and senior management, staff members with managerial responsibility over the institution's control functions or material business units, and – subject to specific conditions – staff members entitled to significant remuneration in the preceding financial year. The policy must have a structure in place to govern the performance assessment of employees and provide a clear link to the bank's risk strategy. Remuneration policies must clearly distinguish between fixed and variable compensation. Variable compensation is capped at twice fixed compensation, with an exception process and regulatory notification procedure for any amounts in excess of such cap.

Additionally, the remuneration payout process requires multi-year deferrals over certain thresholds. Risk-based adjustments related to compensation already granted are also foreseen: institutions must be able to apply malus or clawback arrangements of up to 100% of the total variable remuneration and any adjustments must be performance and risk related. Remuneration policies must use performance and risk criteria and specifically consider:

  • evidence of misconduct or serious error;
  • whether the business subsequently suffers a significant downturn in its financial performance;
  • whether the business in which the staff member works suffers a significant failure of risk management;
  • significant increases in the institution's economic or regulatory capital base; and
  • any regulatory sanction where the conduct of the staff member was a contributing factor.

As at the end of 2019 (most recent data), there were 22 high earners in Luxembourg (ie, staff who were awarded €1 million or more in annual remuneration).

Practically speaking, detailed guidance is required when establishing a Luxembourg bank's remuneration policy to ensure its compliance with EU-level requirements and local employment law.

Since the adoption of the law of 21 May 2021, remuneration policies must be gender neutral, meaning that they must be based on equal pay for male and female workers for equal work or work of equal value.

9 Change of control and transfers of banking business

9.1 How are the assets and liabilities of banks typically transferred in your jurisdiction?

There are no particular provisions with respect to the transfer of assets and liabilities of banks in the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act'). A transfer of assets and liabilities will typically be subject to an asset purchase agreement. Where a change of control of a target entity is involved, the conditions set out under question 9.2 must be complied with. Certain transfers may be subject to specific provisions of the Luxembourg law of 10 August 1915 on commercial companies, as amended.

From a regulatory perspective, the entities involved in the transfer must assess whether the specific assets and liabilities in question constitute a regulated activity requiring an authorisation and ensure that the acquiring entity has the appropriate authorisation. Both the seller and the acquirer must update their respective business plans in order to reflect the change of business resulting from the disposal and acquisition of an activity, respectively (the provision of a business plan is part of the licensing process for Luxembourg credit institutions, and any change to the activities of the credit institution will be a change to the conditions of the initial authorisation which must be notified to the Commission de Surveillance du Secteur Financier (CSSF)).

9.2 What requirements must be met in the event of a change of control?

According to the Banking Act, any natural or legal person, whether acting alone or in concert with other persons, that has taken a decision to acquire, directly or indirectly, a qualifying holding (ie, 10% or more of the voting rights or of the capital) in a Luxembourg bank shall first notify the CSSF in writing of its intention to acquire such qualifying holding.

The CSSF will conduct a review of the acquisition documentation in order to assess:

  • the professional standing of the acquirers;
  • the professional standing and the professional qualifications of the persons who will direct the daily business of the bank;
  • the financial soundness of the acquirers;
  • the capacity of the bank to keep complying with the prudential requirements under the Banking Act, pursuant to its change of control; and
  • the absence of suspicion of money laundering or terrorist financing by the acquirers.

The CSSF has up to 60 working days (which can be extended up to 90 working days) as from the notification in order to assess these elements and to declare whether it is opposed to the acquisition.

The notification to the CSSF must include written submissions describing the intended acquisition and requesting its prior approval, as well as several documents such as commercial register excerpts, structure charts, corporate documentation relating to the acquirer(s), consolidated accounts, the share purchase agreement and a business plan.

The CSSF carries out its assessment in accordance with the principle of proportionality. It also reviews the proposed acquisition in light of the Joint Guidelines on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector published by the Joint Committee of the European Supervisory Authorities (JC/GL/2016/01, 20 December 2016).

In case of changes to the composition of the target's management body and its senior staff, the CSSF's approval is also required. The candidate(s) must complete an application form and provide the CSSF with several supporting documents (eg, identity documents, a curriculum vitae, a recent criminal record extract, a declaration of honour, a copy of the highest diploma and a copy of the corporate documentation appointing the candidate).

The seller of a qualifying holding in a credit institution must also notify the CSSF and credit institutions must inform the CSSF without delay of any acquisitions or disposals of holdings in their capital that exceed or fall below certain thresholds.

10 Consumer protection

10.1 What requirements must banks comply with to protect consumers in your jurisdiction?

The Luxembourg Consumer Code includes a number of requirements that must be complied with by professionals when dealing with consumers. These include requirements with respect to information to be provided to consumers, unfair business practices and specific requirements in relation to contracts entered into with consumers, including mortgage loan agreements and consumer credit agreements.

With respect to consumer credit and mortgage lending, the Luxembourg Consumer Code:

  • requires professionals to provide certain information to consumers prior to entering into a contract with them and includes certain conditions with respect to advertising (in particular, specific information that must be mentioned, and the way in which it must be displayed);
  • prohibits certain advertising practices (eg, advertisements that specifically focus on the ease and speed with which credit can be obtained, that make consumers believe that the credit will improve their financial situation, or that mention an attractive interest rate without specifying the conditions to which such rate is subject);
  • obliges lenders to provide consumers with explanations allowing them to compare different offers and to decide whether the relevant credit is suitable to their needs;
  • obliges lenders to assess the solvency of consumers and includes specific provisions on how to perform such assessment;
  • sets out the mandatory minimum content of consumer credit agreements;
  • obliges lenders to provide information on the interest rate and includes specific rules with respect to variable interest rates;
  • sets out requirements with respect to overdraft facilities and overdrafts on current accounts;
  • sets out the right for the consumer to withdraw from the credit agreement during a period of 14 calendar days;
  • gives the consumer the right to prepay a loan and includes rules for the calculation of the effective global annual interest rate;
  • requires mortgage lenders to provide explicit information as to whether advisory services are provided or will be provided;
  • includes specific provisions with respect to late payment and the right for lenders to enforce/attach assets; and
  • includes specific rules of conduct for mortgage lending, as well as knowledge and skill requirements for staff of mortgage lenders.

Any clause or combination of clauses in a consumer credit agreement or a mortgage loan that breaches the Consumer Code is deemed to be void. The Consumer Code also includes administrative and criminal sanctions for lenders and intermediaries.

10.2 How are deposits protected in your jurisdiction?

Deposits are protected by the Fonds de Garantie des Dépôts Luxembourg (FGDL), which is a public body that was established by the Law of 18 December 2015 on the resolution, reorganisation and winding up measures of credit institutions and certain investment firms and on deposit guarantee and investor compensation schemes (‘BRR Law'). The FGDL ensures the repayment to depositors in case of unavailability of their deposits, up to €100,000 per person and per institution. The standard €100,000 protection may be increased to €2.5 million in certain specific cases and subject to specific conditions (eg, deposits resulting from real estate transactions relating to private residential properties). The FGDL must normally repay within seven working days. Certain deposits are excluded from protection (eg, deposits made by other credit institutions on their own behalf and for their own account, deposits by financial institutions, deposits by investment firms, deposits by insurance and reinsurance undertakings, deposits by undertakings for collective investment, deposits by pension and retirement funds and deposits by public authorities).

All Luxembourg credit institutions, as well as Luxembourg branches of credit institutions having their registered office in a third country, must be members of the FGDL. The FGDL collects contributions from member institutions on an annual basis and the amount of each institution's contribution is calculated based on the amount of covered deposits and the degree of risk incurred by the institution. The FGDL reached the initial target level of available financial means equivalent to 0.8% of the amount of covered deposits of member institutions at the end of 2018. The FGDL will continue to collect contributions until 2026, in order to reach a level of available financial means equivalent to 1.6% of the amount of covered deposits of member institutions.

There is also an investor compensation scheme (Système d'indemnisation des investisseurs Luxembourg) which, subject to certain conditions, protects customers holding financial instruments.

11 Data security and cybersecurity

11.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for banks?

In the European Union, the protection of personal data is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

The GDPR defines the concept of ‘personal data' and establishes rules relating to the processing of such personal data, including a number of obligations to be complied with by controllers and processors of personal data. It:

  • sets out the conditions under which the processing of personal data is deemed to be lawful and principles applicable to personal data processing (eg, lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality);
  • includes specific conditions in order to evidence the consent given by data subjects to such processing;
  • sets out rules applicable to the processing of special categories of personal data;
  • gives rights to data subjects with respect to their personal data (eg, the right to information, right of access, right of rectification, right to erasure, right to restriction, right to data portability, right to object);
  • sets out the respective responsibilities of controllers and processors of personal data;
  • introduces the concepts of data protection by design and by default;
  • includes the obligation to ensure the security of the personal data;
  • sets out conditions with respect to the notification of data breaches;
  • obliges controllers to perform data protection impact assessments for certain activities;
  • includes rules concerning the appointment of a data protection officer;
  • regulates transfers of personal data; and
  • includes the obligation for controllers to maintain records of processing activities (mapping of data flows).

The GDPR entered into force on 25 May 2018. Prior to its entry into force, banks established extensive GDPR compliance projects in order to assess their personal data processing activities, map personal data flows both within and outside their organisations, and ensure compliance with the new requirements. As the potential sanctions for GDPR breaches include fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, and in light of the reputational risk involved in case of personal data breaches, compliance is taken seriously by banks, which now need to integrate personal data protection into their day-to-day operations.

Challenges faced by banks during the implementation phase include:

  • the collection of user consent;
  • the concepts of ‘controller' and ‘processor', and the correct allocation of responsibilities in webs of service providers, data storage and data deletion, which may be complex in matrixed institutions with numerous electronic backups;
  • data classification and mapping of data flows within complex international groups; and
  • the need to adapt business practices.

11.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for banks?

At the EU level, a number of initiatives have been presented or are currently ongoing in the area of cybersecurity. The European Commission issued a recommendation on coordinated response to large-scale cybersecurity incidents and crises (Commission Recommendation (EU) 2017/1584 of 13 September 2017), and more recently a recommendation on cybersecurity of 5G networks (C(2019) 2335 final).

In terms of legislation, Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification was published in the Official Journal of the EU on 7 June 2019, and aims to achieve a high level of cybersecurity, cyber resilience and trust within the European Union. It has reformed ENISA, which supports EU member states, EU institutions, bodies, offices and agencies in improving cybersecurity; and has introduced a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, services and processes in the European Union. The first EU piece of legislation on cybersecurity was Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, which had to be implemented by the EU member states by 9 May 2018.

At the national level, Luxembourg published its third national cybersecurity strategy for the 2018-2020 period (‘NCSS III'). The NCSS III includes guidelines on strengthening public confidence in the digital environment, the protection of digital infrastructure and the promotion of the economy, with objectives such as:

  • the dissemination of information on risks;
  • the combating of cybercrime;
  • the identification of critical digital infrastructure;
  • the adaptation of the emergency response plan for cyberattacks;
  • the development of skills and abilities in the field of cyber defence;
  • the improvement of risk management and training; and
  • the promotion of start-ups to develop the digital security ecosystem.

As banks handle very sensitive information, cybersecurity is particularly important to the banking sector. The Law of 5 April 1993 on the financial sector, as amended, contains a general requirement for credit institutions to have in place effective control and security arrangements for information processing systems, as well as sound security mechanisms designed to guarantee the security and authentication of the means of transfer of information, to minimise the risk of data corruption and of unauthorised access and to prevent information leakage in order to maintain the confidentiality of data at all times. The Commission de Surveillance du Secteur Financier (CSSF) has issued a number of circulars which address issues related to confidentiality, IT and security, including:

  • CSSF Circular 12/552;
  • CSSF Circular 15/603 on security of internet payments;
  • CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure, as amended; and
  • CSSF Circular 20/750 on requirements regarding information and communication technology (ICT) and security risk management.

These circulars include:

  • requirements to be complied with in case of IT and cloud outsourcing;
  • the obligation to have backup and recovery plans and ensure business continuity;
  • the obligation to monitor security vulnerabilities;
  • the requirement to have an IT function (including an information security officer);
  • the obligation to have an adequate internal governance and internal control framework in place for ICT and security risks;
  • specific requirements in the field of security of internet payments (eg, the implementation of a security policy, the performance of a risk assessment, incident monitoring, the implementation of security measures and the use of strong customer authentication);
  • the obligation to ensure data and systems integrity; and
  • reporting and auditing requirements.

The growing importance of data, the increased risk of cyberattacks and the related regulatory requirements mean that banks will need to continue to invest in their cybersecurity capabilities and IT infrastructure.

12 Financial crime and banking secrecy

12.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for banks?

Luxembourg follows the Financial Action Task Force recommendations, implemented in the European legal framework by Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, as amended (AMLD 4), as amended by Directive (EU) 2018/843 (AMLD 5) and Directive (EU) 2018/1673 (AMLD 6).

AMLD 4 has been implemented in Luxembourg by the law of 12 November 2004 on the fight against money laundering and terrorist financing (AML/CTF), as amended (‘AML Law'). The specific requirements (eg, the types of information or documentation that must be requested by banks in order to identify customers) are detailed in grand-ducal regulations, Commission de Surveillance du Secteur Financier (CSSF) regulations and CSSF circulars. Two of the most important texts in this respect are the Grand-Ducal Regulation of 1 February 2010 providing details on certain provisions of the amended law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended; and CSSF Regulation 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing, as amended.

Credit institutions are ‘professionals' within the meaning of the AML Law, and must in particular:

  • identify each customer and verify its identity on the basis of documents, data or information obtained from reliable and independent sources;
  • identify the beneficial owner and take measures to verify his or her identity using relevant information or data obtained from a reliable and independent source;
  • take measures to understand the ownership and control structure of each customer;
  • assess and understand the purpose and intended nature of the business relationship and, to the extent appropriate, obtain information on the purpose and the intended nature of the business relationship;
  • conduct ongoing due diligence of the business relationship to ensure that the transactions being conducted are consistent with the credit institution's knowledge of each customer, its business and its risk profile; and
  • ensure that the documents, data and information held are kept up to date.

One important characteristic of the current AML/CTF regime is the requirement for professionals to adopt a risk-based approach in order to determine the extent of the measures they are applying to ensure compliance with the AML/CTF requirements.

A register of beneficial owners (Registre des bénéficiaires effectifs (RBE)) has been introduced in Luxembourg further to the law of 13 January 2019 creating a register of beneficial owners and implementing Article 30 of AMLD 4 (‘UBO Law'). The UBO Law obliges entities registered with the Luxembourg trade and companies register (RCS) to provide the RBE with certain information concerning their ultimate beneficial owner(s) and to provide such information to professionals in the context of the performance of their customer due diligence obligations under the AML Law. Banks must also use the RBE in the context of their KYC obligations. The requirement to provide information with respect to beneficial owners to the RBE also applies to credit institutions, which are registered with the RCS. On 20 December 2019, the CSSF published Circular 19/732 concerning clarifications on the identification and verification of the identity of the ultimate beneficial owners in order to provide guidance to all professionals subject to AML/CTF obligations on the practical implementation of the identification requirements of the ultimate beneficial owner(s), as well as on the reasonable measures that should be taken to verify their identity.

A similar register of fiducies and trusts (Registre des fiducies et des trusts) has been introduced further to the law of 10 July 2020 establishing a register of fiducies and trusts, as amended, and implementing Article 31 of AMLD 4.

12.2 Does banking secrecy apply in your jurisdiction?

Yes. Pursuant to Article 41 of the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act'), natural and legal persons subject to the prudential supervision of the CSSF or established in Luxembourg and subject to the supervision of the European Central Bank or a foreign supervisory authority for the exercise of an activity referred to in the Banking Act, as well as members of the management body, directors, employees and any other persons working for these natural or legal persons, shall keep secret all information entrusted to them in the context of their professional activity or their mandate. The disclosure of such information is punishable, under Article 458 of the Luxembourg Criminal Code, by a prison term of between eight days and six months and a fine of between €500 and €5,000.

There are a number of exceptions to the secrecy requirement. This is the case, for instance, where the revelation of information is required or authorised by applicable law, or where information must be provided to national, European or international supervision or resolution authorities, subject to certain conditions.

13 Competition

13.1 What specific challenges or concerns does the banking sector present from a competition perspective? Are there any pro-competition measures that are targeted specifically at banks?

Luxembourg benefits from an AAA credit rating and is home to 125 international banks. In addition, the banking industry is supported by specialised accountants, consultants, law firms and IT specialists with a multilingual and diverse international workforce. As a financial centre, it has positioned itself as a gateway to EU markets for non-EU financial participants. Specialties include cross-border private and corporate banking, fund administration, custody, wealth management, and treasury services.

The Luxembourg government continues to adopt a pragmatic and efficient approach with respect to the financial sector, taking measures to ensure the reliability, predictability and competitiveness of the industry as required. The financial sector is of strategic importance to Luxembourg and its competitiveness globally is constantly assessed with measures taken as appropriate to retain that standing.

As in other jurisdictions, competition for traditional banking is largely from fintech companies and other ‘disruptors' seeking to disintermediate the classical bank-client relationship. There are no specific pro-competition measures in place and the competition which the banking sector faces is very similar to that in other large markets.

14 Recovery, resolution and liquidation

14.1 What options are available where banks are failing in your jurisdiction?

The failure of banks is governed by the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act') and the Law of 18 December 2015 on the resolution, reorganisation and winding up measures of credit institutions and certain investment firms and on deposit guarantee and investor compensation schemes, as amended (‘BRR Law'). The Banking Act contains prudential rules and obligations in relation to recovery planning, intra-group financial support and early intervention; the BRR Law covers the resolution of banks.

Recovery: Credit institutions must draw up and maintain a recovery plan that provides for measures to be taken by the credit institution to restore its financial position following a significant deterioration of its financial situation, which must be updated at least once a year and is subject to an assessment by the Commission de Surveillance du Secteur Financier (CSSF). The recovery plan must include a number of elements, including:

  • a communication and disclosure plan outlining how the bank intends to manage any potentially negative market reactions;
  • a range of capital and liquidity actions required to maintain or restore the viability and financial position of the bank;
  • a detailed description of how recovery planning is integrated into the corporate governance structure of the bank;
  • arrangements and measures to conserve or restore the own funds of the bank;
  • arrangements and measures to ensure the bank has adequate access to contingency funding sources; and
  • arrangements and measures to restructure liabilities or business lines.

The Banking Act includes specific provisions for group recovery plans. Recovery plans must be kept confidential and may be shared only with third parties which have participated in their drafting and transposition. The failure to draw up, maintain and update recovery plans is subject to specific administrative penalties, which include fines of up to 10% of the total annual net turnover of the bank in the preceding business year, or up to €5 million for individuals.

The Banking Act also includes provisions regulating the entry into group financial support agreements, which may be entered into only subject to specific conditions and with the authorisation of the relevant competent authorities.

Where a bank infringes or is likely in the near future to infringe the requirements of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR), the Banking Act, their implementing measures or certain provisions of Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments, the CSSF may take a number of early intervention measures. The CSSF may:

  • require the management body of the bank to:
    • update the recovery plan;
    • implement one or more of the arrangements or measures of the recovery plan;
    • prepare an action plan to address the situation and a timetable for its implementation;
    • convene a meeting of the bank's shareholders; or
    • draw up a plan for the negotiation on restructuring of debt;
  • require the bank to remove or replace one or more members of the management body or authorised management, change its business strategy or change its legal or operational structures; and
  • acquire, including through on-site inspections, all information necessary to update the resolution plan and prepare for the possible resolution of the bank.

Where there is a significant deterioration in the financial situation of a bank, or where there are serious infringements of applicable laws or regulations or of the statutes of the bank, or serious administrative irregularities, and the taking of early intervention measures is not sufficient to reverse that deterioration, the CSSF may also require the removal of the authorised management or management body.

Finally, where the replacement of the authorised management or management body is deemed to be insufficient, the CSSF may appoint a temporary administrator to temporarily replace the management body or temporarily work with the management body. The powers, role and duties of the temporary administrator are determined by the CSSF.

Resolution: The BRR Law contains extensive provisions on the resolution of credit institutions. Any reference in this Q&A to the ‘Resolution Board' is a reference to the CSSF acting in its capacity as resolution authority in Luxembourg. The Resolution Board carries out its resolution functions independently from the CSSF's supervisory functions.

Prior to any resolution, the Resolution Board must prepare a resolution plan and perform a resolvability assessment for each credit institution. Specific provisions apply for groups. The resolution plan provides for the resolution actions that the Resolution Board may take where the relevant credit institution meets the conditions for resolution. Its content is detailed in the BRR Law.

The Resolution Board shall take a resolution action where all the following conditions are met:

  • The credit institution is failing or likely to fail;
  • There is no reasonable prospect that any alternative private sector measures or supervisory action would prevent the failure of the institution within a reasonable timeframe; and
  • A resolution action is necessary in the public interest.

The Resolution Board has a number of resolution tools, resolution powers and other powers at its disposal. These include:

  • the power to appoint a special manager to replace the management body of the institution under resolution, which shall have all the powers of the shareholders and of the management body;
  • the power to transfer to a purchaser shares or other instruments of ownership issued by, and/or all or any assets, rights or liabilities of, the bank under resolution (the ‘sale of business' tool);
  • the power to transfer to a bridge institution, which shall be a legal person that is wholly or partially owned by one or more public authorities and controlled by the Resolution Board, shares or other instruments of ownership issued by, and/or all or any assets, rights or liabilities of, the bank under resolution (the ‘bridge institution' tool);
  • the power to transfer assets, rights or liabilities of the bank under resolution or of a bridge institution to one or more asset management vehicles (the ‘asset separation' tool);
  • write-down and conversion powers in relation to liabilities of the bank under resolution (the ‘bail-in' tool);
  • the power to write down or convert relevant capital instruments;
  • a number of general and ancillary powers, including:
    • the power to take control of an institution;
    • the power to transfer rights, assets or liabilities of an institution;
    • the power to reduce the principal amount of eligible liabilities;
    • the power to convert eligible liabilities into ordinary shares or other instruments of ownership;
    • the power to cancel debt instruments;
    • the power to amend or alter the maturity of debt instruments; and
    • the power to close out or terminate financial or derivatives contracts;
  • the power to require an institution or any of its group entities to provide any services or facilities;
  • powers in respect of assets, rights, liabilities, shares and other instruments located in a third country;
  • the power to suspend any payment or delivery obligations pursuant to any contract;
  • the power to restrict the enforcement of security interests;
  • the power to temporarily suspend termination rights of any party to a contract with an institution under resolution;
  • the power to require an institution to contact potential purchasers in view of the resolution of the institution; and
  • information-gathering and investigatory powers.

The objectives of resolution (which must be taken into account by the Resolution Board when applying the resolution tools and exercising its resolution powers) are:

  • the continuity of critical functions;
  • the avoidance of significant adverse effect on the financial system;
  • the protection of public funds;
  • the protection of depositors; and
  • the protection of client funds and client assets.

The Resolution Board must also take into account certain general principles set out in the BRR Law. For instance, the shareholders of the institution under resolution shall bear first losses, creditors in the same class shall be treated in an equitable manner and covered deposits shall be fully protected.

The Resolution Board may impose administrative penalties on banks, members of their management body and other natural persons responsible in case of specific infringements with respect to resolution as set out in the BRR Law. These penalties include:

  • warnings;
  • public statements;
  • orders requiring the cessation of a specific conduct;
  • temporary or permanent bans from exercising certain functions;
  • temporary bans from carrying out certain activities;
  • suspension of voting rights; and
  • fines (which can reach up to 10% of the total annual net turnover of the bank in the preceding business year or, for individuals, up to €5 million).

The BRR Law established the Luxembourg Resolution Fund (Fonds de Résolution Luxembourg (FRL)), the purpose of which is to collect contributions due under the BRR Law, manage the financial means so collected and participate in the financing of the resolution of failing institutions. The FRL must have adequate financial means, which must reach 1% of the amount of covered deposits of all the institutions authorised under the Banking Act by 31 December 2024. In order to collect these financial means, the FRL collects annual ex ante contributions from banks, among others. Where the FRL's financial means are not sufficient to cover the losses, costs or other expenses incurred, the FRL may raise extraordinary contributions ex post. The FRL may also borrow money.

The resolution of Luxembourg banks is further subject to Regulation (EU) No 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund.

14.2 What insolvency and liquidation regime applies to banks in your jurisdiction?

In addition to resolution, the BRR Law covers the reorganisation and winding up of credit institutions. In terms of specific procedures, the BRR Law covers suspension of payments, voluntary liquidation and judicial winding-up proceedings. The BRR Law further specifies that the following do not apply to credit institutions:

  • Book III of the Luxembourg Commercial Code (which covers bankruptcy and suspension of payments, among other things);
  • the provisions of the Law of 4 April 1886 on court-approved compositions and arrangements with creditors aimed at preventing bankruptcy; and
  • the provision of the Grand-ducal Decree of 24 May 1935 supplementing the legislation relating to suspension of payments, compositions and arrangements with creditors aimed at preventing bankruptcy and bankruptcy following on from the setting-up of a controlled management scheme.

Suspension of payments: Suspension of payments proceedings may be started where:

  • the bank has lost its creditworthiness or has reached an impasse regarding liquidity, whether it is in a state of cessation of payments or not;
  • the execution of the bank's commitments is compromised; or
  • the authorisation of the bank has been withdrawn and the decision in this respect is not yet final.

Only the CSSF or the bank concerned may apply for suspension of payments proceedings. The application is lodged with the Tribunal d'Arrondissement (district court) of Luxembourg sitting in commercial matters. Where the application is made by the bank, the bank shall, under penalty of inadmissibility of the application, inform the CSSF prior to bringing the matter before the court. The lodging of the application results in the suspension of all payments by the bank and a prohibition of all acts other than precautionary measures pending a final decision. The BRR Law details the procedure. The judgment determines, for a period not exceeding six months, the conditions and arrangements for the suspension of payments and appoints one or more administrators, who shall be in charge of the management of the bank's assets. The written authorisation by the administrator(s) is required for all acts and decisions of the bank. The suspension of payments has universal effect and applies to branches and assets of the institution located abroad.

Voluntary liquidation: A bank may start voluntary liquidation proceedings only after notifying the CSSF of its intention to do so; the notification must be made at least one month prior to convening the general meeting which shall decide on the voluntary liquidation. Specific publication requirements apply to the notice convening the meeting. A report on the completion of the voluntary liquidation and the arrangements of such voluntary liquidation must be transmitted to the CSSF.

Judicial winding-up: The dissolution and winding-up of a bank may take place where:

  • it is apparent that the suspension of payments set out above cannot rectify the situation that caused it;
  • the financial situation of the bank is affected to such an extent that the bank will no longer be able to comply with the commitments with respect to the rights of holders of claims or participations; and
  • the authorisation of the bank has been withdrawn and the decision in this respect became final.

Only the CSSF or the state prosecutor may apply to the Tribunal d'Arrondissement of Luxembourg sitting in commercial matters to order the dissolution and winding-up of a bank. When ordering the winding-up, the Tribunal d'Arrondissement appoints an official receiver and one or more liquidators, determines the winding-up method and may make applicable the general rules governing bankruptcy. The liquidators inform the known creditors located abroad of the winding-up. Any creditor has the right and obligation to deposit its claim with the registry of the Tribunal d'Arrondissement.

Where the Resolution Board considers that a bank is failing or likely to fail and no private sector measure or supervisory action would prevent such failure, but that a resolution action would not be in the public interest, it may request the winding up of the bank.

15 Trends and predictions

15.1 How would you describe the current banking landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

In terms of anti-money laundering/counter-terrorist financing (AML/CTF), and especially in light of the upcoming visit of the Financial Action Task Force to Luxembourg, one major focus was the implementation of Directive (EU) 2018/843 (AMLD 5). The latest updates in this respect were (i) the publication of two laws dated 25 March 2020 amending the law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (‘AML Law'), and establishing a centralized electronic data research system with respect to payment accounts and bank accounts identified by an IBAN number as well as safe deposit boxes held by credit institutions in Luxembourg and (ii) the publication of the law of 10 July 2020 establishing a register of fiducies and trusts.

From a regulatory perspective, credit institutions must ensure compliance with the amendments to banking regulation that result from the latest EU Banking Reform Package, in particular Directive (EU) 2019/878 of the European Parliament and of the Council of 20 May 2019 amending CRD IV (CRD V), Regulation (EU) 2019/876 of the European Parliament and of the Council of 20 May 2019 amending Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR) (CRR II) and Directive (EU) 2019/879 of the European Parliament and of the Council of 20 May 2019 amending BRRD (BRRD II), which entered into force on 20 June 2019. The new rules and requirements include:

  • a binding leverage ratio;
  • a net stable funding ratio;
  • new rules with respect to market risk;
  • the introduction of proportionality;
  • rules with respect to environmental, social and governance (ESG) related risks; and
  • rules on intermediate EU parent undertakings and financial holding companies.

The growth of the Luxembourg fintech ecosystem is also an interesting development. An increasing number of players in payments, lending and investments may compete with services traditionally offered by banks. On the other hand, fintechs specialised in cybersecurity and authentication, big data, artificial intelligence and regtech, for instance, may provide opportunities for banks in Luxembourg.

Luxembourg, like other EU countries, is affected by Regulation (EU) 2019/2088 of the European Parliament and of the Council of 27 November 2019 on sustainability-related disclosures in the financial services sector, Regulation (EU) 2019/2089 of the European Parliament and of the Council of 27 November 2019 amending Regulation (EU) 2016/1011 as regards EU Climate Transition Benchmarks, EU Paris-aligned Benchmarks and sustainability-related disclosures for benchmarks and Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020 on the establishment of a framework to facilitate sustainable investment. The regulatory technical standards related to these regulations should be adopted in the coming months. Together, these initiatives will affect the manner in which banks lend funds and require changes to internal approval processes and monitoring systems. CRR II and CRD V also contain measures which will require credit institutions to take into account ESG risks. This will affect both the supervision of credit institutions and the evaluation of assets against specific ESG criteria.

In terms of legislative reforms, banks should also prepare for:

  • the AML/CFT package published on 20 July 2021, which includes (i) a proposal for a regulation on AML/CFT, containing directly applicable rules on customer due diligence and beneficial ownership for instance, (ii) a proposal for a sixth AML/CFT directive, (iii) proposed revisions to Regulation 2015/847/EU on transfers of funds, and (iv) a proposal for the establishment of a new EU AML/CFT authority; and
  • the new Banking Package published on 27 October 2021 which includes proposed amendments to CRD IV and CRR regarding Basel III requirements, ESG risks, and additional tools for bank supervisors.

The Luxembourg Stock Exchange distinguished itself internationally by launching the Luxembourg Green Exchange (LGX) in 2016. This is the world's first dedicated green bond exchange and lists 50% of the world's green bonds. The platform currently supports bonds and funds, and intends to extend to indexes. At the end of 2018, more than $120 billion worth of green bonds from around the world were listed on the LGX. This initiative, together with EU-level sustainable finance regulation, has positioned Luxembourg for success as sustainable finance evolves from the headlines to regulatory and operational reality.

According to recent surveys in the banking sector, banks expect that costs will increase the most in compliance and IT, and decrease the most in operations over the next three years. Some of the most important topics identified by banks as being part of their transformation agenda are process optimisation, digital banking platforms, upskilling of employees and outsourcing/insourcing.

15.2 Does your jurisdiction regulate cryptocurrencies? Are there any legislative developments with respect to cryptocurrencies or fintech in general?

Cryptocurrencies as such are not currently subject to specific regulation in Luxembourg.

On 14 March 2018 the Commission de Surveillance du Secteur Financier (CSSF) issued a warning on virtual currencies and a warning on initial coin offerings (ICOs) and tokens. In these warnings, the CSSF explained what virtual currencies and ICOs are, and informed supervised entities and the public about the different risks associated therewith (eg, volatility and price bubble risk, lack of protection and risk of theft, liquidity shortage, operational disruption, misleading information, lack of transparency, risk of price manipulation, fraud and money laundering, loss of capital). The CSSF also stressed in both warnings that the warnings concern only virtual currencies and fundraising through ICOs as such, without questioning the underlying technology; the CSSF recognises that the underlying blockchain technology can bring certain benefits to financial sector activities.

Blockchain technology is gradually being introduced into the Luxembourg legal framework. A law of 1 March 2019 has amended the law of 1 August 2001 on the circulation of securities in order to introduce the recognition of the maintenance of securities accounts, and the crediting of securities to securities accounts, within or through secured electronic registration mechanisms, including distributed electronic ledgers or databases. The law of 22 January 2021 introduced the issuance of dematerialized securities and the maintenance of securities issuance accounts within or through such mechanisms, ledgers or databases.

With respect to fintech in general, the CSSF issued Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure, which sets out requirements to be complied with where cloud computing infrastructures are used. It also issued a position on robo-advice, where it explained what comprises robo-advice and how this fits within the existing regulatory landscape; and a FAQ on AML/CTF and IT requirements for specific customer on-boarding/know-your-customer methods which focuses on identification and verification of identity through video chat and the requirements that must be complied with when such a video system is used by professionals subject to AML/CTF obligations (eg, credit institutions). In December 2018 the CSSF published a white paper on artificial intelligence and related opportunities, risks and recommendations for the financial sector.

There is no specific licence for fintechs in Luxembourg, but the activities performed by fintechs may be subject to licensing requirements under the Law of 5 April 1993 on the financial sector, as amended or other applicable laws and regulations. Two laws of 25 March 2021 however amended the AML Law to introduce a registration requirement for virtual asset service providers (VASPs). VASPs include persons which provide services such as the exchange between virtual assets or between virtual assets and fiat currencies, the transfer of virtual assets, the safekeeping or administration of virtual assets, or the participation in or provision of financial services related to an issuer's offer or sale of virtual assets. VASPs must comply with certain governance requirements, in particular with respect to their management, and must register with the CSSF. The registration requirement applies to entities that are already licensed and any banks providing virtual asset services are therefore required to register as VASPs.

Finally, on 21 January 2022, the CSSF published a white paper on distributed ledger technologies and blockchain which highlights technological risks and includes a number of recommendations for the financial sector.

16 Tips and traps

16.1 What are your top tips for banking entities operating in your jurisdiction and what potential issues would you highlight?

Outsourcing: Luxembourg offers a flexible environment to outsource back to group companies, which is a very common operating model and makes Luxembourg an attractive EU hub, especially post-Brexit. A number of requirements must be taken into account and specific rules apply in case of IT outsourcing and use of cloud computing infrastructure.

Substance: Luxembourg offers a great deal of flexibility in terms of substance, but ‘letterbox' entities are not acceptable. Applicable regulations provide for proportionality in certain cases, but minimal substance - especially with respect to risk and compliance - is required. Parties typically seek local advice to understand the appropriate balance.

Exemptions from the Law of 5 April 1993 on the financial sector: Not all activities require a banking licence. Lending activities, for instance, could be performed under a different and less onerous licence. Relevant entities can also benefit from exemptions - for instance, where they perform a one-off transaction or provide regulated services within their group. A common practice is to obtain a clearance letter from the Commission de Surveillance du Secteur Financier confirming that an authorisation is not required for a particular activity or structure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.