Luxembourg

**Registration as a VASP:** Entities providing "custodian wallet services" (which includes custody of virtual assets on behalf of clients) are considered Virtual Asset Service Providers (VASPs) under Luxembourg law. These VASPs are subject to registration with the CSSF for AML/CFT purposes.

The registration is governed by the **Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the "AML Law")**, which incorporated the EU's 5th AML Directive.

Registration requires the entity to comply with AML/CFT obligations, including customer due diligence (CDD), ongoing monitoring, suspicious transaction reporting, and internal control frameworks.

**Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (Loi du 12 novembre 2004 relative à la lutte contre le blanchiment et contre le financement du terrorisme, telle que modifiée):** While a specific URL to the consolidated law is hard to pinpoint, it's the primary legal basis. The key amendments are from 2018 and later.

**CSSF Circular 22/811 (and previous versions like 20/747 and 21/769 which it consolidates/replaces):** This circular provides detailed guidance on AML/CFT obligations for VASPs.

CSSF Circular 22/811 (English version)

**CSSF webpage on Virtual Assets / VASPs:**

**Authorization, not just Registration:** MiCA will require firms providing "custody and administration of crypto-assets on behalf of third parties" to obtain a full authorization from a national competent authority (the CSSF in Luxembourg) to operate across the EU. This is a more stringent licensing regime than the current AML registration.

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):**

While the current AML Law itself doesn't explicitly mandate segregation of client crypto assets in the same way traditional financial services are regulated (e.g., MiFID), the CSSF expects VASPs to have robust internal controls, governance, and risk management frameworks. Commingling client and proprietary assets would generally be viewed as poor practice and a significant risk to clients, potentially leading to CSSF intervention based on general prudential expectations.

Firms offering custody services must demonstrate adequate arrangements to protect clients' virtual assets.

**Explicit Requirement:** MiCA explicitly mandates crypto-asset service providers offering custody services to:

Keep separate the crypto-assets of their clients from their own crypto-assets and ensure that this is achieved by using different blockchain addresses or distributed ledgers.

Keep separate the funds of their clients from their own funds, in accordance with national law.

**MiCA Regulation (EU) 2023/1114, Article 67 ("Custody and administration of crypto-assets on behalf of third parties"):** Specifically, Article 67(1)(b) addresses segregation.

Luxembourg's current VASP AML registration does not explicitly mandate specific insurance or bonding requirements for pure crypto custody services.

However, the CSSF generally expects regulated entities to have adequate financial resources and robust risk management, which may include appropriate professional indemnity insurance to cover potential liabilities arising from operational failures, security breaches, or errors.

**Prudential Requirements and Professional Indemnity Insurance:** MiCA introduces specific prudential requirements for crypto-asset service providers. For custodians, it requires them to:

Hold own funds (capital requirements) or a professional indemnity insurance to cover liability risks from their operations. The amount will depend on the type of service and associated risks.

**MiCA Regulation (EU) 2023/1114, Article 67 (5) and Article 68 (specifically Article 68(1)(a) regarding capital requirements or professional indemnity insurance).**

There are no explicit mandates for "cold storage" in Luxembourg's current regulations.

However, CSSF Circular 22/811 and the general principles of sound risk management dictate that VASPs must implement robust IT security measures and internal controls to protect virtual assets. This implicitly requires firms to adopt industry best practices for secure storage, which often involves a combination of hot, warm, and cold storage solutions, multi-signature wallets, Hardware Security Modules (HSMs), and comprehensive key management policies. The CSSF assesses the adequacy of these measures as part of the VASP registration and ongoing supervision.

MiCA does not explicitly mandate "cold storage" either, but it does require crypto-asset service providers to:

Have sound governance arrangements, including clear organisational structure with well-defined, transparent and consistent lines of responsibility.

Establish and maintain effective arrangements to prevent operational risks, including IT security risks.

Employ appropriate systems, resources and procedures to ensure the security, integrity and confidentiality of their services.

**MiCA Regulation (EU) 2023/1114, Articles 67 and 69 (Organisational requirements).**

Luxembourg does not currently have a distinct definition of a "qualified crypto custodian" beyond the existing VASP registration requirements for AML/CFT purposes. Any entity registered as a VASP for "custodian wallet services" is considered a supervised entity by the CSSF for those specific purposes.

MiCA will effectively create a framework for "qualified custodians" by:

Defining "custody and administration of crypto-assets on behalf of third parties" as a specific crypto-asset service.

Requiring authorization from a national competent authority (like the CSSF) to provide this service.

Setting out detailed and stringent organisational, prudential, and operational requirements for these authorized entities, including liability provisions. An authorized MiCA crypto-asset service provider offering custody will be the EU's equivalent of a "qualified custodian" for crypto assets.

**MiCA Regulation (EU) 2023/1114, Article 3(1)(14) (Definition of "custody and administration of crypto-assets on behalf of third parties") and Title V (Authorization and operating conditions for crypto-asset service providers).**

**Key Impact on Custody:** MiCA will introduce a harmonized, comprehensive regulatory framework for crypto-assets and crypto-asset service providers across the EU.

**Authorization:** Firms providing custody will need to be authorized as "crypto-asset service providers" (CASPs) by the CSSF.

**Enhanced Requirements:** It will impose explicit requirements for custodians regarding:

**Organisational requirements:** Robust governance, risk management, IT security, and business continuity plans.

**Prudential requirements:** Own funds or professional indemnity insurance.

**Client asset segregation:** Explicit requirement to keep client crypto-assets and funds separate from own assets.

**Liability:** CASPs will be liable to clients for loss of crypto-assets due to operational malfunction, security breaches, or errors, unless proven otherwise.

**Notification and client agreement obligations.**

**Timeline:** Most provisions concerning crypto-asset services (including custody, falling under Title V of MiCA) will apply from **30 December 2024**.

The CSSF will be the primary competent authority for implementing and enforcing MiCA in Luxembourg and is expected to issue further guidance, circulars, and FAQs as the implementation date approaches.

**CSSF (Commission de Surveillance du Secteur Financier):**

Virtual Assets Section: https://www.cssf.lu/en/virtual-assets/ (This is a key resource for current CSSF guidance)

**Law of 12 November 2004 on combating money laundering and terrorist financing (as amended, including by the Law of 25 March 2020 on virtual assets):**

Consolidated version (in French): https://legilux.public.lu/eli/etat/leg/loi/2004/11/12/n27/jo

*Note: This law is frequently amended. The key amendment for VASPs is the Law of 25 March 2020 which incorporated the 5th AML Directive.*

**Law of 5 April 1993 on the financial sector (governs PFS licenses):**

**Law of 13 July 2018 on payment services (implements PSD2):**

**Substance Over Form:** The legal nature of a token is determined by its characteristics and rights it confers, not merely by the terminology used by the issuer.

**Technology Neutrality:** The fact that an instrument is issued using DLT does not change its fundamental legal classification if it possesses the characteristics of an existing financial instrument.

**Assessment against existing financial instrument definitions:** The primary legal test is to evaluate if the token embodies rights and obligations that correspond to categories like:

**Transferable Securities:** Shares in companies, bonds or other forms of securitised debt, and any other negotiable instruments which confer the right to acquire or dispose of any such transferable securities by subscription or exchange or which confer voting rights or any other rights similar to shares. (MiFID II, Annex I, Section C, Point 1)

**Money-Market Instruments:** Instruments normally dealt in on the money market, such as treasury bills, certificates of deposit and commercial paper, and excluding instruments of payment. (MiFID II, Annex I, Section C, Point 2)

**Units in Collective Investment Undertakings:** (MiFID II, Annex I, Section C, Point 3)

**Derivatives:** Options, futures, swaps, forward rate agreements, and any other derivative contracts relating to securities, currencies, interest rates or yields, emission allowances or other underlying instruments, financial indices or financial measures which may be settled physically or in cash. (MiFID II, Annex I, Section C, Points 4-10)

**Security Tokens:** These are explicitly designed to represent traditional financial instruments. Examples include:

**Equity tokens:** Representing ownership shares in a company, conferring voting rights, dividend rights, etc.

**Debt tokens:** Representing bonds, loans, or other debt instruments, conferring interest payments and principal repayment.

**Asset-backed tokens:** Tokens representing fractional ownership in real-world assets like real estate, art, or commodities, where the primary purpose is investment.

**Derivative tokens:** Tokens whose value is derived from an underlying asset or index, such as tokenized options or futures contracts.

**Investment contract tokens:** Where the token confers rights that are intrinsically linked to an investment scheme, similar to collective investment undertakings.

**Utility Tokens (Conditional):** Generally, utility tokens that genuinely provide access to a product or service (e.g., software license, platform access) are **not** considered securities. However, a utility token could be reclassified as a security if:

Its primary purpose or the reasonable expectation of purchasers is an investment return rather than utility.

It also confers rights similar to traditional securities (e.g., profit-sharing, governance rights in a structure resembling a company).

**Payment/Exchange Tokens (Generally Not):** Cryptocurrencies like Bitcoin or Ethereum, primarily designed as a means of payment or exchange, are generally **not** classified as securities. However, they may fall under:

**E-money regulation:** If they purport to maintain a stable value and are issued by an e-money issuer against receipt of funds (e.g., certain stablecoins).

**Payment services regulation:** If services related to their transfer are offered.

**AML/CFT regulation:** As virtual assets.

**Public Offer or Admission to Trading (Prospectus Regulation):**

If a token qualifies as a "transferable security" and is offered to the public in Luxembourg or admitted to trading on a regulated market in the EU, the **Prospectus Regulation (EU) 2017/1129** applies.

This typically requires the publication of a CSSF-approved prospectus, providing detailed information about the issuer, the securities, and the risks.

**Exemptions** exist, for example, for offers below certain thresholds (€8 million over 12 months in the EU, or smaller amounts nationally without EU passporting), or offers made only to qualified investors.

**Prospectus Regulation (EU) 2017/1129:** https://eur-lex.europa.eu/eli/reg/2017/1129/oj

**Investment Firm Authorisation (MiFID II):**

If an issuer (or related entity) provides investment services (e.g., investment advice, portfolio management, brokerage, underwriting) related to security tokens, they may need authorization as an **investment firm** under MiFID II.

**MiFID II (Directive 2014/65/EU):** https://eur-lex.europa.eu/eli/dir/2014/65/oj

**AML/CFT Registration for Virtual Asset Service Providers (VASPs):**

Regardless of whether a token is a security, entities providing services related to virtual assets (e.g., exchange between virtual assets and fiat currencies, custody, transfer, issuance, operation of trading platforms) generally qualify as **Virtual Asset Service Providers (VASPs)**.

VASPs must register with the CSSF and comply with the **Law of 12 November 2004 on the fight against money laundering and terrorist financing**, which transposes the EU AML Directives. This involves implementing robust AML/CFT policies and procedures.

**Luxembourg Law of 12 November 2004 (consolidated version, French):** https://legilux.public.lu/eli/etat/leg/loi/2004/11/12/n6/jo (Note: English translations are often available through legal services, but the official version is French)

**CSSF Circular 20/746 (FAQ on Virtual Assets):** https://www.cssf.lu/en/document/circular-20-746-faq-virtual-assets/

**CSSF page on Virtual Assets:** https://www.cssf.lu/en/pages/virtual-assets/

**Trading Venues:** Platforms facilitating the trading of security tokens may require authorization as:

**Regulated Market:** A multilateral system operated by a market operator which brings together or facilitates the bringing together of multiple third-party buying and selling interests in financial instruments (MiFID II).

**Multilateral Trading Facility (MTF):** A multilateral system, operated by an investment firm or a market operator, which brings together multiple third-party buying and selling interests in financial instruments (MiFID II).

**Organised Trading Facility (OTF):** A multilateral system, which is not a regulated market or an MTF, in which multiple third-party buying and selling interests in bonds, structured finance products, emission allowances or derivatives are able to interact in the system (MiFID II).

**Post-Trade Transparency & Reporting:** Transactions in security tokens on regulated venues would be subject to MiFID II's pre- and post-trade transparency requirements and transaction reporting obligations.

**Market Abuse:** Trading in security tokens is subject to the **Market Abuse Regulation (EU) 596/2014 (MAR)**, prohibiting insider dealing, market manipulation, and unlawful disclosure of inside information.

**DLT Pilot Regime:** The **DLT Pilot Regime (Regulation (EU) 2022/858)**, which came into effect in March 2023, allows for the temporary operation of DLT market infrastructures (DLT MTFs and DLT Settlement Systems) that admit to trading or record certain crypto-assets classified as financial instruments. This provides a sandbox-like environment for experimenting with DLT in traditional financial market infrastructures.

**DLT Pilot Regime (Regulation (EU) 2022/858):** https://eur-lex.europa.eu/eli/reg/2022/858/oj

**Focus on Unauthorised Activities:** The CSSF frequently issues warnings and takes action against entities operating in Luxembourg without the necessary licenses or registrations, including those providing investment services, payment services, or VASP services related to crypto-assets.

These actions often involve cease-and-desist orders or public warnings, preventing entities from offering services until they comply with regulatory requirements.

**AML/CFT Non-Compliance:** A significant portion of public enforcement in the crypto space relates to breaches of AML/CFT obligations. The CSSF regularly imposes administrative fines on VASPs and other supervised entities for deficiencies in their anti-money laundering and counter-terrorist financing frameworks.

While not specific to "securities," these actions underscore the CSSF's vigilance in ensuring regulated entities adhere to financial crime prevention standards. For instance, public notices on CSSF's website regularly list administrative sanctions.

**Investor Protection Warnings:** The CSSF issues numerous warnings to the public about fraudulent crypto schemes, unregulated entities, and the risks associated with investing in volatile or speculative crypto-assets. These indirectly enforce regulatory compliance by deterring participation in unregulated markets.

**Guidance and Prevention:** The CSSF largely adopts a proactive approach, providing extensive guidance through FAQs, circulars, and direct engagement with market participants to ensure compliance before issues escalate. Many projects are guided towards proper classification and authorisation pathways, reducing the need for direct enforcement through litigation.

**CSSF Public Warnings:** Regular public warnings against unauthorized firms offering crypto-asset related services (e.g., investment platforms, trading venues) that are not authorized as investment firms or payment institutions. These warnings often state that the entity is not supervised by the CSSF and its activities are illegal in Luxembourg.

**Administrative Sanctions:** Public announcements of administrative fines for non-compliance with AML/CFT requirements imposed on supervised entities, including VASPs. While not always directly about the "security" classification of tokens, these demonstrate the CSSF's enforcement powers over entities operating in the crypto space.

**Strong AML/CFT focus:** The primary regulatory lens through which crypto-asset service providers (VASPs) are currently supervised.

**Embracing DLT for traditional securities:** Early mover in allowing the use of Distributed Ledger Technology (DLT) for the issuance and transfer of securities.

**Proactive adoption of EU frameworks:** Actively preparing for and incorporating the Markets in Crypto-Assets (MiCA) Regulation.

**Supervision by the financial regulator:** All relevant entities are brought under the purview of the national financial supervisory authority.

**Commission de Surveillance du Secteur Financier (CSSF)**

**Role:** The CSSF is responsible for the prudential supervision of all professionals of the financial sector (PSFs) in Luxembourg, including virtual asset service providers (VASPs). It oversees compliance with AML/CFT obligations, DLT securities frameworks, and will be the competent authority for MiCA licensing.

**Law of 25 March 2020 (amending the AML/CFT Law):**

**Name:** *Loi du 25 mars 2020 ayant pour objet de modifier: 1° la loi modifiée du 12 novembre 2004 relative à la lutte contre le blanchiment et contre le financement du terrorisme; (...) 3° la loi modifiée du 5 avril 1993 relative au secteur financier.* (Law of 25 March 2020 amending: 1° the amended law of 12 November 2004 on the fight against money laundering and terrorist financing; (...) 3° the amended law of 5 April 1993 on the financial sector.)

**Purpose:** This law implemented the 5th EU Anti-Money Laundering Directive (AMLD5) into national law. Crucially, it expanded the scope of entities subject to AML/CFT obligations to include Virtual Asset Service Providers (VASPs) and brought them under the supervision of the CSSF.

**Reference (Legilux - official legal publication):** https://legilux.public.lu/eli/etat/leg/loi/2020/03/25/a189/jo

**CSSF guidance for VASPs:** https://www.cssf.lu/en/document-detail/news/virtual-asset-service-providers/

**Law of 1 March 2019 (on DLT for financial instruments):**

**Name:** *Loi du 1er mars 2019 concernant l’utilisation de la technologie des registres distribués dans le secteur financier.* (Law of 1 March 2019 concerning the use of distributed ledger technology in the financial sector.)

**Purpose:** This pioneering law clarified that book-entry securities (dematerialised securities) can be issued and circulated through Distributed Ledger Technology (DLT) systems, giving them the same legal standing as traditional securities. This removed legal uncertainty for financial institutions wanting to use blockchain for securities.

**Law of 22 January 2021 (amending the DLT Law and others):**

**Name:** *Loi du 22 janvier 2021 portant modification de: 1° la loi modifiée du 1er mars 2019 concernant l’utilisation de la technologie des registres distribués dans le secteur financier; 2° la loi modifiée du 5 avril 1993 relative au secteur financier.* (Law of 22 January 2021 amending: 1° the amended law of 1 March 2019 concerning the use of distributed ledger technology in the financial sector; 2° the amended law of 5 April 1993 on the financial sector.)

**Purpose:** This law further enhanced Luxembourg's DLT framework, particularly by extending the legal certainty of using DLT for unlisted securities, thus broadening the scope of DLT applicability in the financial sector.

**EU Markets in Crypto-Assets (MiCA) Regulation:**

**Name:** *Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937.*

**Date:** Entered into force 29 June 2023. Staged implementation:

Titles III and IV (asset-referenced tokens and e-money tokens) apply from **30 June 2024**.

All other provisions apply from **30 December 2024**.

**Purpose:** MiCA is a landmark EU-wide regulation providing a comprehensive framework for the issuance, public offering, and trading of crypto-assets (excluding those already classified as financial instruments, which are covered by existing EU securities law). It covers requirements for issuers, crypto-asset service providers (CASPs), market integrity, and consumer protection. Luxembourg, as an EU member state, will fully implement and enforce MiCA, which will supersede some national provisions.

**Not Banned:** Luxembourg permits crypto trading and the operation of crypto exchanges.

**Regulated Activities (Currently under AML/CFT):**

Entities providing services related to virtual assets in or from Luxembourg (e.g., operating an exchange, providing custodian wallets, facilitating transfers, exchanging virtual assets for fiat currency or other virtual assets) are classified as **Virtual Asset Service Providers (VASPs)**.

These VASPs are subject to the **Law of 12 November 2004 (as amended, particularly by the 2020 law)** on the fight against money laundering and terrorist financing.

They must **register with the CSSF** and comply with stringent AML/CFT requirements, including:

Customer Due Diligence (KYC - Know Your Customer)

Internal governance and risk management frameworks.

The CSSF conducts ongoing supervision to ensure compliance.

From **December 2024**, crypto exchanges and other CASPs (Crypto-Asset Service Providers) will need to obtain a **full authorization** under the MiCA Regulation, rather than just an AML/CFT registration.

MiCA introduces comprehensive requirements covering capital, governance, operational resilience, consumer protection, and market abuse prevention. This will significantly elevate the regulatory bar for these entities in Luxembourg, aligning them more closely with traditional financial institutions in terms of oversight.

Consolidated version (in French): https://legilux.public.lu/eli/etat/leg/loi/1993/04/05/n2/jo

Consolidated version (in French): https://legilux.public.lu/eli/etat/leg/loi/2018/07/13/a590/jo

**Directive (EU) 2015/849 (4th AML Directive):** Laid the groundwork for strengthening AML/CFT rules across the EU.

**Directive (EU) 2018/843 (5th AML Directive):** Critically, this directive extended the scope of AML/CFT rules to include virtual asset service providers, bringing them under the regulatory purview.

**Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the "AML Law"):** This is the cornerstone legislation. It was significantly amended by the **Law of 25 March 2020** to transpose the 5th AML Directive, explicitly including virtual asset service providers as "professionals" subject to AML/CFT obligations.

**CSSF Regulation N° 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing:** This regulation, though predating the full VASP inclusion, sets out general professional obligations and is complemented by specific CSSF guidance.

**CSSF Circular 20/747 (as amended by Circular 22/815):** This circular is crucial for VASPs as it consolidates and specifies the AML/CFT professional obligations under the amended AML Law for all entities subject to CSSF supervision, including VASPs. It provides detailed guidance on risk assessment, customer due diligence, internal organisation, and reporting requirements.

**Exchange services:** Exchanging virtual assets for fiat currencies or other virtual assets.

**Custodial wallet providers:** Entities that provide services to safeguard private cryptographic keys on behalf of their customers, to hold, store and transfer virtual assets.

**Transfer of virtual assets:** Services involving the movement of virtual assets between addresses or accounts.

**Issuance of virtual assets:** Services related to the offering or sale of new virtual assets.

Obtain and verify the customer's name, residential address, date and place of birth, nationality, and a unique identification number (e.g., from a passport or national ID card).

Verify identity using reliable, independent source documents, data, or information (e.g., government-issued photo ID, proof of address utility bill).

**Legal Entities (Companies, Foundations, etc.):**

Obtain and verify the company's name, legal form, registered address, articles of association, list of directors, and proof of incorporation.

Identify and verify the identity of individuals who hold senior management positions.

**Beneficial Ownership (UBO):** Identify and take reasonable measures to verify the identity of the beneficial owner(s) (any natural person who directly or indirectly owns or controls 25% or more of the shares or voting rights, or otherwise exercises control over the entity). For trusts or similar legal arrangements, identify the settlors, trustees, beneficiaries, and any other person exercising ultimate control.

Consult relevant registers (e.g., the Luxembourg Register of Beneficial Owners - RBE).

**Purpose and Intended Nature of the Business Relationship:** Understand the rationale behind the customer's use of virtual asset services.

Scrutinize transactions undertaken throughout the course of the relationship to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile.

Regularly review and update customer identification data, especially for high-risk clients.

**Enhanced Due Diligence (EDD):** Required for situations posing a higher ML/TF risk, including:

Politically Exposed Persons (PEPs), their family members, and close associates.

Complex or unusually large transactions, and all unusual patterns of transactions, that have no apparent economic or lawful purpose.

Business relationships or transactions conducted with customers from countries identified by FATF as having strategic AML/CFT deficiencies.

Specific virtual asset types or transaction patterns deemed high-risk (e.g., anonymity-enhanced cryptocurrencies, mixing services).

**Simplified Due Diligence (SDD):** May be applied in limited, specifically defined low-risk situations, but generally very restricted in the virtual asset sector due to inherent risks.

**Reporting Authority:** The **Cellule de Renseignement Financier (CRF)**, Luxembourg's Financial Intelligence Unit (FIU).

**Reporting Obligation:** Reports must be made promptly when a suspicion arises.

**No Tipping-Off:** VASPs and their employees are prohibited from disclosing to the customer concerned, or to third parties, that an STR has been or will be made, or that an investigation is being or may be carried out.

**Retention Period:** Generally **five years** after:

The end of a business relationship with a customer.

The date of an occasional transaction.

Copies of all documents obtained for CDD (identification, verification).

Records of all transactions, including amounts, types of virtual assets, dates, parties involved (including wallet addresses or transaction IDs), and the means of payment.

Records of correspondence relating to the customer relationship.

Records of any analysis undertaken concerning suspicious transactions.

Copies of all suspicious transaction reports made to the CRF.

Records of internal risk assessments, policies, procedures, and staff training.

**Commission de Surveillance du Secteur Financier (CSSF):**

The CSSF is the primary financial supervisory authority in Luxembourg responsible for the prudential supervision of banks, investment firms, payment institutions, electronic money institutions, and since the 5th AML Directive, virtual asset service providers.

It is responsible for granting registration to VASPs, supervising their AML/CFT compliance, issuing specific regulations and guidance, and enforcing compliance through sanctions if necessary.

Relevant Section for Virtual Assets/Fintech: https://www.cssf.lu/en/fintech/

**Cellule de Renseignement Financier (CRF - Luxembourg FIU):**

**Titles III (Asset-Referenced Tokens - ARTs) and IV (E-money Tokens - EMTs)**, which cover stablecoins, will apply from **30 June 2024**.

The rest of MiCA will apply from 30 December 2024.

Defined as a crypto-asset that purports to maintain a stable value by referencing the value of **one single fiat currency**.

These are essentially digital forms of fiat currency issued on a blockchain (e.g., EUR-pegged stablecoin).

They are regulated akin to electronic money under the existing E-Money Directive (EMD2) but with specific additional MiCA requirements.

**Asset-Referenced Tokens (ARTs / ASTs):**

Defined as a crypto-asset that is not an e-money token and that purports to maintain a stable value by referencing **any other value or right, or a combination thereof, including one or several official currencies**.

These include stablecoins pegged to a basket of currencies, commodities (like gold), or other crypto-assets (e.g., a "basket stablecoin" or a gold-backed token).

**E-money:** If a stablecoin met the definition of electronic money under the *Loi du 20 mai 2011 concernant l'accès à l'activité des établissements de monnaie électronique* (transposing EMD2), its issuer would need an e-money institution license. This was the most likely classification for fiat-pegged stablecoins.

**Securities:** If a stablecoin granted rights similar to those of traditional securities (e.g., voting rights, share in profits, debt instruments), it could have been classified as a security under the *Loi du 5 avril 1993 relative au secteur financier* or prospectus laws.

**Payment Tokens:** This was a less defined category in national law; if a token only served as a means of exchange without other features, its regulatory treatment was less clear beyond AML/CFT rules.

Issuers must at all times maintain a **100% reserve of assets** corresponding to the value of the EMTs in circulation.

These reserve assets must be held in a segregated account at a credit institution or invested in highly liquid, minimal-risk assets (e.g., short-term government bonds).

Reserve assets must be distinct from the issuer's operating funds.

Issuers must at all times maintain a **reserve of assets** that is sufficient to cover the value of the ARTs in circulation.

The reserve assets must be held in segregated accounts, clearly identified, and owned by the issuer acting in the interest of the ART holders.

MiCA specifies rules for the composition, segregation, and management of these reserve assets, often requiring a more diversified and prudent investment strategy compared to EMTs, given their potential to reference multiple assets.

An **independent custodian** must hold the reserve assets.

Only **credit institutions** (banks) or **e-money institutions (EMIs)** authorized under EMD2 (and MiCA) can issue EMTs.

In Luxembourg, this means entities already licensed by the CSSF as a bank or EMI. MiCA introduces additional specific requirements for EMT issuers.

Issuers of ARTs must be authorized by their relevant national competent authority (NCA), which in Luxembourg is the **CSSF**.

The authorization process requires a comprehensive application covering governance arrangements, risk management, capital requirements, operational resilience, and a recovery plan.

ART issuers must meet minimum **capital requirements** (e.g., €350,000 or 0.2% of the average amount of reserve assets, whichever is higher).

Holders of EMTs have a direct right to redeem their tokens **at par value** (e.g., 1 EUR-token for 1 EUR) at any time.

Redemption must be processed **without undue delay** by the EMT issuer.

The issuer cannot charge fees for this redemption right unless specifically allowed under limited circumstances outlined in MiCA.

Holders of ARTs have a direct right to redeem their tokens from the issuer **at any time**.

The redemption must be for the value of the assets referenced by the token, as defined in the white paper, and without undue delay.

Issuers must publish their redemption policy, including any fees, in their white paper.

Purely algorithmic stablecoins, which rely solely on software algorithms to maintain their peg without significant asset backing, generally **will not fit the definitions of EMTs or ARTs under MiCA**.

For an ART, MiCA specifically requires the maintenance of a **reserve of assets** to stabilize its value. Algorithmic stablecoins that lack such a reserve, or where the reserve is not sufficiently robust or segregated, will not qualify for authorization as an ART.

This effectively means that most forms of unbacked or under-backed algorithmic stablecoins will be **prohibited from being issued, offered to the public, or admitted to trading** in the EU under MiCA.

**No specific national Luxembourgish CBDC:** The focus is on a single digital euro for the entire Eurozone.

**Coexistence:** A digital euro is envisioned to coexist with existing forms of money, including commercial bank money and potentially well-regulated private stablecoins (EMTs/ARTs).

A digital euro would provide a **risk-free digital payment option** directly backed by the ECB, potentially reducing the demand for private stablecoins for certain use cases, especially those seeking maximum safety.

However, private stablecoins (especially ARTs) could still serve specific purposes, such as wholesale interbank settlements, programmability features, or linking to a wider range of assets, complementing rather than fully replacing a digital euro.

The ECB has indicated that the digital euro would not be programmable to restrict individual spending, a feature that private stablecoins might still offer.

**Loi du 12 novembre 2004 relative à la lutte contre le blanchiment et contre le financement du terrorisme (as amended):** This law transposes EU AML directives.

**CSSF Circular 19/730:** Outlines specific AML/CFT obligations for entities operating in the virtual asset sector, including registration requirements for virtual asset service providers (VASPs).

Issuers of stablecoins (EMTs and ARTs) will be considered "obliged entities" under AML/CFT law, requiring them to implement customer due diligence (CDD), transaction monitoring, suspicious activity reporting, and other compliance measures.

**European Union (EU) Sanctions:** These are directly applicable regulations in all EU member states. The EU implements both UN-mandated sanctions and its own autonomous sanctions regimes (e.g., concerning Russia, Iran, North Korea, Syria, Myanmar, etc.). EU sanctions explicitly cover "funds and economic resources," which have been clarified to include crypto-assets.

**United Nations (UN) Sanctions:** These are binding on all UN member states and are implemented in the EU through EU Council Regulations. UN sanctions typically target specific individuals, entities, or regimes (e.g., Al-Qaeda, ISIL, Taliban, DPRK, Iran).

**Office of Foreign Assets Control (OFAC) Sanctions (U.S.):** While U.S. sanctions are not directly legally binding on non-U.S. persons or entities outside the U.S., their extraterritorial reach is significant. VASPs in Luxembourg engaged in transactions involving U.S. persons, the U.S. financial system (e.g., USD transactions), or U.S.-origin technology must adhere to OFAC regulations to avoid severe penalties, including designation on OFAC's Specially Designated Nationals and Blocked Persons (SDN) List. OFAC has been proactive in adding cryptocurrency addresses to its sanctions lists.

**Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (Loi du 12 novembre 2004 relative à la lutte contre le blanchiment et contre le financement du terrorisme):** This is the core national law transposing EU AML Directives (including the 5th and 6th AML Directives) into Luxembourgish law. It designates VASPs as obliged entities.

**URL (Legilux):** https://legilux.public.lu/eli/etat/leg/loi/2004/11/12/n6/jo (Note: This link is to the original law; look for the "Version consolidée" for the latest amendments.)

**CSSF Circular 20/747 (as amended):** This circular details the AML/CFT requirements specifically for virtual asset service providers.

**EU Council Regulations:** These are the direct legal instruments for EU sanctions. Examples include:

**Council Regulation (EU) No 833/2014** concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine (and its numerous amendments, particularly those explicitly covering crypto-assets).

**URL (EUR-Lex):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02014R0833-20230225 (Check for the latest consolidated version)

Other specific regulations for various sanctioned countries (available on EUR-Lex or the EU Sanctions Map).

**Risk-Based Approach:** VASPs must conduct a comprehensive risk assessment of their business, customers, products, services, and geographic exposure to identify and mitigate sanctions risks.

**Customer Due Diligence (CDD) / Know Your Customer (KYC):**

Identify and verify the identity of customers and beneficial owners.

Understand the purpose and intended nature of the business relationship.

Conduct ongoing monitoring of the business relationship.

Screen all customers and beneficial owners against relevant sanctions lists *before* onboarding and on an ongoing basis.

**Mandatory Screening:** VASPs must screen all new and existing clients (individuals, entities, beneficial owners) against all applicable sanctions lists.

**EU Consolidated List:** This list compiles all individuals and entities subject to EU asset freezes and other restrictive measures (UN-mandated and autonomous EU sanctions).

**URL (EU Sanctions Map, search tool):** https://www.sanctionsmap.eu/#/main

**URL (Official Journal of the EU for specific lists):** https://eur-lex.europa.eu/homepage.html (Search by regulation number)

**OFAC SDN List:** While not directly legally binding, it is best practice for VASPs with any international exposure or U.S. nexus to screen against OFAC's SDN List. OFAC frequently adds cryptocurrency wallet addresses to this list.

**URL (OFAC SDN List):** https://www.treasury.gov/ofac/downloads/sdn.txt

**Crypto Address Screening:** Where sanctions lists include specific crypto wallet addresses (as OFAC's SDN list does, and potentially EU lists in the future), VASPs must implement technical solutions to screen transactions against these addresses.

**Ongoing Screening:** Screening must not be a one-time event but rather an ongoing process to capture newly listed individuals or entities.

**"Hit" Protocol:** If a match is found (a "hit"), the VASP must immediately:

Freeze any assets belonging to the sanctioned person/entity.

Cease all dealings with that person/entity.

Report the hit to the relevant authorities (CSSF and the Cellule de Renseignement Financier - CRF, Luxembourg's FIU) without delay.

Monitor all transactions for suspicious activities, including those involving high-risk jurisdictions or patterns indicative of sanctions evasion.

Implement robust blockchain analytics tools to trace funds and identify potential connections to sanctioned entities or high-risk wallets.

Develop and implement comprehensive written policies, procedures, and internal controls for sanctions compliance.

Appoint a qualified Compliance Officer (often an RC – *Responsable du Respect des Obligations Professionnelles* – and RR – *Responsable de la Fonction de Conformité*) responsible for AML/CFT and sanctions compliance.

**Employee Training:** Regularly train all relevant staff on sanctions regulations, internal procedures, and how to identify and report potential sanctions violations.

**Record-Keeping:** Maintain records of all CDD measures, risk assessments, transaction monitoring alerts, and sanctions screening activities.

**EU Sanctions:** Prohibit certain dealings with individuals, entities, and governments in sanctioned countries (e.g., Russia, North Korea, Iran, Syria, Venezuela). Recent EU sanctions against Russia explicitly prohibit the provision of crypto-asset wallet, account, or custody services to Russian nationals or natural persons residing in Russia, or legal persons, entities, or bodies established in Russia, if the total value of crypto-assets exceeds a certain threshold (currently €10,000).

**Legal Ref:** **Council Regulation (EU) 2022/1904** amending Regulation (EU) No 833/2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine.

**UN Sanctions:** Impose restrictions on specific countries (e.g., DPRK, Iran) concerning nuclear proliferation, terrorism financing, etc.

**OFAC Sanctions:** Maintain broad embargoes or targeted sanctions on countries like Cuba, Iran, North Korea, Syria, Venezuela, and the Crimea, Donetsk, and Luhansk regions of Ukraine. Dealing with these jurisdictions (even indirectly through crypto) carries significant risk for VASPs.

Orders to cease and desist certain practices.

Financial penalties (fines) up to **€5 million** or **10% of the annual turnover** for legal persons, whichever is higher. For serious breaches, this can go up to **€10 million** for legal persons, or up to twice the amount of the benefit derived from the breach, if that amount can be determined. For natural persons, fines can reach **€5 million**.

Temporary or permanent prohibition from exercising management functions.

Imprisonment (e.g., 1 to 5 years under the AML Law).

Heavier fines, potentially up to **€1,250,000**.

For terrorist financing offenses, penalties can be even more severe.

**Law of 12 November 2004, as amended:** Title VI specifies administrative and criminal sanctions.

**EU Consolidated List:** This list identifies persons and entities subject to EU restrictive measures. Critically, the definition of "funds" and "economic resources" in EU regulations (e.g., Council Regulation (EU) No 269/2014 concerning restrictive measures against actions undermining Ukraine's territorial integrity, as amended, and Council Regulation (EU) No 833/2014 concerning Russia) has been expanded to explicitly include "crypto-assets." This means that any individual or entity on the EU Consolidated List is sanctioned with respect to all their assets, including crypto-assets.

**UN Sanctions Lists:** These are implemented via EU regulations, and similarly, the asset freezes apply to crypto-assets.

**OFAC SDN List:** This is the most explicit list regarding crypto-assets, as OFAC has designated numerous cryptocurrency addresses associated with sanctioned entities (e.g., North Korean hacking groups, ransomware operators, Russian darknet markets) directly on its SDN list.

**URL (EUR-Lex):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R1904 (See Article 1(17) adding Article 5b to Reg 833/2014)

**Focus on Registration and AML/CFT Compliance:**

The CSSF maintains a public register of VASPs operating in Luxembourg. This registration process is a crucial form of regulation and "pre-enforcement." Entities must demonstrate robust AML/CFT frameworks to be registered.

Failure to register or comply with AML/CFT obligations is a violation, and the CSSF's primary "enforcement" in such cases often involves:

Issuing warnings for unregistered activities.

Ordering non-compliant entities to cease operations.

Intensive supervisory engagement, which can lead to operational changes but not necessarily a public fine.

**Significance:** This proactive stance aims to prevent illicit activity rather than solely penalize it after the fact, which might explain the lack of numerous public fines.

**No Major Public Fines Against Specific Crypto Entities:**

Extensive searches of the CSSF's official communications, press releases, and reputable financial news sources for the period of mid-2021 to mid-2024 do not reveal specific, public enforcement actions against named cryptocurrency entities with associated penalty amounts for non-compliance with virtual asset regulations.

Luxembourg's regulatory actions, especially related to AML/CFT, can sometimes be resolved through administrative measures, enhanced supervision, or non-public agreements, rather than large public fines.

It is common for financial regulators globally to take actions that are not widely publicized, especially when dealing with smaller entities or when issues are resolved through direct engagement and remediation. The absence of a public record does not necessarily mean an absence of regulatory scrutiny or internal corrective actions.

**Regulator:** **Commission de Surveillance du Secteur Financier (CSSF)**

Law of 25 March 2020: Establishing a register for VASPs, transposing parts of the 5th Anti-Money Laundering Directive (AMLD5).

CSSF Circular 20/747: Revised prudential requirements for VASPs.

CSSF Circular 23/843: Updated guidance for VASPs on AML/CFT, reflecting new recommendations from the Financial Action Task Force (FATF).

**Violation Type (General Focus):** Non-compliance with AML/CFT obligations, operating without proper registration as a VASP, market abuse, consumer protection issues.

**Outcome (General):** Refusal of VASP registration, official warnings, cease-and-desist orders, enhanced supervisory measures.

**Date:** Ongoing regulatory activity (last 3 years).

**Penalty Amount:** Not publicly disclosed for specific crypto entities during this period.

**CSSF VASP Register (Information Page):** This page explains the registration requirements and provides access to the list of registered VASPs.

**CSSF Press Releases / News (General):** Regularly updated with guidance and warnings, rather than specific enforcement actions with fines.

**CSSF Circular 23/843 (Relevant for AML/CFT for VASPs):**

**CSSF Warnings for Unlicensed Entities:** The CSSF frequently issues warnings against entities that purport to offer financial services in Luxembourg without proper authorization, including those related to crypto. These are general warnings rather than specific enforcement actions against a regulated VASP.