Luxembourg -- AML/CFT Compliance Regulatory Overview

**Directive (EU) 2015/849 (4th AML Directive):** Laid the groundwork for strengthening AML/CFT rules across the EU.

**Directive (EU) 2018/843 (5th AML Directive):** Critically, this directive extended the scope of AML/CFT rules to include virtual asset service providers, bringing them under the regulatory purview.

**Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the "AML Law"):** This is the cornerstone legislation. It was significantly amended by the **Law of 25 March 2020** to transpose the 5th AML Directive, explicitly including virtual asset service providers as "professionals" subject to AML/CFT obligations.

**CSSF Regulation N° 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing:** This regulation, though predating the full VASP inclusion, sets out general professional obligations and is complemented by specific CSSF guidance.

**CSSF Circular 20/747 (as amended by Circular 22/815):** This circular is crucial for VASPs as it consolidates and specifies the AML/CFT professional obligations under the amended AML Law for all entities subject to CSSF supervision, including VASPs. It provides detailed guidance on risk assessment, customer due diligence, internal organisation, and reporting requirements.

**Exchange services:** Exchanging virtual assets for fiat currencies or other virtual assets.

**Custodial wallet providers:** Entities that provide services to safeguard private cryptographic keys on behalf of their customers, to hold, store and transfer virtual assets.

**Transfer of virtual assets:** Services involving the movement of virtual assets between addresses or accounts.

**Issuance of virtual assets:** Services related to the offering or sale of new virtual assets.

Obtain and verify the customer's name, residential address, date and place of birth, nationality, and a unique identification number (e.g., from a passport or national ID card).

Verify identity using reliable, independent source documents, data, or information (e.g., government-issued photo ID, proof of address utility bill).

**Legal Entities (Companies, Foundations, etc.):**

Obtain and verify the company's name, legal form, registered address, articles of association, list of directors, and proof of incorporation.

Identify and verify the identity of individuals who hold senior management positions.

**Beneficial Ownership (UBO):** Identify and take reasonable measures to verify the identity of the beneficial owner(s) (any natural person who directly or indirectly owns or controls 25% or more of the shares or voting rights, or otherwise exercises control over the entity). For trusts or similar legal arrangements, identify the settlors, trustees, beneficiaries, and any other person exercising ultimate control.

Consult relevant registers (e.g., the Luxembourg Register of Beneficial Owners - RBE).

**Purpose and Intended Nature of the Business Relationship:** Understand the rationale behind the customer's use of virtual asset services.

Scrutinize transactions undertaken throughout the course of the relationship to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile.

Regularly review and update customer identification data, especially for high-risk clients.

**Enhanced Due Diligence (EDD):** Required for situations posing a higher ML/TF risk, including:

Politically Exposed Persons (PEPs), their family members, and close associates.

Complex or unusually large transactions, and all unusual patterns of transactions, that have no apparent economic or lawful purpose.

Business relationships or transactions conducted with customers from countries identified by FATF as having strategic AML/CFT deficiencies.

Specific virtual asset types or transaction patterns deemed high-risk (e.g., anonymity-enhanced cryptocurrencies, mixing services).

**Simplified Due Diligence (SDD):** May be applied in limited, specifically defined low-risk situations, but generally very restricted in the virtual asset sector due to inherent risks.

**Reporting Authority:** The **Cellule de Renseignement Financier (CRF)**, Luxembourg's Financial Intelligence Unit (FIU).

**Reporting Obligation:** Reports must be made promptly when a suspicion arises.

**No Tipping-Off:** VASPs and their employees are prohibited from disclosing to the customer concerned, or to third parties, that an STR has been or will be made, or that an investigation is being or may be carried out.

**Retention Period:** Generally **five years** after:

The end of a business relationship with a customer.

The date of an occasional transaction.

Copies of all documents obtained for CDD (identification, verification).

Records of all transactions, including amounts, types of virtual assets, dates, parties involved (including wallet addresses or transaction IDs), and the means of payment.

Records of correspondence relating to the customer relationship.

Records of any analysis undertaken concerning suspicious transactions.

Copies of all suspicious transaction reports made to the CRF.

Records of internal risk assessments, policies, procedures, and staff training.

**Commission de Surveillance du Secteur Financier (CSSF):**

The CSSF is the primary financial supervisory authority in Luxembourg responsible for the prudential supervision of banks, investment firms, payment institutions, electronic money institutions, and since the 5th AML Directive, virtual asset service providers.

It is responsible for granting registration to VASPs, supervising their AML/CFT compliance, issuing specific regulations and guidance, and enforcing compliance through sanctions if necessary.

Relevant Section for Virtual Assets/Fintech: https://www.cssf.lu/en/fintech/

**Cellule de Renseignement Financier (CRF - Luxembourg FIU):**

**Titles III (Asset-Referenced Tokens - ARTs) and IV (E-money Tokens - EMTs)**, which cover stablecoins, will apply from **30 June 2024**.

The rest of MiCA will apply from 30 December 2024.

Defined as a crypto-asset that purports to maintain a stable value by referencing the value of **one single fiat currency**.

These are essentially digital forms of fiat currency issued on a blockchain (e.g., EUR-pegged stablecoin).

They are regulated akin to electronic money under the existing E-Money Directive (EMD2) but with specific additional MiCA requirements.

**Asset-Referenced Tokens (ARTs / ASTs):**

Defined as a crypto-asset that is not an e-money token and that purports to maintain a stable value by referencing **any other value or right, or a combination thereof, including one or several official currencies**.

These include stablecoins pegged to a basket of currencies, commodities (like gold), or other crypto-assets (e.g., a "basket stablecoin" or a gold-backed token).

**E-money:** If a stablecoin met the definition of electronic money under the *Loi du 20 mai 2011 concernant l'accès à l'activité des établissements de monnaie électronique* (transposing EMD2), its issuer would need an e-money institution license. This was the most likely classification for fiat-pegged stablecoins.

**Securities:** If a stablecoin granted rights similar to those of traditional securities (e.g., voting rights, share in profits, debt instruments), it could have been classified as a security under the *Loi du 5 avril 1993 relative au secteur financier* or prospectus laws.

**Payment Tokens:** This was a less defined category in national law; if a token only served as a means of exchange without other features, its regulatory treatment was less clear beyond AML/CFT rules.

Issuers must at all times maintain a **100% reserve of assets** corresponding to the value of the EMTs in circulation.

These reserve assets must be held in a segregated account at a credit institution or invested in highly liquid, minimal-risk assets (e.g., short-term government bonds).

Reserve assets must be distinct from the issuer's operating funds.

Issuers must at all times maintain a **reserve of assets** that is sufficient to cover the value of the ARTs in circulation.

The reserve assets must be held in segregated accounts, clearly identified, and owned by the issuer acting in the interest of the ART holders.

MiCA specifies rules for the composition, segregation, and management of these reserve assets, often requiring a more diversified and prudent investment strategy compared to EMTs, given their potential to reference multiple assets.

An **independent custodian** must hold the reserve assets.

Only **credit institutions** (banks) or **e-money institutions (EMIs)** authorized under EMD2 (and MiCA) can issue EMTs.

In Luxembourg, this means entities already licensed by the CSSF as a bank or EMI. MiCA introduces additional specific requirements for EMT issuers.

Issuers of ARTs must be authorized by their relevant national competent authority (NCA), which in Luxembourg is the **CSSF**.

The authorization process requires a comprehensive application covering governance arrangements, risk management, capital requirements, operational resilience, and a recovery plan.

ART issuers must meet minimum **capital requirements** (e.g., €350,000 or 0.2% of the average amount of reserve assets, whichever is higher).

Holders of EMTs have a direct right to redeem their tokens **at par value** (e.g., 1 EUR-token for 1 EUR) at any time.

Redemption must be processed **without undue delay** by the EMT issuer.

The issuer cannot charge fees for this redemption right unless specifically allowed under limited circumstances outlined in MiCA.

Holders of ARTs have a direct right to redeem their tokens from the issuer **at any time**.

The redemption must be for the value of the assets referenced by the token, as defined in the white paper, and without undue delay.

Issuers must publish their redemption policy, including any fees, in their white paper.

Purely algorithmic stablecoins, which rely solely on software algorithms to maintain their peg without significant asset backing, generally **will not fit the definitions of EMTs or ARTs under MiCA**.

For an ART, MiCA specifically requires the maintenance of a **reserve of assets** to stabilize its value. Algorithmic stablecoins that lack such a reserve, or where the reserve is not sufficiently robust or segregated, will not qualify for authorization as an ART.

This effectively means that most forms of unbacked or under-backed algorithmic stablecoins will be **prohibited from being issued, offered to the public, or admitted to trading** in the EU under MiCA.

**No specific national Luxembourgish CBDC:** The focus is on a single digital euro for the entire Eurozone.

**Coexistence:** A digital euro is envisioned to coexist with existing forms of money, including commercial bank money and potentially well-regulated private stablecoins (EMTs/ARTs).

A digital euro would provide a **risk-free digital payment option** directly backed by the ECB, potentially reducing the demand for private stablecoins for certain use cases, especially those seeking maximum safety.

However, private stablecoins (especially ARTs) could still serve specific purposes, such as wholesale interbank settlements, programmability features, or linking to a wider range of assets, complementing rather than fully replacing a digital euro.

The ECB has indicated that the digital euro would not be programmable to restrict individual spending, a feature that private stablecoins might still offer.

**Loi du 12 novembre 2004 relative à la lutte contre le blanchiment et contre le financement du terrorisme (as amended):** This law transposes EU AML directives.

**CSSF Circular 19/730:** Outlines specific AML/CFT obligations for entities operating in the virtual asset sector, including registration requirements for virtual asset service providers (VASPs).

Issuers of stablecoins (EMTs and ARTs) will be considered "obliged entities" under AML/CFT law, requiring them to implement customer due diligence (CDD), transaction monitoring, suspicious activity reporting, and other compliance measures.