Luxembourg -- Licensing Requirements Regulatory Overview

**Registration as a VASP:** Entities providing "custodian wallet services" (which includes custody of virtual assets on behalf of clients) are considered Virtual Asset Service Providers (VASPs) under Luxembourg law. These VASPs are subject to registration with the CSSF for AML/CFT purposes.

The registration is governed by the **Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the "AML Law")**, which incorporated the EU's 5th AML Directive.

Registration requires the entity to comply with AML/CFT obligations, including customer due diligence (CDD), ongoing monitoring, suspicious transaction reporting, and internal control frameworks.

**Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (Loi du 12 novembre 2004 relative à la lutte contre le blanchiment et contre le financement du terrorisme, telle que modifiée):** While a specific URL to the consolidated law is hard to pinpoint, it's the primary legal basis. The key amendments are from 2018 and later.

**CSSF Circular 22/811 (and previous versions like 20/747 and 21/769 which it consolidates/replaces):** This circular provides detailed guidance on AML/CFT obligations for VASPs.

CSSF Circular 22/811 (English version)

**CSSF webpage on Virtual Assets / VASPs:**

**Authorization, not just Registration:** MiCA will require firms providing "custody and administration of crypto-assets on behalf of third parties" to obtain a full authorization from a national competent authority (the CSSF in Luxembourg) to operate across the EU. This is a more stringent licensing regime than the current AML registration.

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):**

While the current AML Law itself doesn't explicitly mandate segregation of client crypto assets in the same way traditional financial services are regulated (e.g., MiFID), the CSSF expects VASPs to have robust internal controls, governance, and risk management frameworks. Commingling client and proprietary assets would generally be viewed as poor practice and a significant risk to clients, potentially leading to CSSF intervention based on general prudential expectations.

Firms offering custody services must demonstrate adequate arrangements to protect clients' virtual assets.

**Explicit Requirement:** MiCA explicitly mandates crypto-asset service providers offering custody services to:

Keep separate the crypto-assets of their clients from their own crypto-assets and ensure that this is achieved by using different blockchain addresses or distributed ledgers.

Keep separate the funds of their clients from their own funds, in accordance with national law.

**MiCA Regulation (EU) 2023/1114, Article 67 ("Custody and administration of crypto-assets on behalf of third parties"):** Specifically, Article 67(1)(b) addresses segregation.

Luxembourg's current VASP AML registration does not explicitly mandate specific insurance or bonding requirements for pure crypto custody services.

However, the CSSF generally expects regulated entities to have adequate financial resources and robust risk management, which may include appropriate professional indemnity insurance to cover potential liabilities arising from operational failures, security breaches, or errors.

**Prudential Requirements and Professional Indemnity Insurance:** MiCA introduces specific prudential requirements for crypto-asset service providers. For custodians, it requires them to:

Hold own funds (capital requirements) or a professional indemnity insurance to cover liability risks from their operations. The amount will depend on the type of service and associated risks.

**MiCA Regulation (EU) 2023/1114, Article 67 (5) and Article 68 (specifically Article 68(1)(a) regarding capital requirements or professional indemnity insurance).**

There are no explicit mandates for "cold storage" in Luxembourg's current regulations.

However, CSSF Circular 22/811 and the general principles of sound risk management dictate that VASPs must implement robust IT security measures and internal controls to protect virtual assets. This implicitly requires firms to adopt industry best practices for secure storage, which often involves a combination of hot, warm, and cold storage solutions, multi-signature wallets, Hardware Security Modules (HSMs), and comprehensive key management policies. The CSSF assesses the adequacy of these measures as part of the VASP registration and ongoing supervision.

MiCA does not explicitly mandate "cold storage" either, but it does require crypto-asset service providers to:

Have sound governance arrangements, including clear organisational structure with well-defined, transparent and consistent lines of responsibility.

Establish and maintain effective arrangements to prevent operational risks, including IT security risks.

Employ appropriate systems, resources and procedures to ensure the security, integrity and confidentiality of their services.

**MiCA Regulation (EU) 2023/1114, Articles 67 and 69 (Organisational requirements).**

Luxembourg does not currently have a distinct definition of a "qualified crypto custodian" beyond the existing VASP registration requirements for AML/CFT purposes. Any entity registered as a VASP for "custodian wallet services" is considered a supervised entity by the CSSF for those specific purposes.

MiCA will effectively create a framework for "qualified custodians" by:

Defining "custody and administration of crypto-assets on behalf of third parties" as a specific crypto-asset service.

Requiring authorization from a national competent authority (like the CSSF) to provide this service.

Setting out detailed and stringent organisational, prudential, and operational requirements for these authorized entities, including liability provisions. An authorized MiCA crypto-asset service provider offering custody will be the EU's equivalent of a "qualified custodian" for crypto assets.

**MiCA Regulation (EU) 2023/1114, Article 3(1)(14) (Definition of "custody and administration of crypto-assets on behalf of third parties") and Title V (Authorization and operating conditions for crypto-asset service providers).**

**Key Impact on Custody:** MiCA will introduce a harmonized, comprehensive regulatory framework for crypto-assets and crypto-asset service providers across the EU.

**Authorization:** Firms providing custody will need to be authorized as "crypto-asset service providers" (CASPs) by the CSSF.

**Enhanced Requirements:** It will impose explicit requirements for custodians regarding:

**Organisational requirements:** Robust governance, risk management, IT security, and business continuity plans.

**Prudential requirements:** Own funds or professional indemnity insurance.

**Client asset segregation:** Explicit requirement to keep client crypto-assets and funds separate from own assets.

**Liability:** CASPs will be liable to clients for loss of crypto-assets due to operational malfunction, security breaches, or errors, unless proven otherwise.

**Notification and client agreement obligations.**

**Timeline:** Most provisions concerning crypto-asset services (including custody, falling under Title V of MiCA) will apply from **30 December 2024**.

The CSSF will be the primary competent authority for implementing and enforcing MiCA in Luxembourg and is expected to issue further guidance, circulars, and FAQs as the implementation date approaches.

**CSSF (Commission de Surveillance du Secteur Financier):**

Virtual Assets Section: https://www.cssf.lu/en/virtual-assets/ (This is a key resource for current CSSF guidance)

**Law of 12 November 2004 on combating money laundering and terrorist financing (as amended, including by the Law of 25 March 2020 on virtual assets):**

Consolidated version (in French): https://legilux.public.lu/eli/etat/leg/loi/2004/11/12/n27/jo

*Note: This law is frequently amended. The key amendment for VASPs is the Law of 25 March 2020 which incorporated the 5th AML Directive.*

**Law of 5 April 1993 on the financial sector (governs PFS licenses):**

**Law of 13 July 2018 on payment services (implements PSD2):**

**Substance Over Form:** The legal nature of a token is determined by its characteristics and rights it confers, not merely by the terminology used by the issuer.

**Technology Neutrality:** The fact that an instrument is issued using DLT does not change its fundamental legal classification if it possesses the characteristics of an existing financial instrument.

**Assessment against existing financial instrument definitions:** The primary legal test is to evaluate if the token embodies rights and obligations that correspond to categories like:

**Transferable Securities:** Shares in companies, bonds or other forms of securitised debt, and any other negotiable instruments which confer the right to acquire or dispose of any such transferable securities by subscription or exchange or which confer voting rights or any other rights similar to shares. (MiFID II, Annex I, Section C, Point 1)

**Money-Market Instruments:** Instruments normally dealt in on the money market, such as treasury bills, certificates of deposit and commercial paper, and excluding instruments of payment. (MiFID II, Annex I, Section C, Point 2)

**Units in Collective Investment Undertakings:** (MiFID II, Annex I, Section C, Point 3)

**Derivatives:** Options, futures, swaps, forward rate agreements, and any other derivative contracts relating to securities, currencies, interest rates or yields, emission allowances or other underlying instruments, financial indices or financial measures which may be settled physically or in cash. (MiFID II, Annex I, Section C, Points 4-10)

**Security Tokens:** These are explicitly designed to represent traditional financial instruments. Examples include:

**Equity tokens:** Representing ownership shares in a company, conferring voting rights, dividend rights, etc.

**Debt tokens:** Representing bonds, loans, or other debt instruments, conferring interest payments and principal repayment.

**Asset-backed tokens:** Tokens representing fractional ownership in real-world assets like real estate, art, or commodities, where the primary purpose is investment.

**Derivative tokens:** Tokens whose value is derived from an underlying asset or index, such as tokenized options or futures contracts.

**Investment contract tokens:** Where the token confers rights that are intrinsically linked to an investment scheme, similar to collective investment undertakings.

**Utility Tokens (Conditional):** Generally, utility tokens that genuinely provide access to a product or service (e.g., software license, platform access) are **not** considered securities. However, a utility token could be reclassified as a security if:

Its primary purpose or the reasonable expectation of purchasers is an investment return rather than utility.

It also confers rights similar to traditional securities (e.g., profit-sharing, governance rights in a structure resembling a company).

**Payment/Exchange Tokens (Generally Not):** Cryptocurrencies like Bitcoin or Ethereum, primarily designed as a means of payment or exchange, are generally **not** classified as securities. However, they may fall under:

**E-money regulation:** If they purport to maintain a stable value and are issued by an e-money issuer against receipt of funds (e.g., certain stablecoins).

**Payment services regulation:** If services related to their transfer are offered.

**AML/CFT regulation:** As virtual assets.

**Public Offer or Admission to Trading (Prospectus Regulation):**

If a token qualifies as a "transferable security" and is offered to the public in Luxembourg or admitted to trading on a regulated market in the EU, the **Prospectus Regulation (EU) 2017/1129** applies.

This typically requires the publication of a CSSF-approved prospectus, providing detailed information about the issuer, the securities, and the risks.

**Exemptions** exist, for example, for offers below certain thresholds (€8 million over 12 months in the EU, or smaller amounts nationally without EU passporting), or offers made only to qualified investors.

**Prospectus Regulation (EU) 2017/1129:** https://eur-lex.europa.eu/eli/reg/2017/1129/oj

**Investment Firm Authorisation (MiFID II):**

If an issuer (or related entity) provides investment services (e.g., investment advice, portfolio management, brokerage, underwriting) related to security tokens, they may need authorization as an **investment firm** under MiFID II.

**MiFID II (Directive 2014/65/EU):** https://eur-lex.europa.eu/eli/dir/2014/65/oj

**AML/CFT Registration for Virtual Asset Service Providers (VASPs):**

Regardless of whether a token is a security, entities providing services related to virtual assets (e.g., exchange between virtual assets and fiat currencies, custody, transfer, issuance, operation of trading platforms) generally qualify as **Virtual Asset Service Providers (VASPs)**.

VASPs must register with the CSSF and comply with the **Law of 12 November 2004 on the fight against money laundering and terrorist financing**, which transposes the EU AML Directives. This involves implementing robust AML/CFT policies and procedures.

**Luxembourg Law of 12 November 2004 (consolidated version, French):** https://legilux.public.lu/eli/etat/leg/loi/2004/11/12/n6/jo (Note: English translations are often available through legal services, but the official version is French)

**CSSF Circular 20/746 (FAQ on Virtual Assets):** https://www.cssf.lu/en/document/circular-20-746-faq-virtual-assets/

**CSSF page on Virtual Assets:** https://www.cssf.lu/en/pages/virtual-assets/

**Trading Venues:** Platforms facilitating the trading of security tokens may require authorization as:

**Regulated Market:** A multilateral system operated by a market operator which brings together or facilitates the bringing together of multiple third-party buying and selling interests in financial instruments (MiFID II).

**Multilateral Trading Facility (MTF):** A multilateral system, operated by an investment firm or a market operator, which brings together multiple third-party buying and selling interests in financial instruments (MiFID II).

**Organised Trading Facility (OTF):** A multilateral system, which is not a regulated market or an MTF, in which multiple third-party buying and selling interests in bonds, structured finance products, emission allowances or derivatives are able to interact in the system (MiFID II).

**Post-Trade Transparency & Reporting:** Transactions in security tokens on regulated venues would be subject to MiFID II's pre- and post-trade transparency requirements and transaction reporting obligations.

**Market Abuse:** Trading in security tokens is subject to the **Market Abuse Regulation (EU) 596/2014 (MAR)**, prohibiting insider dealing, market manipulation, and unlawful disclosure of inside information.

**DLT Pilot Regime:** The **DLT Pilot Regime (Regulation (EU) 2022/858)**, which came into effect in March 2023, allows for the temporary operation of DLT market infrastructures (DLT MTFs and DLT Settlement Systems) that admit to trading or record certain crypto-assets classified as financial instruments. This provides a sandbox-like environment for experimenting with DLT in traditional financial market infrastructures.

**DLT Pilot Regime (Regulation (EU) 2022/858):** https://eur-lex.europa.eu/eli/reg/2022/858/oj

**Focus on Unauthorised Activities:** The CSSF frequently issues warnings and takes action against entities operating in Luxembourg without the necessary licenses or registrations, including those providing investment services, payment services, or VASP services related to crypto-assets.

These actions often involve cease-and-desist orders or public warnings, preventing entities from offering services until they comply with regulatory requirements.

**AML/CFT Non-Compliance:** A significant portion of public enforcement in the crypto space relates to breaches of AML/CFT obligations. The CSSF regularly imposes administrative fines on VASPs and other supervised entities for deficiencies in their anti-money laundering and counter-terrorist financing frameworks.

While not specific to "securities," these actions underscore the CSSF's vigilance in ensuring regulated entities adhere to financial crime prevention standards. For instance, public notices on CSSF's website regularly list administrative sanctions.

**Investor Protection Warnings:** The CSSF issues numerous warnings to the public about fraudulent crypto schemes, unregulated entities, and the risks associated with investing in volatile or speculative crypto-assets. These indirectly enforce regulatory compliance by deterring participation in unregulated markets.

**Guidance and Prevention:** The CSSF largely adopts a proactive approach, providing extensive guidance through FAQs, circulars, and direct engagement with market participants to ensure compliance before issues escalate. Many projects are guided towards proper classification and authorisation pathways, reducing the need for direct enforcement through litigation.

**CSSF Public Warnings:** Regular public warnings against unauthorized firms offering crypto-asset related services (e.g., investment platforms, trading venues) that are not authorized as investment firms or payment institutions. These warnings often state that the entity is not supervised by the CSSF and its activities are illegal in Luxembourg.

**Administrative Sanctions:** Public announcements of administrative fines for non-compliance with AML/CFT requirements imposed on supervised entities, including VASPs. While not always directly about the "security" classification of tokens, these demonstrate the CSSF's enforcement powers over entities operating in the crypto space.

**Strong AML/CFT focus:** The primary regulatory lens through which crypto-asset service providers (VASPs) are currently supervised.

**Embracing DLT for traditional securities:** Early mover in allowing the use of Distributed Ledger Technology (DLT) for the issuance and transfer of securities.

**Proactive adoption of EU frameworks:** Actively preparing for and incorporating the Markets in Crypto-Assets (MiCA) Regulation.

**Supervision by the financial regulator:** All relevant entities are brought under the purview of the national financial supervisory authority.

**Commission de Surveillance du Secteur Financier (CSSF)**

**Role:** The CSSF is responsible for the prudential supervision of all professionals of the financial sector (PSFs) in Luxembourg, including virtual asset service providers (VASPs). It oversees compliance with AML/CFT obligations, DLT securities frameworks, and will be the competent authority for MiCA licensing.

**Law of 25 March 2020 (amending the AML/CFT Law):**

**Name:** *Loi du 25 mars 2020 ayant pour objet de modifier: 1° la loi modifiée du 12 novembre 2004 relative à la lutte contre le blanchiment et contre le financement du terrorisme; (...) 3° la loi modifiée du 5 avril 1993 relative au secteur financier.* (Law of 25 March 2020 amending: 1° the amended law of 12 November 2004 on the fight against money laundering and terrorist financing; (...) 3° the amended law of 5 April 1993 on the financial sector.)

**Purpose:** This law implemented the 5th EU Anti-Money Laundering Directive (AMLD5) into national law. Crucially, it expanded the scope of entities subject to AML/CFT obligations to include Virtual Asset Service Providers (VASPs) and brought them under the supervision of the CSSF.

**Reference (Legilux - official legal publication):** https://legilux.public.lu/eli/etat/leg/loi/2020/03/25/a189/jo

**CSSF guidance for VASPs:** https://www.cssf.lu/en/document-detail/news/virtual-asset-service-providers/

**Law of 1 March 2019 (on DLT for financial instruments):**

**Name:** *Loi du 1er mars 2019 concernant l’utilisation de la technologie des registres distribués dans le secteur financier.* (Law of 1 March 2019 concerning the use of distributed ledger technology in the financial sector.)

**Purpose:** This pioneering law clarified that book-entry securities (dematerialised securities) can be issued and circulated through Distributed Ledger Technology (DLT) systems, giving them the same legal standing as traditional securities. This removed legal uncertainty for financial institutions wanting to use blockchain for securities.

**Law of 22 January 2021 (amending the DLT Law and others):**

**Name:** *Loi du 22 janvier 2021 portant modification de: 1° la loi modifiée du 1er mars 2019 concernant l’utilisation de la technologie des registres distribués dans le secteur financier; 2° la loi modifiée du 5 avril 1993 relative au secteur financier.* (Law of 22 January 2021 amending: 1° the amended law of 1 March 2019 concerning the use of distributed ledger technology in the financial sector; 2° the amended law of 5 April 1993 on the financial sector.)

**Purpose:** This law further enhanced Luxembourg's DLT framework, particularly by extending the legal certainty of using DLT for unlisted securities, thus broadening the scope of DLT applicability in the financial sector.

**EU Markets in Crypto-Assets (MiCA) Regulation:**

**Name:** *Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937.*

**Date:** Entered into force 29 June 2023. Staged implementation:

Titles III and IV (asset-referenced tokens and e-money tokens) apply from **30 June 2024**.

All other provisions apply from **30 December 2024**.

**Purpose:** MiCA is a landmark EU-wide regulation providing a comprehensive framework for the issuance, public offering, and trading of crypto-assets (excluding those already classified as financial instruments, which are covered by existing EU securities law). It covers requirements for issuers, crypto-asset service providers (CASPs), market integrity, and consumer protection. Luxembourg, as an EU member state, will fully implement and enforce MiCA, which will supersede some national provisions.

**Not Banned:** Luxembourg permits crypto trading and the operation of crypto exchanges.

**Regulated Activities (Currently under AML/CFT):**

Entities providing services related to virtual assets in or from Luxembourg (e.g., operating an exchange, providing custodian wallets, facilitating transfers, exchanging virtual assets for fiat currency or other virtual assets) are classified as **Virtual Asset Service Providers (VASPs)**.

These VASPs are subject to the **Law of 12 November 2004 (as amended, particularly by the 2020 law)** on the fight against money laundering and terrorist financing.

They must **register with the CSSF** and comply with stringent AML/CFT requirements, including:

Customer Due Diligence (KYC - Know Your Customer)

Internal governance and risk management frameworks.

The CSSF conducts ongoing supervision to ensure compliance.

From **December 2024**, crypto exchanges and other CASPs (Crypto-Asset Service Providers) will need to obtain a **full authorization** under the MiCA Regulation, rather than just an AML/CFT registration.

MiCA introduces comprehensive requirements covering capital, governance, operational resilience, consumer protection, and market abuse prevention. This will significantly elevate the regulatory bar for these entities in Luxembourg, aligning them more closely with traditional financial institutions in terms of oversight.

Consolidated version (in French): https://legilux.public.lu/eli/etat/leg/loi/1993/04/05/n2/jo

Consolidated version (in French): https://legilux.public.lu/eli/etat/leg/loi/2018/07/13/a590/jo