Tue, Feb 22, 2022

CSSF Updates

CSSF: Circular CSSF 21/785, Material IT Outsourcing

October 14

On October 14, 2021, the CSSF published Circular CSSF 21/785, which replaces the prior authorization obligation with a prior notification obligation in the event of material IT outsourcing.

The circular introduces the submission of a notification form to the CSSF at least 3 months before implementation of the outsourcing arrangement. In case of outsourcing to a support professional from the financial sector (PFS), this period is reduced to 1 month. During the notification period, the CSSF can request additional information about the outsourcing notification and partially or completely reject the project. In the absence of reaction, the outsourcing arrangement can be considered approved and therefore can be implemented.

For cloud computing, the circular states that the service contract signed with the cloud service provider shall be subject to the law of one of the EU countries, and at least one cloud data center shall be located within the EU for resilience purposes. Where the contract signed is a group contract aiming at allowing the ISCR (i.e., an institution supervised by the competent authority and consuming cloud computing resources for the purpose of carrying out its activities) and other entities of the group to benefit from cloud computing services, the contract can also be subjected to the law of the country of the signing group entity, including where this country is outside the EU.

The circular enters into force on October 15, 2021, and applies to:

  • All credit institutions
  • PSFs
  • Payment institutions and electronic money institutions 
  • Investment fund managers subject to Circular CSSF 18/698

Read the full article here.

CSSF: Circular CSSF 21/786, FATF Statements (Repealing Circular CSSF 21/775 of July 5, 2021)

November 4

On November 4, 2021, the CSSF published Circular CSSF 21/786 on the Financial Action Task Force (FATF) statements, repealing Circular CSSF 21/775 of July 5, 2021. The circular informs the entities that the CSSF supervises of the FATF statements concerning high-risk jurisdictions on which enhanced due diligence and, where appropriate, countermeasures are imposed as well as jurisdictions under increased monitoring of the FATF.

Compared with the March 2021 version, the FATF added Jordan, Mali and Turkey to the list of jurisdictions with current strategic AML/CFT deficiencies that they have developed an action plan with the FATF to address. In addition, FATF removed Botswana and Mauritius from the list. 

As of today, the 23 jurisdictions that have strategic AML/CFT deficiencies that they have developed an action plan with the FATF to address are Albania, Barbados, Burkina Faso, Cambodia, Cayman Islands, Haiti, Jamaica, Jordan, Mali, Malta, Morocco, Myanmar, Nicaragua, Pakistan, Panama, Philippines, Senegal, South Sudan, Syria, Turkey, Uganda, Yemen and Zimbabwe.

Read the full article here.

CSSF: FAQ on Virtual Assets

November 29

On November 29, 2021, the CSSF published the first FAQ on virtual assets. The document provides clarifications on the following questions:

  • May a UCITS or an AIF invest in virtual assets?
  • Do Luxembourg investment fund managers (IFMs) need authorization to manage virtual assets?
  • Are there specific considerations regarding the mitigation of ML/TF risks?


UCITS and UCIs addressing non-professional investors and pension funds are not allowed to invest directly or indirectly in virtual assets. However, digital assets that fulfil the conditions of financial instruments within the meaning of the law of April 5, 1993, on the financial sector are not subject to the above exclusion and could potentially fall within the scope of eligible investments for UCITS.


AIF can invest directly (and indirectly) in virtual assets under the conditions that its units are marketed only to professional investors and the Luxembourg-authorized IFM has an extension of authorization from the CSSF for this new investment strategy. The CSSF draws attention to the integration phase of virtual assets in the AIFs’ investment policies and for the IFM to have adequate internal control functions in the approval of new products/investment strategies before applying for an extension of authorization from the CSSF for this new strategy. In addition, the IFM must make a case-by-case assessment of the impact of the investments in virtual assets on the risk profile of the investment fund and ensure that investors are properly informed in a transparent and timely manner and that the relevant fund documentation is updated.


Authorized AIFMs wishing to manage AIFs investing in virtual assets must obtain a prior authorization from the CSSF for the strategy “Other-Other Fund-Virtual assets.” In the authorization request, authorized AIFMs are expected to provide, among other things:

  • A description of the project and of the different services providers and delegates involved
  • Information about whether the investments in virtual assets will be made directly or indirectly (by means of derivatives, for example)
  • An updated risk management policy, including in particular how the risks in relation to the virtual assets are managed
  • An updated valuation policy, including the rules on how the value of the virtual assets will be determined
  • A description of the experience of the portfolio manager (and other entities involved in the investment management process) in virtual assets
  • A description of how the custody of the assets will be organized by the depositary
  • Information about the targeted investors as well as any information about the distribution channels of the AIF
  • The IFM’s AML/CTF analysis on the assets side

In addition, the CSSF highlighted that if the if the IFM (or any other participant) provides virtual assets services in the meaning of article 1 (20c) of the AML/CTF law, it must submit a complete application file for registration as a virtual asset service provider (VASP) to the CSSF before commencing the activity.

ML/TF risks

The compliance officer in charge of compliance with the professional obligations (RC) and the person responsible for compliance with the professional obligations (RR) possess and can demonstrate an adequate understanding of ML/TF, proliferation financing risks virtual assets pose, and the necessary measures to mitigate those risks. The CSSF refers to the national vertical risk assessment of ML/TF related to VASPs and the FATF guidance for a risk-based approach to virtual assets and VASPs.

Read the full article here.

Taxonomy Regulation: Communication on Regulatory Requirements and Fast-Track Procedure

December 2

On December 2, 2021, the CSSF emphasized the January 1, 2022, deadline for certain updates of UCITS and AIF pre-contractual documents specific to the transparency of environmentally sustainable investments in relation to the environmental objectives of climate change mitigation and adaptation and the use of templates under draft SFDR RTSs for financial market participants that have not yet submitted the required updates to the pre-contractual documents of UCITS and/or AIFs in accordance with articles 5, 6 and 7 of the Taxonomy Regulation. The CSSF has put in place a fast-track procedure to facilitate the submission of the prospectus/issuing document updates.


To benefit from the Taxonomy Regulation fast-track procedure, updates must be limited to those changes required under articles 5, 6 and 7. Under the Taxonomy Regulation fast-track procedure, each updated UCITS prospectus submitted for visa stamp must be accompanied by a confirmation letter available on the CSSF website. For any complete and Taxonomy Regulation–compliant submissions under the Taxonomy Regulation fast-track procedure that the CSSF receives by December 17, 2021, the Luxembourg regulator will endeavour to release the visa stamp before 31 December 2021.


The fast-track procedure for AIFs differs from the UCITS procedure in that no confirmation letter should be attached to the filing. In addition, the CSSF stated the following:

  • For each AIF managed, Luxembourg-based AIFMs (authorized and registered) should submit to the CSSF the specific information required under the SFDR and the Taxonomy
  • Regulation that must be disclosed to investors per article 6(3) of the SFDR and in the disclosures to investors referred to in article 23(1) of Directive 2011/61/EU.
  • Luxembourg-based AIFMs should clearly indicate where said specific information has been disclosed to investors. 
  • The same procedure applies to Luxembourg-based managers registered by the CSSF in accordance with the EU Regulation No. 345/2013 or No. 346/2013.
  • Necessary updates in the prospectus of existing Luxembourg-based European Long-Term Investment Funds will be handled swiftly on a case-by-case basis.

In addition, all financial products not subject to article 8 or 9 of the SFDR, so-called “article 6 SFDR funds,” will require updated pre-contractual documentation before January 1, 2022, to include the prescribed statement of article 7 of the Taxonomy Regulation.

Finally, where sub-funds disclose investing in an economic activity that contributes to an environmental objective of climate change mitigation or adaptation, as set out in articles 9, 10 and 11 of the Taxonomy Regulation, the prospectus must:

  • Inform users of these environmental objective
  • Provide a description of how and to what extent the investment underlying the sub-funds is taxonomy aligned (criteria of article 3 of the Taxonomy Regulation fulfilled)

Read the full article here

CSSF: 2021 Survey Related to the Fight against ML/TF

December 14

On December 14, 2021, the CSSF advised the professionals under supervision that the annual online survey for the year 2021 related to the fight against MF/TF will be launched on February 15, 2022. 

The annual survey is a collection of standardized key information concerning ML/TF risks and the implementation of measure to mitigate them. For the year 2021, the survey covered, among other things, the following items:

  • General information about the IFMs, including the composition of the conduction officers, the compliance function, and the UBO
  • The tasks performed as a designated IFM, such as the fund administration, transfer agency, portfolio management, or risk management
  • The tasks that the IFM performed by delegation, such as fund administration, transfer agency, portfolio management, or marketing
  • Domiciliation services
  • The IFM’s inherent ML/TF risks, including the number of investment fund initiators and the types and number of investment funds under management
  • The existence of branches or subsidiaries within the IFM
  • Ongoing monitoring and cooperation with the authorities
  • The IFM’s ML/TF mitigation effectiveness, including the risk-based approach or the AML training for staff

The 2021 ML/FT survey must be submitted through the CSSF eDesk module between February 15 and April 15, 2021, by either the officer in charge of compliance with professional obligations (RC) or the person responsible for compliance with professional obligations (RR).

Read the full article here.

CSSF: FAQ Concerning the Luxembourg Law of December 17, 2010, Relating to UCITS

December 17

On December 17, 2021, the CSSF published a revised version of its FAQ concerning the Luxembourg law of December 17, 2010, relating to UCITS. The updated FAQ includes a new question regarding special-purpose acquisition companies (SPACs). Investments in SPACs by UCITS are not prohibited as they may constitute eligible investments, provided they qualify at any point of their life cycle, as transferable securities within the meaning of article 1 (34) and article 41 of the 2010 law and article 2 of Regulation 2008, further clarified by the Committee of European Securities Regulators guidelines. 

However, the CSSF stated that UCITS’ investment in SPACs should in principle be limited to a maximum of 10% of a UCITS’ net asset value, provided that such SPAC investments fulfil all applicable eligibility requirements, are appropriately disclosed in the prospectuses, and are captured adequately by the UCITS risk management process.

Read the full article here.

CSSF: Publication of Circulars CSSF 21/788, 21/789 and 21/790 Concerning IFMs and UCIs

December 22

On December 22, 2021, the CSSF published three circulars introducing new reporting obligations for IFMs and UCIs.

Circular 21/788

The circular introduces a new AML/CFT external report for all Luxembourg-based IFMs, including registered AIFMs and all Luxembourg investment funds supervised by the CSSF for AML/CFT purposes. The report must be prepared by the approved statutory auditor applicable the first time as at year end (December 31, 2021).

Circular CSSF 21/789

The circular introduces the following new requirements for all authorized IFMs, self-managed investment companies, and self-managed alternative investment funds, applicable for the first time as at year end (December 31, 2021):

  • Completion of a self-assessment questionnaire (SAQ) annually
  • Annual review of certain questions in the SAQ by the approved statutory auditor and completion of a separate report on that basis
  • A management letter to be prepared annually by the approved statutory auditor of the IFM

Circular CSSF 21/790

The circular introduces the following new requirements for all regulated UCIs (i.e., UCITS, Part II UCI, Specialized Investment Funds, and Investment Companies in Risk Capital), applicable as of the financial year ending June 30, 2022:

  • Completion of an SAQ annually
  • Communication of certain information to the CSSF in case the approved statutory auditor issues a modified audit opinion in the context of the audit work of the regulated UCI
  • Annual review of certain questions in the SAQ by the approved statutory auditor and completion of a separate report on that basis
  • A management letter to be prepared annually by the approved statutory auditor of the regulated UCI

The new reporting and management letter must be submitted to the CSSF via the eDesk platform.

Read the full article here

Financial Services Compliance and Regulation

End-to-end governance, advisory and monitorship solutions to detect, mitigate, drive efficiencies and remediate operational, legal, compliance and regulatory risk.