LUXEMBOURG Law and Practice Contributed by: Andreas Heinzmann, Valerio Scollo and Angela Permunian, GSK Stockmann
12. Fraud 12.1 Elements of Fraud
prepare and submit recovery and redemption plans to the CSSF. Recently, Alipay (Europe) Limited SA has been author - ised by the CSSF to issue e‑money tokens under MiCA, namely a euro-backed stablecoin, providing EU‑wide passporting of EMT activities. The authors also note a trend in using Luxembourg securitisation structures in the context of issuance of stablecoins denominated in currencies of emerging markets. The main regulation governing open banking, PSD2, has been transposed into Luxembourg law by the Law of 20 July 2018 amending the Payment Services Law. PSD2 enables customers to share their data securely via application programming interfaces with banks and third parties. Although PSD2 has significantly impacted the pay - ment sector in the EU, it can be argued that so far open banking in Europe has not fully lived up to its expectations. Some technical issues faced by third- party providers due to PSD2 rules have required fur - ther fine-tuning to the legal framework, which has, for example, required the EBA to extend the frequency of customer re-authentication from 90 days to 180 days. However, once the PSD3/PSR package is adopted, PSD2 will be partially updated and replaced, further reducing re-authentication frequency. 11.2 Concerns Raised by Open Banking Concerns raised by open banking include risks relat - ing to data protection and security breaches. Both topics are highly regulated by the EU, as the GDPR also applies to open banking, and financial sector regulation, including PSD2 and DORA, has applied from January 2025 and includes strict requirements to increase cybersecurity and the resilience of ICT infra - structures. So far, there have not been any significant enforcement actions by the competent authorities in Luxembourg relating to open banking. 11. Open Banking 11.1 Regulation of Open Banking
There are no specific elements relating to fraud in financial services. The general definition of fraud under the Luxembourg Criminal Code applies, which requires the employment of fraudulent manoeuvres or abuse of trust or credulity. The CSSF has highlighted the main elements to detect suspicious providers, including unsolicited contact, offers of high profits or returns, tight deadlines, trial investments, and unclear identification of contracting parties, among other sus - picious manoeuvres. 12.2 Areas of Regulatory Focus The CSSF provides recommendations and warnings in order to detect and report fraudulent activities. In particular, the CSSF is mostly vigilant with respect to falsification of websites of supervised entities, identity theft and cold calling. 12.3 Responsibility for Losses Fintech service providers are governed by the Payment Service Law, according to which they are responsible for customer losses in cases of unauthorised transac - tions and are obliged to refund the customer. In accordance with MiCA, CASPs are responsible to their clients for any losses resulting from incidents related to ICT, including cyber-attacks, theft or any system failures, as well as for any loss of crypto- assets resulting from providing custody and admin - istration services. Moreover, the CSSF has the power to impose administrative penalties and other admin - istrative sanctions (see 2.10 Significant Enforcement Actions ).
528 CHAMBERS.COM
Powered by FlippingBook