Banking Regulation 2025

LUXEMBOURG Trends and Developments Contributed by: Baptiste Aubry, Carole Schmidt and Adam Obadia, A&O Shearman

CSSF Regulation No 24-01 relating to the noti - fication of incidents according to the act of 28 May 2019 transposing Directive (EU) 2016/1148, also known as NIS2. This CSSF Regulation clari - fies the incident classification and major incident notification obligations incumbent upon the fol - lowing types of supervised entities: • credit institutions and market infrastructures designated as operators of essential services within the meaning of NIS2; and • support PFS that are also digital service pro - viders within the meaning of NIS2. The clear focus of the CSSF on ICT risk man - agement is also evidenced through the CSSF supervisory practice when carrying out “IT risk” on-site inspections. The CSSF identified defi - ciencies in particular in the following fields: • IT security, especially when managing obso - lete IT systems; • management of logical access and applica - tion of the least privilege principle; • lack of IT risk management processes or of competent IT security control function; • management of IT changes and incidents; • IT governance and monitoring; • management of IT risk by the second line of defence; and • audit work in respect of IT activities. These deficiencies led in some instances to administrative fines of up to EUR444,400 against credit institutions, investment firms or special - ised PFS. For one of these fines, the CSSF also published the name of one of the sanctioned credit institutions. A recent study by Check Point Software Tech - nologies reported an 82% increase in cyberat - tacks against Luxembourg organisations in the

third quarter of 2024, most of them targeting the financial sector, therefore we do not expect the regulatory pressure to reduce in the near future. Use of digital tools for anti-money laundering and counter-terrorism financing (AML/CTF) compliance Digital tools have increasingly been used for AML/CTF compliance, offering considerable effi - ciencies and cost savings. In many fields of the AML/CTF spectrum, from client onboarding to ongoing transaction monitoring and identifica - tion of suspicious activities, digital transforma - tion has significantly enhanced compliance pro - cesses. Given that AML/CTF topics in general attract strict CSSF scrutiny, it is not surprising that the Luxembourg regulator closely oversees this trend. With the development of digital banking, remote client onboarding has significantly expanded, meaning that supervised entities have devel - oped new digital AML and KYC practices, such as the use of video to verify a customer’s iden - tity. The CSSF published FAQs in that respect in 2018 to clarify its expectations for remote client identification methods. While the CSSF has not updated these FAQs since 2018, one may expect that the CSSF oversight practice on this topic shall evolve shortly. Hence, in July 2021, the Financial Action Task Force (FATF) published a report analysing the opportunities and challenges arising from the use of new tech - nologies for AML/CTF compliance purposes. In the same vein, the European Banking Authority published guidelines on the use of remote cus - tomer onboarding solutions in November 2022, providing detailed guidance on the use of inno - vative technologies for the remote identification of clients. Although these guidelines have not yet been formally implemented in Luxembourg, the CSSF recognised that it intends to comply with

342 CHAMBERS.COM

Powered by