Banking Regulation 2025

Last Updated November 01, 2024

Luxembourg

Trends and Developments


Authors



A&O Shearman provides strategic advice on the full spectrum of domestic and cross-border matters, acting as the trusted adviser to businesses on their transactions and projects involving Luxembourg. The firm advises leading banks and financial institutions; global asset management firms and funds; private equity houses; insurance and reinsurance companies; corporates across various sectors; government bodies; and public entities. Clients know they can count on the firm for coverage of every relevant area of the law, including banking and finance; capital markets; financial services regulatory; corporate and M&A; funds and asset management; tax; employment and benefits; IP; data and tech; real estate and construction; insurance and reinsurance; restructuring and insolvency; and litigation and investigations. The firm’s excellence is reflected in its top-tier teams and partners, and in its fintech taskforce, which is one of the most international and experienced of any global law firm in Luxembourg, with deep sector knowledge and experience.

Digital Transformation of the Luxembourg Financial Sector: Enhanced Scrutiny by the Luxembourg Regulator

Over the years, financial institutions have been increasing their reliance on digital solutions to enhance efficiency, streamline services, and maintain a competitive edge. This trend has accelerated with the advent of disruptive technologies such as artificial intelligence (AI), blockchain, and big data analytics. Financial institutions leverage these technologies to automate processes, offer 24/7 banking services, and innovate in areas like robo-advisory and digital payment transactions. However, digitalisation of services also exposes financial institutions to new risks that must be adequately identified, mitigated, and managed, particularly in areas like cybersecurity and operational resilience.

Building upon new legislative developments and faced with a 64% increase in ransomware attacks in the financial sector in 2023, the Luxembourg regulator of the financial sector, the Commission de Surveillance du Secteur Financier (CSSF), has heightened its expectations for entities under its supervision over the past two years.

This article identifies certain key points of attention of the CSSF in this field, to which supervised entities of the banking sector in the broad sense of that term should pay particular attention in order to ensure that their governance arrangements, policies, and procedures are aligned with the regulator’s expectations. We also provide an insight into the CSSF’s support of innovation in the financial sector as well as expected developments in that field.

Key Points of Attention of the CSSF

Overall management of ICT risk and ensuring digital resilience

With the increased digitalisation of the financial sector, the sector is more exposed to cyber threats and risk of ICT disruptions. Conscious of this risk, the CSSF quickly issued CSSF circular 20/750 in August 2020 by which it endorsed the EBA guidelines on ICT and security risk management. This circular was amended in December 2022 to include additional requirements for payment service providers to assess ICT and security risks related to the payment services they provide.

Given the critical importance of ICT for the proper provision of financial services nowadays, the EU legislature decided to go a step further in the harmonisation process for digital operational resilience across the EU, leading to the adoption of the Digital Operational Resilience Act (DORA) on 14 December 2022. DORA provides for a set of rules on ICT governance and risk management, reporting of ICT-related incidents, testing of digital operational resilience, management of risks associated with ICT third-party service providers and sharing of information with peers.

While DORA will become applicable from 17 January 2025, the CSSF has anticipated the upcoming requirements by issuing CSSF Circular 24/847 one year ahead of the DORA implementation deadline. This CSSF Circular defines a harmonised ICT-related incident reporting framework largely aligned with the DORA requirements but applicable from 1 April 2024. Furthermore, this framework applies not only to supervised entities that will be in the scope of DORA but also to other types of entities supervised by the CSSF, such as specialised and support professionals of the financial sector (PFS). In parallel, the CSSF issued, on 5 January 2024, CSSF Regulation No 24-01 relating to the notification of incidents according to the act of 28 May 2019 transposing Directive (EU) 2016/1148, also known as NIS2. This CSSF Regulation clarifies the incident classification and major incident notification obligations incumbent upon the following types of supervised entities:

  • credit institutions and market infrastructures designated as operators of essential services within the meaning of NIS2; and
  • support PFS that are also digital service providers within the meaning of NIS2.

The clear focus of the CSSF on ICT risk management is also evidenced through the CSSF supervisory practice when carrying out “IT risk” on-site inspections. The CSSF identified deficiencies in particular in the following fields:

  • IT security, especially when managing obsolete IT systems;
  • management of logical access and application of the least privilege principle;
  • lack of IT risk management processes or of competent IT security control function;
  • management of IT changes and incidents;
  • IT governance and monitoring;
  • management of IT risk by the second line of defence; and
  • audit work in respect of IT activities.

These deficiencies led in some instances to administrative fines of up to EUR444,400 against credit institutions, investment firms or specialised PFS. For one of these fines, the CSSF also published the name of the sanctioned credit institution.

A recent study by Check Point Software Technologies reported an 82% increase in cyberattacks against Luxembourg organisations in the third quarter of 2024, most of them targeting the financial sector; we therefore do not expect the regulatory pressure to ease in the near future.

Use of digital tools for anti-money laundering and counter-terrorism financing (AML/CTF) compliance

Digital tools have increasingly been used for AML/CTF compliance, offering considerable efficiencies and cost savings. In many fields of the AML/CTF spectrum, from client onboarding to ongoing transaction monitoring and identification of suspicious activities, digital transformation has significantly enhanced compliance processes. Given that AML/CTF topics in general attract strict CSSF scrutiny, it is not surprising that the Luxembourg regulator closely oversees this trend.

With the development of digital banking, remote client onboarding has significantly expanded, meaning that supervised entities have developed new digital AML and KYC practices, such as the use of video to verify a customer’s identity. The CSSF published FAQs in that respect in 2018 to clarify its expectations for remote client identification methods. While the CSSF has not updated these FAQs since 2018, one may expect that the CSSF oversight practice on this topic will evolve shortly. Indeed, in July 2021, the Financial Action Task Force (FATF) published a report analysing the opportunities and challenges arising from the use of new technologies for AML/CTF compliance purposes. In the same vein, the European Banking Authority published guidelines on the use of remote customer onboarding solutions in November 2022, providing detailed guidance on the use of innovative technologies for the remote identification of clients. Although these guidelines have not yet been formally implemented in Luxembourg, the CSSF has indicated that it intends to comply with them, which was further confirmed in the annual report for 2023.

Digital transformation is also key to supporting ongoing transaction monitoring and identification of suspicious activities. In its white paper “Artificial Intelligence - Opportunities, risks and recommendations for the financial sector” of December 2018, the CSSF noted that AI had already been successfully used to assist with AML/CTF compliance tasks, enabling more efficient KYC checks and facilitating real-time fraud detection, among other things. The increasing reliance on AI tools by supervised entities for that purpose has been confirmed more recently in May 2023 in the report on “Thematic review on the use of Artificial Intelligence in the Luxembourg Financial sector”. Despite these advancements, the CSSF has emphasised the importance of maintaining a balance between automation and human oversight, as completely relying on algorithms could introduce errors or biases.

Risks associated with the reliance on third-party service providers

Digitalisation often necessitates the use of third-party service providers. Following the issuance of the last EBA guidelines on outsourcing arrangements, the CSSF decided to overhaul the Luxembourg outsourcing regime with the issuance of a new CSSF Circular 22/806 on outsourcing arrangements. Interestingly, the scope of application of the Luxembourg outsourcing regime is not limited to credit institutions, investment firms and payment institutions, but also extends to investment funds and their managers as well as specialised and support professionals in the financial sector (PFS). It therefore goes beyond the scope of application of the EBA guidelines, evidencing the willingness of the CSSF to ensure a harmonisation of the rules applicable in that respect for all entities under its supervision.

CSSF Circular 22/806 provides rules applicable to any type of outsourcing arrangement, as well as specific rules in its part II for information and communication technology (ICT) outsourcing arrangements, which aim at addressing the risks associated with the increased use of external service providers. Considering these new specific rules as well as the specific form issued by the CSSF on 17 February 2023 for financial institutions to notify critical or important ICT outsourcing arrangements, one of the key points of focus for the regulator is data governance and the protection of data used in the context of ICT outsourcing arrangements. To that effect, the CSSF expects, among other things, that supervised entities ensure strong data encryption, implement secure data handling practices and adequately monitor their service providers to avoid data breaches (including through regular audits).

The CSSF’s focus on third-party service provider risks is also evidenced through the CSSF supervisory practice. As part of its “corporate governance” on-site inspections, the CSSF also reviews the proper governance of outsourced activities and functions. Common deficiencies identified during the regulator’s inspections in 2022 and 2023 pertain to:

  • prior identification of risks associated with outsourced activities and external services providers and, subsequently, lack of review of the risk assessments;
  • assessment of the criticality of the outsourcing;
  • reporting of information to the management bodies;
  • adequate supervision of outsourced activities and functions; and
  • dealing with the continuity of outsourced services in internal arrangements.

Outsourcing arrangements are also a point of scrutiny in the context of IT on-site inspections, with deficiencies being identified in 2022 and 2023 in respect of criticality assessment of the outsourcing, applicable contractual arrangements (in particular, intra-group ones) and operational monitoring.

As already announced in its annual report for 2023, the CSSF expectations and practices regarding ICT outsourcing are likely to further evolve in the course of 2025 following the entry into force of DORA, and the CSSF Circular 22/806 is likely to be amended accordingly. It should be noted that the delayed implementation of the EBA guidelines enabled the CSSF to align certain requirements of the 22/806 with the discussions held at the time regarding DORA. However, at this stage, we are not aware of the extent of the modifications that the CSSF expects to introduce.

CSSF Supportive Approach to Innovation

To balance regulatory oversight with the need to support innovation in the financial sector, and in line with the recommendations of the European Supervisory Authorities, the CSSF has set up an Innovation Hub whose mission is to support the use, development and implementation of innovative technologies in the financial sector. It provides guidance, resources, and a platform for collaboration between financial institutions, fintech companies and relevant CSSF teams. This allows financial institutions and fintech companies to test new digital products within a supervised environment, encouraging innovation while ensuring compliance with relevant regulatory requirements. Thus, in the case of a concrete project involving financial innovation, a first meeting will be organised with the CSSF Innovation Hub and the appropriate internal experts to assess whether a licence or registration is needed and to facilitate discussion between the CSSF and the applicant on regulatory expectations. The hub allows for the testing of new products under the supervision of the CSSF, ensuring that they meet regulatory standards; it helps identify and mitigate potential risks before products are fully launched in the market; and it provides valuable feedback to both the applicant and the regulators, facilitating a better understanding of new technologies and their implications.

Considering the last two CSSF annual reports, this Innovation Hub has been particularly active in the following fields:

  • implementation of DORA;
  • monitoring of AI developments;
  • assessment of RegTech solutions; and
  • development of activities related to crypto-assets.

Expected Developments

As digitalisation progresses, Luxembourg actors in the financial sector are exploring advanced applications in new technologies such as AI or crypto-assets. While promising, these technologies and new types of assets also generate new risks. The CSSF is therefore expected to release specific guidance in these areas.

Furthermore, new EU legislative developments in the financial sector with digital impacts are forthcoming, meaning the CSSF, in its capacity as the competent authority, will become increasingly involved in digital topics.

Managing and identifying the risks associated with the use of AI and machine learning (ML)

In late 2021, the CSSF and the BCL launched a survey to better assess how certain innovative technologies have been adopted by actors of the Luxembourg financial sector. The main findings of this survey were published in a report “Thematic review on the use of Artificial Intelligence in the Luxembourg Financial sector” issued in May 2023.

While the survey evidenced that the adoption of AI was at an early stage in the Luxembourg financial sector, the CSSF and the BCL expected an increased use of AI and ML in the short term. Therefore, although acknowledging the benefits of these new technologies (among others, and as already stated above, for AML/CTF compliance), they already anticipated that new challenges and risks would have to be addressed by regulators. Interestingly, some of these risks were already specifically identified in the preface of the regulator’s annual report for 2023: “data quality risks, the risk of bias, misinformation, hallucination, operational and cyber risks, market manipulation risks (including through social media), and threats to data protection”.

However, pending formal adoption of the proposal for an EU Artificial Intelligence Act, the CSSF decided not to issue any new local guidance and invited supervised entities to continue referring to the recommendations included in its white paper of 21 December 2018 “Artificial Intelligence: Opportunities, risks and recommendations for the financial sector”. The CSSF nonetheless stressed that it would continue monitoring developments in this field, which it did through meetings with selected entities over the course of 2023 and the launch of a new survey regarding the usage of artificial intelligence on 19 June 2024. While the results of this new survey are not yet public, the CSSF has already announced that it will start defining its supervisory approach in this field from 2024, now that Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence has been adopted, and that particular attention will be paid to generative AI. Further guidance can therefore be expected from the CSSF in this field. The regulator has already given an indication of what its key points of attention could be by stating that “governance, human oversight and explainability” should be ensured by supervised entities relying upon AI solutions.

Monitoring the implementation of the new EU framework for crypto-assets

Under the current Luxembourg legal framework, virtual asset service providers are subject to a registration regime under the amended act of 12 November 2004 on the combat against money laundering and terrorist financing. On 17 August 2023, the CSSF published a series of FAQs specifying the key features of this national registration regime.

This regime will evolve since an EU-harmonised regime for crypto-assets has now been enacted at EU level pursuant to Regulation (EU) 2023/1114 on markets in crypto-assets, the so-called MiCAR. While a phased approach has been adopted under MiCAR regarding the application of the new authorisation and regulatory supervision framework for crypto-asset issuers and crypto-asset service providers, the CSSF has adopted a proactive approach by regularly publishing communications from July 2023 to ensure that actors of the financial sector willing to engage in crypto-asset activities are aware of their new obligations under MiCAR and do not miss the relevant timelines. As the remaining provisions of MiCAR become applicable from 30 December 2024, and with a draft bill of law currently being discussed before the Luxembourg Parliament to designate the CSSF as the competent authority for MiCAR compliance, the CSSF’s supervisory approach in this field will likely evolve in the coming months.

EU legislative initiatives in the financial sector

Several EU proposals impacting the financial sector are currently under discussion at the EU level. Notably, the new EU payments package and the Financial Data Access Act will introduce new obligations applicable to payment service providers regarding third-party access to client payment data and a new regime for third-party access to client financial data (other than payments data) respectively. In very simplified terms, both sets of rules require secure communication channels between actors of the financial sector and third parties, as well as a permission dashboard for clients to monitor and manage third-party access to their data. In this case, digitalisation will be mandated by regulatory requirements rather than chosen by supervised entities.

Given the risks associated with increased exchanges of client data between actors of the financial sector (in particular, potential data breaches or leakages), the proper implementation of these new obligations will undoubtedly attract the regulator’s attention.

Conclusion

The digitalisation of Luxembourg’s banking sector offers transformative opportunities, from streamlined processes to enhanced customer experiences. However, this shift also brings complex legal and regulatory implications and increased exposure to cyberattack risks for supervised entities. The CSSF plays a critical role in guiding supervised entities through this transformation, using tools like the financial innovation hub and close supervision to foster innovation while mitigating risks.

As digital transformation continues, Luxembourg’s legal framework must evolve in tandem, balancing innovation with appropriate safeguards to ensure clients’ protection and the stability of the financial sector. The regulatory guidance and insights provided by the CSSF will be essential for Luxembourg-supervised entities as they navigate the challenges and opportunities of a digital future. By adhering to the regulator’s expectations, the Luxembourg financial sector can thrive in the digital age, bolstering its position as a secure and innovative financial hub within the EU.

A&O Shearman

5 Avenue John F Kennedy
L-1855
Luxembourg

+352 44 44 55 1

infoluxembourg@allenovery.com www.aoshearman.com