Contributed By GSK Stockmann SA
Luxembourg is a major European banking and wealth management centre. As a recognised EU hub for fintech companies, banks, asset managers and insurance companies, Luxembourg has a highly developed financial services ecosystem. Since 2007, when the fintech pioneer PayPal received a full banking licence in Luxembourg, Luxembourg has seen robust growth over the past few years and has now become a home for over 200 fintechs.
In particular, Brexit has led to an increase in fintech activities in Luxembourg. As UK-based companies are no longer able to passport their activities within the EU, many operators have chosen to relocate or expand their operations in Luxembourg in order to access the European market and benefit from EU passport authorisation.
The fintech market in Luxembourg has been impacted by other recent global trends, including the COVID-19 pandemic, the war in Ukraine, macroeconomic trends and the focus on sustainability.
Impact of Legislative Developments
Luxembourg's economy heavily relies on financial services, which account for around a quarter of the country's economic activity. As a result, developing effective financial regulations is a key policy concern for the Luxembourg legislature. The legislature has demonstrated a positive attitude towards digital innovation, leading to recent legislative initiatives relating to the use of digital technology in the financial sector.
For example, a law enabling the issuance of dematerialised securities using distributed ledger technologies (DLT) was adopted in 2021 (see 12.4 Regulation of “Issuers” of Blockchain Assets), and has been followed by a new law approved in March 2023 that explicitly allows for the use of such securities as financial collateral.
At the EU level, the European legislature has made efforts to regulate various aspects of fintech. To ensure consistency and clarity in the regulatory framework across Europe, the European Commission introduced the Digital Finance Package in September 2020. This package includes several regulations, three of which have already been adopted: a pilot regime for market infrastructures based on DLT (see 2.5 Regulatory Sandbox), a regulation focused on digital operational resilience (see 2.10 Implications of Additional, Non-financial Services Regulations) and a regulation on markets in crypto-assets (see 12 Blockchain).
Upcoming Changes in EU Legislation
As further elaborated in this chapter, many topics relating to virtual assets and other recently developed technologies used in the financial sector had not been explicitly covered by the traditional financial services regulation. Further legislative changes are still expected to be adopted. In the context of the Digital Finance Package, a legislative proposal has been announced by the European Commission for a new open finance framework (see 13.1 Regulation of Open Banking). Further, the EU Regulation on artificial intelligence (AI Act) is expected to be approved in the upcoming months following a landmark agreement between the European Commission, European Parliament and Council which will provide clarity, inter alia, on AI applications in finance.
Although virtual assets have already been covered by the most recent EU anti-money laundering directive (see 12.3 Classification of Blockchain Assets), a proposal for a new anti-money laundering (AML) directive was introduced by the European Commission in 2021 and is currently being debated by the European legislature. One of the aims of this directive is to align the scope of AML rules with the activities covered by MiCA and notably exchanges of one crypto-asset for another. The proposal also includes an obligation for all crypto-asset service providers involved in crypto-asset transfers to collect and make accessible data on the originators and beneficiaries of the transfers they operate.
Lastly, the fintech market may also be impacted by the proposed updates of several regulations and directives impacting the financial sector, including the revision of the MiFID II/MiFIR framework and AIFMD.
There are a variety of different types of fintech companies in Luxembourg, including payments, big data and AI, insurtech, cybersecurity and authentication, fundtech, regtech, lending and blockchain. Especially in the e-payment and e-commerce sectors, Luxembourg is the home to leading industry players such as Amazon, PayPal, Airbnb and Rakuten, which are licensed and supervised by the CSSF as banks, payment service institutions, e-money institutions or virtual asset service providers, as the case may be.
Furthermore, a significant number of fintech companies in Luxembourg provide services for the compliance and regulatory needs of the financial sector. These services range from know-your-customer obligations, data management and fraud detection to fund reporting, digital investment services and investor information tools. Luxembourg-based fintechs, such as FundsDLT and Tokeny, are also active in the development of blockchain-based market infrastructures.
While traditional players in the financial industry, including banks and insurance companies, were initially viewed as competitors to fintech companies, today there is a notable shift towards collaboration between these entities in the Luxembourg banking sector. Fintechs working with legacy players offer a wide variety of services, including data analytics, asset management and open banking. By way of example, following EU legislative developments on payment services, several Luxembourg retail banks formed the fintech company LUXHUB in 2018, an entity which has since become a leading European open banking platform.
The regulatory regime applicable to fintech players depends on the business model and activities of the company. The following outlines the main legislation applicable to typical fintech activities provided by entities incorporated in Luxembourg; however, applicable regulations should be assessed on a case-by-case basis.
Payment and electronic money institutions: entities providing payment or electronic money services are subject to the Law of 10 November 2009 on payment services, as amended (the Payment Services Law), and accordingly are subject to authorisation by the Financial Sector Supervisory Commission (Commission de Surveillance du Secteur Financier or CSSF).
Most of the aforementioned legislation is accompanied by several technical standards, regulations, circulars and guidance issued by the competent authorities, which should also be considered. In addition, each of the activities above may be subject to, among others, anti-money laundering regulations (see 2.13 Impact of AML Rules) and data protection regulations (see 2.10 Implications of Additional, Non-financial Services Regulations).
The compensation models that industry participants are allowed to use to charge customers vary mainly depending on the service provided by the fintech entity and the relevant customer type. Disclosure obligations relating to fees vary depending on the same factors. Typically, regulated entities, such as investment firms, are subject to certain precontractual obligations, which include the obligation to disclose costs charged by the service provider.
As a general rule, there is no difference between the regulation of fintech companies and legacy players, as long as the services they provide fall under the scope of regulated activities. However, given the size and business model of fintech companies, certain rules applicable to legacy players would typically not apply to fintech companies. In addition, in some cases the applicable regulations depend directly on the scale of the business, for example the EU crowdfunding regulation provides certain regulatory exemptions as long as the yearly funding remains under the threshold of EUR5 million.
There is currently no general regulatory sandbox regime in Luxembourg applicable to all fintechs. However, the adoption of Regulation (EU) 2022/858 has introduced a pilot regime for market infrastructures based on DLT (the DLT Pilot Regime), which is fully applicable from March 2023. The DLT Pilot Regime provides a temporary exemption from certain regulatory requirements for eligible firms for the development of market infrastructures used for the trading or settlement of financial instruments that are issued, recorded, transferred and stored using DLT.
In addition, the CSSF has established an innovation hub that seeks to foster an open and constructive dialogue with the fintech industry. This initiative is intended to facilitate the realisation of financial innovation projects, among other things. The innovation hub is a single point of contact for any person who wishes to present an innovative project or exchange views on challenges facing financial innovation in Luxembourg.
Fintech companies may be supervised by several regulators in Luxembourg, of which the following are the most relevant.
The CSSF
The CSSF is the competent authority of the prudential supervision of credit institutions, professionals of the financial sector, alternative investment fund managers, undertakings for collective investment, authorised securitisation undertakings, regulated markets, payment institutions, electronic money institutions and other entities operating in the financial sector. In addition, the CSSF is also the competent authority to ensure that such supervised entities comply with the laws protecting financial consumers and with anti-money laundering laws.
The CAA
The CAA is the competent supervisory authority for the insurance sector in Luxembourg, which includes mainly insurance undertakings, reinsurance undertakings, certain pension funds, insurance professionals and insurance intermediaries.
The CNDP
The National Commission for Data Protection (Commission Nationale pour la Protection des Données or CNDP) is the national authority that verifies the legality of the processing of personal data and ensures the respect of personal freedoms and fundamental rights with regard to data protection and privacy. The CNDP is the supervisory authority for Regulation (EU) 2016/679 on data protection (GDPR).
European Regulators
In addition to national regulators, technical guidelines issued by the European Banking Authority (EBA), the European Securities Market Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) apply in Luxembourg. Significant credit institutions incorporated in Luxembourg are directly supervised by the European Central Bank (ECB).
Authorised financial institutions may outsource their activities subject to certain restrictions. Most importantly, strategic or core functions cannot be outsourced and the institution needs to retain the necessary expertise to efficiently monitor such services and to manage the associated risks.
Outsourcing must comply with the detailed guidance outlined in the updated CSSF Circular 22/806 published in April 2022, which implements into one circular the EBA Guidelines on outsourcing and previous CSSF circulars relating to outsourcing requirements. In addition, banks should take into consideration specific requirements set out in the CSSF Circular 15/552, as amended.
Due to the need to ensure the continuity of outsourced activities, certain provisions must be included in the relevant written contracts. Among others, outsourcing agreements must set out specific clauses relating to termination and the right of the entity to monitor the service provider’s performance on an ongoing basis. In addition, specific contractual clauses are required in case an outsourced IT activity relies on a cloud computing infrastructure.
Rules applicable to outsourcing may also vary depending on whether or not the service provider is a supervised entity. For example, rules relating to the obligation of professional secrecy in outsourcing depend on whether the service provider is established in Luxembourg and supervised by the CSSF, the ECB or the CAA. It is anticipated that the current rules will be modified to align with Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA).
The extent to which fintech providers may be deemed to be “gatekeepers” depends on the business model of the company. In general, fintech entities may be deemed liable for activities on their platform in relation to anti-money laundering obligations if the activities are within the scope of the AML Law. In addition, gatekeeper liability may come into question if the fintech entity is involved in a transaction that falls under the scope of Directive (EU) 2018/822 on mandatory automatic exchange of information (DAC 6) as a reportable cross-border transaction.
The CSSF as the supervisory authority has broad powers to impose sanctions on entities subject to its supervision. For example, in the area of anti-money laundering and counter-terrorism financing (AML/CTF) supervision, the CSSF has the authority to issue warnings, reprimands, administrative fines and professional disqualification, and these sanctions may be made public.
With regard to administrative fines, the CSSF has recently mainly imposed fines regarding failures to comply with anti-money laundering and financial market rules. Although significant fines are rare, in 2020 the CSSF imposed a fine of EUR4.6 million on a Luxembourg bank due to non-compliance with the applicable AML/CTF legislation. The amount of the fine is proportional to the turnover of the bank.
In addition to imposing administrative fines, the CSSF may also report cases to the prosecutor’s office regarding investment firms which claim to be established in Luxembourg and offer investment services without authorisation. These reports have become more frequent in recent years, and the rise in these cases can be mainly attributed to the emergence of fake websites meant to mislead investors.
In addition to enforcement actions by the CSSF, fintech companies may be subject to enforcement actions by the CNDP for non-compliance with the applicable data protection rules.
Data Protection and Privacy
The GDPR together with the Luxembourg Law of 1 August 2018 regulate the processing of personal data, and such rules apply regardless of the industry sector or whether the relevant entity is a legacy player or a newly established start-up. In addition to the general rules governing the processing of personal data, the rules relating to privacy by design and privacy by default as well as automated decision-making and profiling may be relevant for fintech companies.
Cybersecurity
Management of risks relating to information and communication technologies (ICT) is an essential part of the necessary risk management by financial institutions. The CSSF has recently implemented the guidelines adopted by the EBA on ICT and security risk management, which need to be complied with by all entities authorised under the Financial Sector Law and the Payment Services Law in order for such entities to manage their ICT and security risks.
In addition, specific requirements apply to entities considered operators of essential services in accordance with Directive (EU) 2016/1148, as transposed into national legislation by the Law of 28 May 2019. Certain entities of the financial sector, such as banks, may need to take specific measures to manage security risks, in case their services are deemed by the CSSF to be essential to the maintenance of critical economic activities, dependent on networks and information systems, and on which an incident would have a significant disruptive effect.
Further legislative changes have been recently adopted in the field of cybersecurity. Following the adoption of DORA, all entities in scope must ensure that they can withstand ICT-related disruptions and threats. In particular, fintechs may need to adhere to strict standards to prevent and limit the impact of ICT-related incidents. DORA also provides an oversight framework on service providers (such as Big Tech) which provide cloud computing to financial institutions.
The activities of financial sector participants are mainly reviewed by the regulators; however, auditors are typically appointed by industry participants to review their business activities. Furthermore, certain regulated entities, eg, banks, must set up internal risk control, compliance and internal audit functions.
In principle, there is no general prohibition for regulated entities to combine regulated and unregulated products. However, in certain cases the regulator must be notified of such activities, and may then assess the compatibility of these services and products in more detail. For example, in the case of services and products related to virtual assets, the CSSF has recently published FAQs outlining its position on the possibility of banks opening virtual asset accounts. According to the CSSF, banks may open accounts, similar to securities accounts, that allow customers to deposit virtual assets; however, they cannot open virtual asset bank accounts (eg, current accounts).
In accordance with the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended, (the AML Law), which transposes, among others, Directive (EU) 2015/849 into national law, fintech companies that qualify as professionals under the AML Law are required to comply with several professional obligations. The AML Law applies eg, to banks, financial institutions, virtual asset service providers, payment institutions and electronic money institutions.
In particular, these entities are required to comply with customer due diligence obligations, adequate internal management requirements and co-operation requirements with the authorities. The CSSF is required to ensure that all the persons subject to its supervision, authorisation or registration comply with the professional AML/CTF obligations and implement a risk-based approach in order to allocate appropriate resources and means to those products and customers that represent higher risks of money laundering and terrorist financing. Accordingly, the CSSF has broad sanctioning powers (see 2.9 Significant Enforcement Actions).
While there are no regulatory requirements in Luxembourg tailored specifically for services provided by robo-advisers, providing digital or automated services is subject to the same regulatory requirements as non-automated financial advisers. Depending on the business model of the robo-adviser, specific licences will be required in accordance with the Financial Sector Law, which implements the relevant provisions of MiFID II into national law.
For example, if automated technology is used to provide personal recommendations to a client in respect of transactions relating to financial instruments, such service provider will need to be authorised by the CSSF as an investment adviser, or, if services provided by a robo-adviser qualify as management of portfolios in accordance with the client’s mandates on a discretionary client-by-client basis, the service provider will need to be authorised as a private portfolio manager.
In some cases, legacy players are implementing solutions introduced by robo-advisers. The Luxembourg bank Banque et Caisse d’Epargne de l’Etat (BCEE) was the first retail bank in Luxembourg to launch a robo-adviser service called SpeedInvest in 2017, which helps allocate investments into certain funds. Since then, other banks have also introduced investment services based on automated tools.
The same rules apply to robo-advisers and traditional advisers (see 7.7 Issues Relating to Best Execution of Customer Trades).
With regard to regulation on online lenders, the main difference relates to whether the borrower is a consumer or not. Luxembourg legislation on lending in a professional or commercial context does not in principle separate different categories of legal entities based on eg, the size of the business or the sector in which the borrower operates.
Loans to Consumers
Specific mandatory rules apply to credit agreements between a consumer and a lender acting in the context of any business activity. Lenders providing consumer credit need to be licensed either by the CSSF or in accordance with the Law of 2 September 2011 relating to the establishment of certain businesses and business licences. According to the Luxembourg Consumer Code, provisions on consumer credit apply to agreements under which the creditor grants consumer credit in the form of a deferred payment, loan or other similar financial accommodation, if, among others, the total amount of the credit is between EUR200 and EUR75,000. Specific obligations apply to the contractual relationship, which relate namely to the precontractual information, assessment of the consumer’s creditworthiness, content of the agreement, right of withdrawal and right of early repayment of the credit. In addition, similar obligations apply to mortgage credit agreements – ie, agreements where a creditor grants a credit to a borrower in view of the acquisition of a residential immovable property.
Loans in a Professional Context
The legal framework applicable to non-consumer loans includes fewer mandatory provisions, as general principles of contract law apply to the loan agreements. However, providing lending activities even in a professional context is in principle a regulated activity. According to the Financial Sector Law, professionals performing lending operations – ie, professionals engaging in the business of granting loans to the public for their own account – are subject to authorisation by the CSSF.
The underwriting process used by industry participants typically varies depending on the type of borrower and the type of credit. Specific regulatory requirements apply, namely in relation to AML/CTF obligations and consumer protection.
Obligations Relating to AML/CTF
All professionals operating in the financial sector typically need to comply with obligations relating to AML/CTF (see 2.13 Impact of AML Rules). In particular, the AML Law requires professionals to establish a customer acceptance policy adapted to their activities and to apply customer due diligence measures when establishing a business relationship. These KYC obligations include identifying the customer’s and the customer’s ultimate beneficial owner’s identities and verifying these based on information obtained from reliable and independent sources. In certain circumstances, the identification/verification of a natural person’s identity may be conducted through an online video conference.
Specific Obligations Relating to Consumer Lending
If a loan is qualified as a consumer credit agreement (see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities), the lender must adhere to certain precontractual obligations. Prior to entering into a consumer credit agreement, the lender must provide the consumer with the necessary information to compare the different consumer credit proposals in order to make an informed decision, which is provided by using a standard European consumer credit information form. In addition, the lender must assess the consumer’s creditworthiness on the basis of sufficient information. For this assessment, the consumer must provide all necessary information, including current financial commitments and income. Lastly, consumer credit agreements must be drawn up on paper or other durable medium, and each party must be provided with a signed copy of the agreement.
Loans may be funded from a variety of different sources, and depending on the source of funds, different licensing requirements apply. Only entities authorised as credit institutions may receive deposits or other receivables from the public and grant credits for their own account. Other alternative sources of funds for loans include securitisation and crowdfunding.
Securitisation
Luxembourg is one of the leading European centres for securitisation with a comprehensive and market-friendly legal framework. Although securitisation vehicles are exempt from the requirement to be authorised as professionals performing lending operations, authorisation by the CSSF is required if the securitisation vehicle funds its activities by issuing financial instruments to the public on a continuous basis.
Crowdfunding
Loans funded through lending-based crowdfunding platforms benefit from the newly established legal framework. The EU Crowdfunding Regulation, which has been applicable since 10 November 2021, provides a harmonised EU framework for crowdfunding services provided to non-consumer project owners relating to offers for an amount of up to EUR5 million calculated over a period of 12 months per project owner. The provision of crowdfunding services is subject to a licence and prudential supervision by the CSSF.
Syndication of online loans provided by fintech companies is currently not market practice in Luxembourg. Loan syndication is typically used to finance larger-scale projects such as company takeovers, property projects or significant investment projects. These extensive and complex financings typically involve legacy players.
Payment processors can either use existing payment rails or alternatively create their own payment rails. However, in the latter case specific licensing requirements apply.
Luxembourg is part of the single euro payments area (SEPA), which aims to create a single euro payments area in which all scriptural payments are considered as domestic – ie, without any distinction between national and cross-border payments. With regard to large-value transactions, these are currently processed through the T2 system, which settles cross-border payments in euro in real time.
Luxembourg investment funds can be structured as undertakings for collective investments in transferable securities (UCITS) or as other types of undertakings for collective investments, namely alternative investment funds (AIF). Different regulations apply to fund administrators depending on the type and structure of the fund they manage. For example, the administration of a UCITS is regulated by the Luxembourg Law of 17 December 2010 on undertakings for collective investment (the UCI Law), while the management of an AIF is regulated by the Luxembourg Law of 12 July 2013 on alternative investment fund managers (the AIFM Law), transposing the alternative investment fund managers Directive 2011/61/EU (AIFMD) into national law.
Administrators of UCITS and AIF are regulated and typically subject to licence by and supervision of the CSSF, or other EU regulators in accordance with the relevant passporting regimes and other requirements depending on the type of fund. Certain exemptions may apply for alternative investment fund managers which benefit from an exemption under the AIFMD, for example in case of smaller assets under management.
In addition to the management activities, certain administrative services (eg, accounting, bookkeeping) can be delegated to an entity licensed as a support professional of the financial sector (support PFS) in accordance with the Financial Sector Law. Administrative services qualifying as depositary services must be performed by a depositary, typically a bank, regulated in accordance with the Financial Sector Law.
Any administrative activity which is performed by third parties, namely administration or depositary services, has to be supervised and monitored by the manager of the UCITS or AIF, which ultimately bears responsibility for these activities.
Depending on the administrative services provided, the agreements should describe the specific services in sufficient detail and include provisions on, among others, timing, service levels, standards, service provider’s liability and flow of information, as set out in the UCI Law, the AIFM Law and the relevant CSSF circulars and EU delegated regulation.
In case of licensed managers of UCITS and AIF, draft agreements relating to administrative services need to be provided to the CSSF in advance, during the approval process.
In accordance with MiFIR/MiFID II rules, as transposed into national law, trading venues in Luxembourg can be divided into three categories: regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs). Operators of a regulated market, an MTF or an OTF are subject to the authorisation and supervision of the CSSF. Authorisation to operate an MTF and an OTF can also be granted to investment firms. The only entity authorised to operate the business of a trading venue in Luxembourg is the Luxembourg Stock Exchange, which operates the regulated market named Bourse de Luxembourg and an MTF named Euro MTF. At present, there are no OTFs based in Luxembourg.
In addition, MiCA introduced a specific legal framework applicable to crypto-asset service providers, including crypto-asset trading platforms, requiring these service providers to be authorised by the competent authority and setting out governance and prudential requirements to be fulfilled, including permanent minimum capital requirements.
In general, the regulatory regime relating to trading is the same for all asset classes. However, specific rules on transparency and trading are slightly different for equity and debt instruments. In addition, specific rules apply with regard to crypto-assets (see 12.5 Regulation of Blockchain Asset Trading Platforms).
The emergence of cryptocurrency exchanges and the significance of the crypto sector has led to the adoption of and proposals for new regulations. Following the implementation of the fifth anti-money laundering directive, virtual asset service providers have been required to register with the CSSF, and further changes are expected following the adoption of the proposed sixth anti-money laundering directive (see 1.1 Evolution of the Fintech Market).
Further, MiCA introduced a prudential regime relating to cryptocurrency exchanges.
The emergence of cryptocurrency exchanges and the growth of the sector around virtual assets has also prompted the CSSF to issue FAQs on virtual assets to guide banks and investment funds on its position regarding the possibility of these entities engaging in activities involving virtual assets. For example, UCITS, other funds addressing non-professional customers and pension funds are not allowed to invest directly or indirectly in virtual assets, including virtual currencies. Additional regulatory changes at European level are expected with respect to decentralised exchanges (see 8.5 Decentralised Finance (DeFi)).
Listing standards vary depending on the relevant trading venue and the type of financial instrument. In accordance with the Law of 30 May 2018 on markets in financial instruments, as amended, regulated markets shall have clear and transparent rules regarding the admission to trading of financial instruments. For listing on the Luxembourg Stock Exchange’s regulated market, issuers must publish a prospectus prepared in accordance with Regulation (EU) 2017/1129 on prospectuses (the Prospectus Regulation) that has been reviewed and approved by the CSSF. Alternatively, the prospectus may be approved by a competent authority of another EU member state and passported to Luxembourg. For listing on the Euro MTF in Luxembourg, the prospectus must be approved by the Luxembourg Stock Exchange.
Following the listing and admission to trading on either trading venue, issuers must regularly disclose regulated information concerning their business and the listed security.
In accordance with the MiFID II/MiFIR framework, the Financial Sector Law requires that investment firms and credit institutions that are authorised to execute orders on behalf of their clients must implement procedures and arrangements which provide for the prompt, fair and expeditious execution of client orders, relative to other client orders or their own trading interests. Otherwise, comparable client orders must be executed in accordance with the time of their reception.
There are currently no peer-to-peer trading platforms located in Luxembourg. The regulator has so far not provided specific guidance on the regulatory environment applicable to them, and whether specific rules on eg, AML and loan origination apply should be checked on a case-by-case basis.
In accordance with the rules on best execution provided by the MiFID II framework, the Financial Sector Law requires investment firms and credit institutions to take sufficient steps when executing orders to obtain the best possible result for their clients. This includes taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order. However, if the customer has given specific instructions, the order must be executed following such instructions.
The MiFID II legal framework, as transposed into Luxembourg law, in principle prohibits the possibility of routing client orders to a particular trading venue or execution venue to receive any remuneration, discount or non-monetary benefit, which would infringe the requirements on conflicts of interest or inducements. In practice, and as clarified by guidance issued by ESMA, payments for order flows between brokers and market makers are in general not permitted.
Fees, commissions or non-monetary benefits from a third party may only be accepted if such benefit is designed to enhance the quality of the relevant service to the client and does not impair the service provider’s duty to act honestly, fairly and professionally in accordance with the best interest of its clients. In addition, the benefits received must be clearly disclosed to the client before providing the relevant service.
The basic legal framework to preserve market integrity is laid out in Regulation (EU) No 596/2014 on market abuse (the Market Abuse Regulation), which is directly applicable in Luxembourg.
The Market Abuse Regulation, together with the delegated and implementing acts, imposes rules against market abuse, which consists of unlawful behaviour in the financial markets. These rules include dealing, disclosure and recommending/inducing prohibitions on persons in possession of inside information, ongoing issuer disclosure obligations and a prohibition on market manipulation. The CSSF is the competent authority in Luxembourg for the purposes of the Market Abuse Regulation and has the supervisory and investigatory powers to ensure that the provisions of the Market Abuse Regulation are applied in Luxembourg. Non-compliance may lead to administrative sanctions or criminal liability.
The rules applicable in Luxembourg for the creation and usage of high-frequency and algorithmic trading have been implemented in the Law of 30 May 2018 on markets in financial instruments, transposing MiFID II. These rules apply to trading of all financial instruments, and no difference is made between different asset classes within the scope of MiFID II.
Investment firms, credit institutions and certain other entities incorporated in Luxembourg that engage in algorithmic trading must have effective systems and risk controls in place that ensure, among others, that the trading systems:
In addition, such systems need to be fully tested and properly monitored, and effective business continuity arrangements need to be in place to deal with any failure of the systems. Engagement in algorithmic trading needs to be notified to the CSSF.
Specific requirements apply in accordance with the MiFID II legal framework if the entity engaging in algorithmic trading is pursuing a market making strategy. An entity is considered to pursue a market making strategy when, dealing on its own account as a member or participant of a trading venue, its strategy involves posting firm, simultaneous two-way quotes of comparable size and at competitive prices relating to one or more financial instruments on a single trading venue or across different trading venues, with the result of providing liquidity on a regular and frequent basis to the overall market. These requirements include entering into a binding market making agreement with the trading venue and carrying out the market making continuously during a specific proportion of the trading hours.
The applicable regulations do not distinguish between funds and dealers engaged in high-frequency or algorithmic trading.
Programmers who develop and create trading algorithms are not directly regulated; however, the investment firm using such trading algorithms or other electronic trading tools must ensure that the trading tools it uses comply with the regulatory requirements (see 8.1 Creation and Usage Regulations). An investment firm that outsources or procures software or hardware used in algorithmic trading activities remains fully responsible for its legal obligations relating to algorithmic trading.
There are no specific regulations governing DeFi in Luxembourg. Since DeFi includes a broad range of financial services, it should be assessed on a case-by-case basis whether a certain activity or product would fall within the scope of existing financial services regulation (see 12.8 Impact of Regulation on “DeFi” Platforms). At European level, MiCA failed to address DeFi directly. Nevertheless, ESMA is actively monitoring DeFi developments and cooperating with international organisations such as the International Organization of Securities Commissions and the Financial Stability Board to evaluate whether and to what extent additional regulatory action will be necessary.
If a financial research platform conducts investment research and financial analysis or other forms of general recommendation relating to transactions in financial instruments, under the currently applicable MiFID II legal framework, such services are considered ancillary services. Consequently, an entity which engages solely in investment research is not subject to the regulatory regime or subject to registration.
The Market Abuse Regulation prohibits the dissemination of information, including rumours, which is likely to give false or misleading information on eg, the price of a financial instrument in the media, including the internet or by any other means. Any person engaging in such a form of market manipulation may face administrative or criminal sanctions.
There are no specific rules in Luxembourg directed at the conversation curation of financial research platforms. With regard to dissemination of inside information and activities qualifying as market manipulation, the provisions of the Market Abuse Regulation apply (see 9.2 Regulation of Unverified Information).
Insurance underwriting is a licensed activity in Luxembourg, governed by the Law of 7 December 2015 on the insurance sector, as amended, and insurance companies located in Luxembourg are supervised by the CAA. In particular, insurance contracts are subject to the specific regulatory requirements laid out in the Law of 27 July 1997 on insurance contracts, as amended, which requires eg, providing certain precontractual information to customers. Consumer and data protection requirements must also be taken into consideration, as applicable to the specific underwriting processes.
The main types of insurance in Luxembourg are life insurance and non-life insurance, which are governed by separate legal provisions as outlined in the Law of 7 December 2015 on the insurance sector, as amended. Life insurance contracts under the Luxembourg legal framework provide an important part of Luxembourg’s wealth management offering. In addition, the Consumer Code applies to insurance contracts concluded with consumers, unless specific provisions of the Law of 27 July 1997 on the insurance contract, as amended, state otherwise.
Regtech providers are not directly regulated in Luxembourg. However, they might fall within the scope of the existing financial services regulation depending on their activities. If regtech companies provide services for regulated financial service entities, they may need to be licensed as a support PFS in accordance with the Financial Sector Law. Relevant support PFS licences that may be required for regtech providers include authorisation to act as client communication agent, administrative agent, primary IT systems operator or secondary IT systems and communication networks operator. Regtech entities providing merely technical solutions would not typically be subject to these licence requirements.
There are no specific contractual terms dictated by regulation that financial service firms would need to impose on regtech service providers. In addition to terms following general industry practice, if the service provided falls under the scope of outsourcing, specific contractual requirements apply (see 2.7 Outsourcing of Regulated Functions).
Blockchain-based products and solutions are increasingly used by traditional players of the financial services industry in Luxembourg. For example, the European Investment Bank has continued to develop the digitalisation of capital markets by issuing digital bonds on private and public blockchains. Two out of the total three digital bonds issued so far are governed by Luxembourg law. The euro-denominated digital bonds issued in late 2022 also involved the Central Bank of Luxembourg, which, together with the Central Bank of France, provided a digital representation of euro central bank money in the form of tokens.
In addition, since January 2022, the Luxembourg Stock Exchange has admitted security tokens to be registered onto the Securities Official List (SOL), which marks an important step towards making DLT securities mainstream and enhancing visibility. Due to the current regulatory framework applicable in the EU, security tokens cannot be admitted to trading on a regulated market or MTF. However, thanks to the DLT Pilot Regime (see 2.5 Regulatory Sandbox), MTFs can be granted temporary exemptions, for a period of up to six years, from certain existing requirements in order to enable DLT to also be used for trading (see 12.5 Regulation of Blockchain Asset Trading Platforms).
The CSSF has indicated that it applies a principle of technology neutrality towards the use of blockchain, and has acknowledged that innovative processes and technologies such as DLT, when properly used, can improve the provision of financial services. However, at the same time the CSSF has highlighted that DLT entails specific risks that require understanding, mitigation and monitoring.
In line with this approach, the CSSF published in 2022 a non-binding document in the form of a White Paper, which aims at guiding interested professionals in the conduct of their due diligence process related to DLT and its use in the provision of services in the financial sector. The purpose of the White Paper is to ensure that risks and advantages in the use of such technologies are appropriately taken into consideration, without providing a positive or negative assessment on DLT. The White Paper emphasises the main risks related to DLT, both in terms of governance and technical risks, by proposing key questions and recommendations that should be considered by market participants when performing their risk analysis and due diligence processes.
There is currently no general legal framework or single legal definition of blockchain assets applicable in Luxembourg. Moreover, there are several related terms often used in this context, eg, the Luxembourg regulator does not use the term “blockchain assets” in its guidance, but uses the term “virtual assets”, while the term “crypto-assets” has been used at an EU level, eg, in MiCA and in documentation issued by ESMA.
Regardless of the terminology used, blockchain assets may, or may not, be considered a form of regulated financial instruments falling within the scope of existing financial services regulation, and such assessment should be made on a case-by-case basis depending on the characteristics of the asset. Specific classifications of “blockchain assets” have been adopted by the legislature, firstly in the context of anti-money laundering legislation and secondly, in the context of MiCA.
With regard to AML/CTF legislation, the Luxembourg AML Law was amended in 2020 in accordance with the fifth EU anti-money laundering directive (2018/843/EU), by introducing the obligation of virtual asset service providers to register with the CSSF and to comply with certain AML/CTF obligations. Virtual assets are defined as a digital representation of value, including virtual currencies, that can be digitally traded, or transferred, and can be used for payment or investment purposes, however excluding virtual assets that fulfil the conditions of electronic money, as defined in the Payment Services Law, and virtual assets that fulfil the conditions of financial instruments, as defined in the Financial Sector Law.
In addition, MiCA regulates crypto-assets that so far have fallen outside of the scope of specific regulation. The definition of crypto-assets includes any digital representation of value or rights that may be transferred or stored electronically, using a distributed ledger or similar technology. The applicable new rules, which include in particular transparency and authorisation requirements, will differ based on the characteristics of the token, as MiCA differentiates between e-money tokens, asset-referenced tokens and utility tokens.
Lastly, in assessing the legal classifications of blockchain assets, financial market participants should take into account guidance published by the Luxembourg regulator. Through two sets of FAQs on virtual assets, the CSSF has provided guidance on virtual assets for investment funds and banks. With regard to the classification of virtual assets, the CSSF has emphasised that, although all tokens constitute a digital representation of value that is provided by a technology using DLT and cryptography, the tokens come with a variety of rights. The intrinsic characteristics and functions of the token determine the risks and whether or not it is possible for a professional of the financial sector to get involved in them, and accordingly, the type of virtual assets targeted by the FAQs varies depending on the specific question. However, the FAQs do not provide comprehensive guidance on when virtual assets would qualify as financial instruments in accordance with the Financial Sector Law, which still remains subject to a case-by-case assessment.
In 2019, Luxembourg passed a new law which permits the use of blockchain/DLT for the holding and managing of securities accounts. This legal basis, which deemed the use of DLT and blockchain technologies equivalent to other secured electronic recording mechanisms for the transmission of securities, was supplemented in 2021 by allowing these technologies to be used also for the issuance of dematerialised securities. However, the securities issuance accounts relating to securities admitted to trading on a regulated market or an MTF can be held only with a settlement organisation.
In addition, depending on the nature of the financial instrument, the issuer may be subject to:
The regulation of blockchain asset trading platforms depends on the regulatory status of the assets traded on the platform. For blockchain assets that do not qualify as financial instruments under the MiFID II framework, the relevant trading platforms are now subject to the regulatory requirements set out in MiCA, which will apply from 30 December 2024.
In addition, if the service of a trading platform falls within the scope of virtual asset services as defined in the AML Law, service providers who are established or provide services in Luxembourg need to register with the CSSF and comply with AML/CTF obligations. Virtual asset services include transfer of virtual assets, exchange between virtual assets and fiat currencies, including the exchange between virtual currencies and fiat currencies and the exchange between one or more forms of virtual assets.
If the blockchain assets qualify as financial instruments under the MiFID II framework, the trading venues would also fall within the scope of the MiFID II rules on trading venues. Pursuant to advice published in 2019, ESMA took the preliminary view that if crypto-assets qualify as financial instruments, platforms trading these assets with a central order book and/or matching orders under other trading models would be likely to qualify as multilateral systems. Such platforms should therefore operate as regulated markets, MTFs or OTFs.
The currently applicable EU regulatory framework requires the transfer of any such instrument to be settled through central securities depositories (CSD) in accordance with Regulation (EU) No 909/2014 on central securities depositories, as amended (CSDR), and accordingly, DLT financial instruments cannot currently be admitted to trading on a regulated market, MTF or OTF. However, in view of encouraging technological innovation in the area of settlement, the DLT Pilot Regime provides a possibility for MTFs and CSD to be exempt from certain provisions of CSDR. The CSDR as last amended in 2023 now allows the possibility to grant authorisation to non-operational CSD whose compliance with regulatory requirements cannot be assessed, if the competent authority believes that the CSD will comply by the time it begins its activities. This is particularly relevant with respect to the use of DLT and the application of the DLT Pilot Regime.
While there is no specific regulation targeting funds that invest in blockchain assets, according to the recently updated ESMA Q&As on AIFMD, managers of an undertaking investing in crypto-assets may be subject to the directive, if the relevant undertaking meets the definition of an alternative investment fund (AIF). Funds that raise capital from a number of investors to invest in crypto-assets in accordance with a defined investment policy for the benefit of those investors, will qualify as an AIF in accordance with the AIFMD.
Although the AIFMD does not provide a list of eligible or non-eligible assets, the CSSF has recently published FAQs on the possibility of investment funds to invest in virtual assets. Pursuant to the position of the CSSF, an AIF may invest directly (and indirectly) in virtual assets if its units are marketed only to professional investors, and a Luxembourg-authorised AIFM must obtain an authorisation from the CSSF for this investment strategy. Accordingly, the CSSF has indicated that UCITS and UCIs addressing non-professional customers and pension funds are not allowed to invest, directly or indirectly, in virtual assets (as defined in the AML Law).
In case the services provided by the fund qualify as virtual asset services in accordance with the AML Law, the fund will need to register as a virtual asset service provider.
In accordance with the AML Law, virtual currencies – ie, digital representations of value that are not issued or guaranteed by a central bank or a public authority, which are not necessarily attached to a legally established currency and do not possess a legal status of currency or money, but are accepted by persons as a means of exchange and which can be transferred, stored and traded digitally – are also considered to be virtual assets. Therefore, the relevant AML/CTF obligations also apply to virtual currencies (see 12.3 Classification of Blockchain Assets).
DeFi is currently not defined in financial services regulation applicable in Luxembourg. As it may include a broad range of financial services that utilise public, distributed ledgers, the question of whether DeFi platforms would fall within the scope of existing financial services regulation would need to be assessed on a case-by-case basis depending on the type of activities conducted.
There are currently no specific provisions relating to non-fungible tokens (NFTs) and NFT platforms in Luxembourg. Unless NFTs are considered to be virtual assets or financial instruments, they would not fall within the scope of existing financial services regulations. For example, guidance issued by the Financial Action Task Force outlines that digital assets which are unique, rather than interchangeable, and which are used as collectibles rather than as payment or investment instruments, would generally not be considered virtual assets.
Nonetheless, whether or not NFTs could be used for payment or investment purposes, and thus qualify as virtual assets, should be assessed on a case-by-case basis. If an NFT qualifies as a virtual asset under the AML Law, specific registration and AML/CTF obligations would apply (see 12.3 Classification of Blockchain Assets). Moreover, NFTs are also excluded from the scope of MiCA, unless their de facto uses or features would qualify as crypto-assets under MiCA.
The main regulation governing open banking, Directive (EU) 2015/2366 on payment services (PSD2), has been transposed into Luxembourg law by the Law of 20 July 2018 amending the Payment Services Law. The legal framework aims to open up the EU payment market to entities offering payment services based on access to the payment account, including account information services and payment initiation services. PSD2 enables customers to share their data securely via application programming interfaces with banks and third parties, allowing the customers to compare products, initiate payments and request account information.
Although PSD2 has significantly impacted the payment sector in the EU, it can be argued that so far open banking in Europe has not fully lived up to its expectations. Some technical issues faced by third-party providers due to PSD2 rules have required further fine-tuning to the legal framework, which has, for example, required the EBA to extend the frequency of customer re-authentication from 90 days to 180 days. In addition, in June 2023 the European Commission presented a legislative proposal for an open finance framework which aims at establishing clear rights and obligations to manage customer data sharing.
Concerns raised by open banking include risks relating to data protection and security breaches. Both topics are highly regulated by the European Union: the GDPR also applies to open banking, as does financial sector regulation, including PSD2 and DORA, which will apply from January 2025 and includes strict requirements to increase cybersecurity and the resilience of ICT infrastructures. So far, there have not been any significant enforcement actions by the competent authorities in Luxembourg relating to open banking.
There are no specific elements relating to fraud in financial services. The general definition of fraud under the Luxembourg criminal code applies, which requires the employment of fraudulent manoeuvres or abuse of trust or credulity. The CSSF has highlighted the main elements to detect suspicious providers, including unsolicited contact, offers of high profits or returns, tight deadlines, trial investments, and unclear identification of contracting parties, among other suspicious manoeuvres.
The CSSF provides recommendations and warnings in order to detect and report fraudulent activities. In particular, the CSSF is mostly vigilant with respect to falsification of websites of supervised entities, identity theft and cold calling.