The Luxembourg financial sector operates within one of the most demanding regulatory environments in Europe. As a leading international financial centre, the Grand Duchy must apply European and international anti-money laundering (AML) and counter-terrorist financing (CFT) standards with the utmost rigour. In 2026, the convergence of several landmark legislative texts is redefining the obligations of professionals across the industry. This article provides a comprehensive overview of the key regulations every professional must be familiar with.
The Luxembourg legal framework: the Law of 12 November 2004
The cornerstone of AML compliance in Luxembourg remains the Law of 12 November 2004 on combating money laundering and terrorist financing, commonly referred to as the AML/CFT Law. This law, amended on numerous occasions to transpose successive European directives, establishes the fundamental obligations of obliged entities: identifying and verifying client identity, continuously monitoring business relationships, filing Suspicious Activity Reports (SARs) with the Financial Intelligence Unit (FIU), and retaining records and documents.
The AML/CFT Law applies to a broad range of professionals: credit institutions, investment firms, management companies, life insurance companies, professionals of the financial sector (PSF), as well as lawyers, notaries, accountants and real estate agents in the context of certain activities. Each obliged entity must implement a compliance framework proportionate to its size and the nature of its activities.
CSSF Circular 17/650: regulatory requirements in detail
CSSF Circular 17/650, which entered into force in January 2018, provides the detailed regulatory framework for entities supervised by the Commission de Surveillance du Secteur Financier (CSSF). This foundational text sets out the precise obligations of professionals with regard to AML governance, risk management and internal procedures.
Among the key requirements of this circular:
- The mandatory appointment of a Compliance Officer (RC) and a Responsible Person (RR), commonly known as the MLRO (Money Laundering Reporting Officer) and Deputy MLRO.
- The obligation to conduct a firm-wide risk assessment (Business Risk Assessment or BRA) and to update it on a regular basis.
- Requirements for ongoing training of staff involved in AML/CFT compliance.
- Detailed procedures for Customer Due Diligence (CDD), including the identification of beneficial owners and an understanding of the purpose and nature of the business relationship.
- Rules applicable to Politically Exposed Persons (PEPs), requiring Enhanced Due Diligence measures for business relationships involving PEPs or their close associates.
CSSF Circular 19/732: reinforcements and clarifications
CSSF Circular 19/732 supplemented and strengthened the framework established by Circular 17/650. It incorporates the recommendations of the Financial Action Task Force (FATF) and the guidelines of the European Banking Authority (EBA) on risk factors and simplified or enhanced due diligence measures.
This circular pays particular attention to ongoing transaction monitoring, requiring automated systems capable of detecting unusual or suspicious transactions. It also clarifies obligations with regard to sanctions list screening (UN, EU, OFAC) and transaction filtering, imposing real-time or near-real-time screening for new business relationships.
AMLD5: the 5th Anti-Money Laundering Directive
The 5th Anti-Money Laundering Directive (Directive 2018/843/EU), transposed into Luxembourg law, introduced several significant innovations. It extended the scope of obliged entities to include cryptocurrency exchange platforms and custodian wallet providers. It enhanced transparency regarding beneficial owners by making registers partially accessible to the public.
AMLD5 also lowered thresholds for anonymous prepaid cards, strengthened due diligence obligations for transactions involving high-risk third countries, and required Member States to establish centralised automated mechanisms for identifying holders of bank accounts.
AMLD6: harmonised criminal sanctions
The 6th Anti-Money Laundering Directive (Directive 2018/1673/EU), whose transposition was required to be completed before the end of 2020, marked a turning point in the harmonisation of criminal sanctions across the European Union. It establishes minimum rules on the definition of criminal offences relating to money laundering and identifies 22 predicate offences, including cybercrime, environmental offences and tax crimes.
AMLD6 also introduces criminal liability for legal entities, the criminalisation of aiding, abetting and attempted money laundering, and minimum custodial sentences of at least four years for the most serious cases. This directive significantly reinforces the repressive framework and demands heightened vigilance from professionals in detecting complex money laundering schemes.
AMLR: the single European regulation
The Anti-Money Laundering Regulation (AMLR) represents a paradigm shift in the European approach to combating money laundering. Unlike directives, which require national transposition, the regulation is directly applicable in all Member States, thereby eliminating differences in interpretation and gaps in implementation.
The AMLR establishes a single rulebook covering due diligence obligations, beneficial ownership identification and reporting requirements. It harmonises the requirements for CDD, EDD and SDD (Simplified Due Diligence), and introduces stricter rules for cash transactions and crypto-assets.
A key element of the AMLR is the creation of the AMLA (Anti-Money Laundering Authority), a dedicated European authority based in Frankfurt, endowed with powers of direct supervision over the highest-risk financial entities. AMLA will be fully operational by 2028 and will have direct investigative and sanctioning powers.
Impact on customer due diligence (CDD and EDD)
Taken together, these regulatory texts are redefining the standards for Customer Due Diligence and Enhanced Due Diligence. Luxembourg professionals must now:
- Verify the identity of clients and beneficial owners using reliable and independent sources, with a preference for electronic data and biometric verification where possible.
- Assess the risk profile of each client under a Risk-Based Approach, taking into account factors such as industry sector, geographical location, legal structure and the nature of transactions.
- Apply Enhanced Due Diligence (EDD) measures for high-risk clients, PEPs, complex cross-border business relationships, and countries identified as high-risk by the European Commission.
- Ensure ongoing monitoring of business relationships, including periodic screening against sanctions lists, tracking changes in PEP status, and detecting unusual transactions.
Practical implications for Luxembourg professionals
For banks, these developments require stronger compliance teams, upgraded transaction monitoring systems and greater attention to cross-border flows, particularly those involving third countries.
Investment funds and their management companies must adapt their KYC/KYB procedures to account for the complexity of investment structures, identify beneficial owners through multiple layers of legal vehicles, and ensure due diligence proportionate to the risks identified.
Support PSF, fund administrators and depositaries must integrate these new requirements into their daily operational processes, ensuring complete traceability and exploitable audit trails for CSSF inspections.
How e-KYC.lu helps professionals navigate this complexity
Faced with this accumulation of regulatory texts, digital tools have become indispensable. The e-KYC.lu platform was designed specifically for the Luxembourg context and enables professionals to:
- Centralise KYC file management with a complete workflow (Draft, In Progress, Pending Review, Approved/Rejected) and per-file encryption of sensitive data.
- Automate AML screening in real time against international sanctions lists, PEP databases and adverse media sources.
- Train teams through recognised AML/CFT certifications, covering the obligations of the Compliance Officer, sanctions, KYB and CDD.
- Generate comprehensive audit reports that are exportable and ready to support internal reviews and regulatory inspections.
Conclusion: anticipate to stay compliant
2026 marks a decisive turning point for AML compliance in Europe and, by extension, in Luxembourg. The phased entry into force of the AMLR and the rising influence of AMLA will impose ever-higher standards on financial sector professionals. Entities that anticipate these changes and invest today in robust, automated compliance tools will be best placed to meet these challenges.
Compliance is no longer merely a regulatory obligation — it is a competitive advantage. Clients, partners and regulators expect Luxembourg professionals to demonstrate an unwavering commitment to combating money laundering and terrorist financing.