The national authorities responsible for the regulation and supervision of the banking sector in Luxembourg are the Commission de Surveillance du Secteur Financier (the “CSSF”) and the Central Bank of Luxembourg (the “BCL”).

The CSSF

The CSSF is responsible for the prudential supervision of the Luxembourg financial sector. The CSSF is also the (i) national resolution authority for the resolution of credit institutions and certain investment firms in the framework of the Single Resolution Mechanism and the Single Resolution Fund under EU Regulation 2014/806 of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund and amending EU Regulation 2010/1093 of 24 November 2010, (“SRMR”) and (ii) the CSSF, acting through its resolution board (“RB”) (please see answer to question 23 for the powers of the RB), acts as the resolution authority of failing national or transnational banks with the view to limiting their systemic impact as provided by the law of 18 December 2015 on the failure of credit institutions and certain investment firms (the “BRRD Law”) (transposing EU Directive 2014/59 of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms (“BRRD I”), as amended by EU Directive 2019/879 of 20 May 2019 as regards the loss-absorbing and recapitalisation capacity of credit institutions and investment firms and Directive 98/26/EC (“BRRD II”)).

The BCL

The BCL is part of the European System of Central Banks and is specifically responsible for, inter alia: (i) the supervision of liquidity of credit institutions, in cooperation with the CSSF; (ii) control over the smoothness and efficiency of payments systems; (iii) the empowerment of financial stability; and (iv) the implementation of monetary policies.

In accordance with the provisions of the law of 5 April 1993 on the financial sector, as amended (the “LFS”), the following activities trigger the requirement of a banking license:

• granting of loans for its own account and taking of deposits or other repayable funds from the public;
• currency exchange dealers’ activities consisting of operations involving the purchase or sale of foreign currencies in cash; and
• dealing on own account or underwriting of financial instruments and/or placing financial instruments on a firm commitment basis, provided that certain conditions are met.

Pursuant to the relevant provisions of the LFS, professionals of the financial sector performing lending operations (such as financial leasing and factoring operations) fall under the scope of the license requirements. However, those professional should seek for a license as a professional of the financial sector and not as a credit institution. It is worth noting that the granting of loans could be an activity exempted from licensing requirements, in so far as, among others, loans are not granted to the public.

No different categories of banking licenses exist under Luxembourg law. A banking license under Luxembourg law permits the holder of such license the performance of all activities or the provisions of all services that are permissible for any Luxembourg credit institution as referred to in our answer to question 4 below.

That being said, it is to be noted that banks issuing covered bonds may engage in other banking and financial activities only in so far as these are incidental and ancillary to their main activity. Although specific provisions relating to credit institutions issuing covered bonds currently apply, the Law of 8 December 2021 on the issuance of covered bonds (the “Covered Bonds Law”), which will enter into force on 8 July 2022, will permit any credit institution incorporated in Luxembourg to issue covered bonds provided that certain financial criteria are met by the relevant institution. Hence, following the entry into force of the Covered Bonds Law, no such a limitation of activities as mentioned above would apply to credit institutions issuing covered bonds.

In addition to the above, the LFS lays down specific authorisation regimes for professionals performing the following activities of the financial sector (“PFS”):

• provision of any investment service or activity listed under the LFS (e.g private portfolio management, investment advice, dealing on own account);
• performance of activities such as registrar agents, professional depositaries of financial instruments and central account keepers;
• performance of activities such as communication, IT systems and e-archiving; and
• approved publication arrangement (“APA”) or approved reporting mechanism (“ARM”).

Pursuant to the provisions of the LFS any entity holding a credit institution license may perform all other banking and financial activities falling under the scope of the LFS, including portfolio management and advice as well as payment services and issuance of electronic money.

Credit institutions willing to perform payment services and/or issue electronic money, shall also comply with the relevant provisions of the Law of 10 November 2009 on payment services.

No. However, the CSSF recently created an “innovation hub”, being a dedicated point of contact for any person wishing to present an innovative project or to exchange views on the major challenges faced in relation to financial innovation in Luxembourg in order to establish a direct and permanent communication with the market participants. This approach allows the CSSF to follow and closely monitor any developments and expectations of, or forthcoming challenges posed to, the FinTech industry.

Pending the entry into force of the Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (the “MICAR”), there is currently no legal framework in Luxembourg that governs the issuance or custody of crypto currencies. For the time being, the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the “AML/CFT Law”) is the only regulation which applies to the issuance or custody of crypto-assets. Accordingly, any credit institution that intends to provide virtual asset services within the scope of article 1 (20c) of the AML/CFT Law including safekeeping, has to register as a virtual asset provider (the “VASP”) beforehand with the CSSF. It is to be noted that credit institutions, even if they are licensed, shall proceed with the VASP registration and comply with the applicable obligations stemming from the AML/CFT Law.

In addition, the CSSF frequently asked questions on virtual assets for credit institutions, as lastly updated on 4 January 2022 (the “CSSF FAQ”) provides that credit institutions that intend to offer virtual asset services, either in scope of article 1 (20c) of the AML/CFT Law or any other activity in relation to virtual assets, such as the issuance of asset-referenced tokens and e-money tokens or dematerialised record-keeping via DLT, shall submit and present beforehand a detailed business case to the CSSF. Such business case shall include a risk-benefit assessment, required adaptations to the credit institution’s governance and risk management frameworks, the effective handling of counterparty and concentration risk and the implementation of investor protection rules.

It is also worth noting that, on 16 January 2024, the EBA extended its guidelines on money laundering and terrorist financing risk factors to crypto-asset service providers (the “CASPs”) through the issue of guidance to CASPs to effectively manage their exposure to money laundering and terrorist financing risks. The new guidelines highlight money laundering and terrorist financing risk factors and mitigating measures that CASPs need to consider, representing an important step forward in the EU’s fight against financial crime.  MICAR brings crypto-asset services and activities within the EU regulatory scope and ensures that CASPs become subject to EU money laundering and terrorist financing obligations and supervision.  By doing so, it prevents credit and financial institutions from engaging with providers of crypto-asset services, which will provide a stratified mitigation of risk.

According to the CSSF FAQ, credit institutions are not allowed to open bank accounts in virtual assets and hence cannot take deposits in virtual currencies, facilitate or execute the settlement of payments in virtual currencies. However, credit institutions may open accounts, which are comparable to securities accounts for the safekeeping of traditional financial instruments, that allow customers to deposit virtual assets. Such accounts are segregated from the bank’s own assets.

Pursuant to the CSSF FAQ, credit institutions that directly invest in virtual assets shall adopt a conservative approach when risk-weighting such assets under the Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended, commonly known as the capital requirements regulation (“CRR”). Gross exposures to virtual assets shall receive a 1250% risk weight or alternatively be deducted from capital. The potential recognition of netting effects or the classification as cash or financial instruments shall be duly documented and validated by the authorised management. In addition, operational risks that are not fully covered by CRR risk weights have to be capitalised under Pillar 2 (please see our answer to question 13 for further details on the Pillar 2 regime).

Furthermore, credit institutions that use specialized virtual assets exchange and custody platforms may contractually transfer the corresponding counterparty risk towards the said specialised virtual asset service providers to customers. The CSSF FAQ provides that, to be effective from a risk perspective, such transfer of counterparty risk would require customers to directly contract with the virtual asset service provider. However, a credit institution that does not effectively transfer the counterparty risk to its customers has to comply with the large exposure limits framework provided in the CRR for the counterparty risk it incurs on custody or exchange platforms. In that regard, credit institutions are invited to discuss with CSSF the approach they intend to choose when determining the exposure value and the concentration measure under the large exposure framework.

Regarding credit institutions established within the Eurozone or a country participating to the Single Supervisory Mechanism framework, the application for a bank license shall be submitted via the European Central Bank-run “IMAS Portal” as of February 2022. The European Central Bank (the “ECB”) has exclusive competence to grant bank licenses in accordance with (i) the Council EU Regulation 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions ; and (ii) EU Regulation 468/2014 of the European Central Bank of 16 April 2014 establishing the framework for cooperation within the Single Supervisory Mechanism between the European Central Bank and national competent authorities and with national designated authorities. The form that is available on the IMAS Portal sets out the applicable information requirements to be met and shall be completed in accordance with the ECB Licensing Guide. The application for a banking license will be assessed by the ECB in close cooperation with the CSSF while the maximum assessment period is 12 months.

The general application process requires information regarding, inter alia, the programme of operations indicating the type and volume of business envisaged, the administrative and accounting structure of the institution, evidence showing the existence in Luxembourg of the central administration, the shareholdings as well as the professional repute and experience of the management.

Regarding the establishment of a branch in Luxembourg of third-country credit institutions, the application for a bank license shall be submitted to the CSSF and it shall be subject to the same authorisation requirements that are applicable for banks established under Luxembourg law.

European Union based credit institutions

Pursuant to the LFS, credit institutions authorized in a member state of the European Union (the “Home Member State”) other than Luxembourg may exercise their activities in Luxembourg through, inter alia, the provision of services, the establishment of a branch or a tied agent, provided that such activities (i) are covered by their authorization granted by the Home Member State; and (ii) fall within the scope of activities listed under Annex I of the LFS or section A or C of Annex II of the LFS. Similarly, any credit institution authorized in Luxembourg may carry on business in another Member State (the “Host Member State”) through the provision of services subject to a notification requirement addressed to the CSSF consisting of the activities listed in Annex I of the LFS that it intends to perform in the Host Member State. The CSSF is responsible for communicating the notification to the competent authority of the Host Member State within one month of its reception. Luxembourg based credit institutions wishing to provide activities in a Host Member State through, inter alia, the establishment of a branch or a tied agent, would have to comply with specific requirements set forth under the LFS.

Third-country based credit institutions

Third-country credit institutions may exercise their activities in Luxembourg through the establishment of a branch, which shall obtain a bank license (see also answer to question 8). By way of derogation, credit institutions established in a third country considered by the CSSF as applying equivalent supervision and authorisation rules to those laid down in the LFS to firms having their central administration or registered office in its jurisdiction, may provide services in Luxembourg through the provision of cross-border services or the establishment of a branch, provided however that the intended services to be provided fall under the scope of a license requirement in the country of origin and by the LFS (the “National Third-Country Regime”). Pursuant to the CSSF Regulation 20-02, jurisdictions which are deemed equivalent for the application of the National Third-Country Regime are as follows: (i) Canada, (ii) the Swiss Confederation, (iii) the United States of America, (iv) Japan, (v) Hong Kong Special Administrative Region of the People’s Republic of China, (vi) Republic of Singapore, (vii) the United Kingdom of Great Britain and Northern Ireland, (viii) People’s Republic of China and (ix) Australia.

A license for credit institution may only be granted to a legal person incorporated under Luxembourg law and which is established in the form of a public law institution, a public limited company (société anonyme), a partnership limited by share (société en commandite par actions) or a cooperative society (société cooperative).

The LFS and CSSF Circular 12/552 on central administration, internal governance and risk management (as updated from time to time) govern in an extensive manner the corporate governance of Luxembourg-based banking institutions, imposing rules relating to their:

• central administration;
• internal governance; and
• risk management.

The supervisory body shall have the overall responsibility for the institution. It shall define, monitor and bear responsibility for the implementation of robust central administration, governance and internal control arrangements, which shall include a clearly structured internal organisation and independent internal control functions with appropriate authority, stature and resources with respect to their responsibilities.

The central administration of a banking institution is divided into the decision-making centre, it comprising the authorised management and the heads of the business functions, and the administrative centre, which includes the administrative, accounting and IT organisation and shall ensure, among others, proper administration, execution of operations, complete recording of operations and accurate production of information. The members of the management body must have already acquired an adequate level of professional experience through the performance of similar activities and thus be of high professional repute. The latter is assessed on the basis of police records and any source that evidences their good reputation and/or offers a guarantee for the irreproachable conduct of their duties. The prudential approval procedure sets out the fit and proper approval process for the appointment of key function holders and members of the management body in credit institutions. Recent amendments to CSSF Circular 12/552 have enhanced the provisions with respect to the diversity and independence of the management body.

Furthermore, internal governance arrangements pursue to eliminate or limit conflicts of interest. The Luxembourg legal framework requires that the organisation chart of the credit institution is established based on the principle of segregation of duties, pursuant to which the duties and responsibilities will be assigned so as to avoid making them incompatible for the same person. In that context the management body is required to document data related to loans provided to the management body and share these data with the CSSF upon its request. The Commission Delegated EU Regulation 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU, introduces rules aimed to mitigate the conflict of interest between the credit institution and its clients. In that context, article 41(2) provides that when a credit institution is engaged in the marketing of its own instruments, clear and effective arrangement should be at place for the identification, prevention and/or management of the potential conflict of interest. In the same context, and as analysed in question 12, special rules regulate the remuneration policy of credit institutions.

Credit institutions are also required to have dedicated internal control functions, such as a risk control function, a compliance function and an internal audit function. The internal control functions are permanent and independent functions, each with sufficient authority. The degree of the measures required is subject to the principle of proportionality, meaning that more complex, riskier and significant institutions must have in place enhanced internal governance and risk management arrangements.

The aim of the procedures and arrangements implemented in relation to remuneration is to help ensure that risks are managed in an efficient and durable manner. Credit institutions must comply with the requirements concerning the governance arrangements and remuneration policies of the Directive 2013/36/EU (“CRD IV”) and Directive 2019/878/EU (“CRD V”), as transposed into the LFS with the Law of 20 May 2020 (the “CRD V Law”). Furthermore, credit institutions must comply with the disclosure requirements of the CRR, as amended by the EU Regulation 2019/876, the (“CRR II”), the criteria set out in the relevant EU regulatory technical standards, the European Banking Authority (the “EBA”) guidelines on remuneration policies and best practices and the applicable CSSF circulars. The CRD V Law, introduced some novel provisions. Most importantly, the rules governing the remuneration policy may henceforth apply on a consolidated, sub-consolidated or solo basis, depending on specific parameters. Furthermore, the above rules apply to all employees whose activities have a material impact on the risk profile of a given credit institution, and not only to the management body. The content of the latter term is defined in the LFS which should be read in conjunction with the Commission Delegated EU Regulation 2021/923. Smaller and non-complex institutions, benefit from some waivers concerning the application of a limited number of remuneration requirements. At the same time, the CRD V Law recognised and implemented for the first time the gender-neutral nature of the remuneration policy. Further, credit institutions are also required to comply with obligations relating to disclosure of their remuneration policy deriving from CRR II.

The legal rules governing the capital requirements of credit institutions are imposed at an EU level in the CRR. The so-called Pillar 1 of the Basel III Framework (“P1R”) requires credit institutions to maintain and satisfy at all times a total capital ratio of 8% of their risk-weighted assets, composed of 4.5% of Common Equity Tier 1 capital (“CET1”) (as defined in the CRR), 1.5% of Additional Tier 1 (“AT1”) capital (as defined in the CRR), and 2% of Tier 2 capital (“AT2”) (as defined in the CRR). In addition to the P1R ratios, the CSSF is capable of imposing bank-specific capital requirements (Pillar 2 Requirements – “P2R”) that have micro-prudential considerations and cover risks that are underestimated or not covered by, P1R. Both P1R and P2R are binding and obligatory for credit institutions, which is not the case for the Pillar 2 Guidance rules (“P2G”), which constitute suggestions of the CSSF to the banks relating to their own funds.

On top of the P1R and P2R ratios, credit institutions in Luxembourg are required to hold and maintain the following buffers:

• a capital-conservation buffer of CET1 equal to 2.5% of their total risk exposure amount;
• an institution-specific countercyclical capital buffer of CET1 (equivalent to their total risk exposure). The CSSF is responsible for setting the countercyclical buffer rates applicable in Luxembourg on a quarterly basis. According to CSSF Regulation 23-06, a countercyclical capital buffer rate of 0.5% applied to credit institutions for the first quarter of 2024;
• a Global-Systemically-Important-Institutions (“G-SII”) buffer;
• an Other-Systemically-Important-Institutions (“O-SII”) buffer (for the analysis of G-SII and O-SII please see answer 21); and
• a systemic-risk buffer for systemic banks of at least 1% based on the exposures to which the systemic risk buffer applies, which may apply to exposures in Luxembourg as well as to exposures in third countries. The rationale of this buffer, as clarified in the CRD V Law, is the mitigation of systemic risks, to the extent that these are not already covered by the capital buffers for systemically important institutions (G-SIIs/O-SIIs) or the countercyclical capital buffer. No maximum limit applies to this buffer.

Based on the above, and especially since there is no G-SII in Luxembourg, there are no major deviations related to P1R ratios between credit institutions. On the other hand, P2R requirements, since by nature are tailored to the specificities and particularities of each institution, are in principle capable of introducing (major) deviations between the own-funds treatment of credit institutions.

The Leverage Ratio (“LR”) is imposed by the CRR and is directly applicable in Luxembourg. Credit institutions should always maintain their LR at 3% which constitutes the quotient of the division between the CET1 capital of a credit institution and its total exposure measure (as defined in the CRR). The rationale behind this metric, is to capture exposures of the credit institution which are not reflected in the P1R ratios, like credit default swaps, or off-balance sheet positions.

The obligation of credit institutions to retain liquid assets is assessed through the LCR and NSFR ratios, which are imposed in the CRR and are directly applicable in Luxembourg.

The LCR certifies that financial institutions hold at all times liquid assets, the total value of which equals, or is greater than, the net liquidity outflows that might be experienced under stressed conditions over a short period of time (30 days). Net cash outflows must be computed on the basis of a number of assumptions concerning runoff and drawdown rates.

The NSFR aims to ensure the resilience of financial institutions over a longer time horizon by requiring financial institutions to raise stable funding at least equal to their stable assets or illiquid assets that cannot be easily turned into cash over the following 12 months. Following the CRR II, the NSFR is applicable for all credit institutions as of 28 June 2021.

The proposed amendment of the CRR dated 4 December 2023 (the “CRR III”) and the Capital Requirements Directive (CRD) (to be amended by a further Directive, CRD VI, the so-called 2021 Banking Package) shall come into force at the beginning of 2025 and full alignment with Basel III standards is expected by June 2025. The CRR III seeks to limit an institution’s risk of excessive reductions in capital, to allow for uniformity of internal calculations between institutions. This implementation pertains to credit risk and it will lead to an increase of thresholds imposed on regulatory capital requirements, which will have an adverse effect on fees and profitability. The areas currently most affected by the output floor changes are real estate lending, followed by corporate lending and retail lending. It is worth noting that the output floor changes are being gradually phased in to give financial institutions sufficient time to implement the necessary procedures to adhere, with the aim of being fully applicable by 2032.

Credit institutions established in Luxembourg, being either a public limited liability company (société anonyme), or a partnership limited by share (société en commandite par actions) or a cooperative society (société cooperative), are subject to the Law of 10 August 1915 on commercial companies, as amended, and thus are required to publish their financial statements.

On top of the general corporate law requirements, credit institutions should comply with disclosure provisions relating to prudential supervision, imposed by the CSSF circular 19/731 (which repealed circulars 15/602 and 19/710) and the Commission Implementing EU Regulation2021/451 of 17 December 2020 laying down implementing technical standards for the application of EU Regulation 575/2013 with regard to supervisory reporting of institutions and repealing Implementing EU Regulation 680/2014. According to the later, credit institutions are required to transmit data relating to their activities on a monthly, quarterly, half-yearly or annual basis, depending on the subject matter. The CSSF circular 19/731 governs the annual disclosure of information of credit institutions, including annual accounts. The receiver of the above data will either be the CSSF or the ECB depending on whether the supervised credit institution qualifies as significant or not.

On an EU level, the CRR requires credit institutions to report on a consolidated basis figures relating to own-funds and eligible liabilities, capital requirements, liquidity, leverage and solvency ratios, large exposure limits, and arrangements concerning exposures to transferred credit risk.

According to the LFS, the CSSF exercises prudential supervision on a consolidated basis with respect to credit institutions which are a parent institution in Luxembourg, or an EU parent institution, and to credit institutions whose parent company is a financial holding company or a mixed financial holding company in an EU member-state. The consolidated supervision will be exercised by the CSSF only in cases where the latter would be competent to supervise the parent entity on a solo-basis.

The main consequence of consolidated supervision is that the supervisor manages to have a more holistic view in the financial situation of the group so as to account for considerations relating to the financial stability and soundness of the credit institution. In that manner, the supervisor can monitor more closely credit institutions and prevent them from escaping compliance with supervisory standards by moving activities into subsidiaries or by double-leveraging their capital.

According to the LFS, any natural or legal person aiming to acquire, directly or indirectly a qualifying holding (e. g. a holding of 10% or more of the capital or of the voting rights of a credit institution or a holding that makes it possible to exercise a significant influence over the management of the bank) or to further increase, directly or indirectly such a qualifying holding as a result of which the proportion of the voting rights or of the capital held would reach or exceed 20%, 33 1/3% or 50% or so that the credit institution would become their subsidiary, is required to first notify in writing such decision to the CSSF. The CSSF shall also be notified prior to the disposal of qualifying holdings in credit institutions for approval. At the same time, on becoming aware of the acquisition or disposal, credit institutions shall also inform the CSSF accordingly. They shall also, at least once a year, inform the CSSF of the names of shareholders and members possessing qualifying holdings and the amounts of such holdings.

Special rules apply in cases where the acquirer is a credit institution or a PFS. In those cases, the authorisation of the CSSF is not required unless the qualifying holding exceeds 40 million euros and 5 per cent of a credit institution’s own funds.

In all of the above cases, if the authorisation, approval and or notification procedure is not followed, the CSSF can impose administrative penalties/measures.

Finally, further insight into the specificities of the above provisions is provided by the CSSF Circular 17/669 which transposes the Joint Guidelines of ESMA, EBA and EIOPA on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector.

The LFS and the CSSF Circular 12/552 impose rules governing the eligibility of shareholders acquiring or owning a qualifying holding, relating to the transparency of the direct and indirect holdings in the credit institution and the establishment and guarantee of the sound and prudent management of the credit institution, it being related to the reputation of the acquirer, the reputation and experience of those who will direct the credit institution as a result of the proposed acquisition, the financial soundness of the proposed acquirer, the capability of the credit institution to continue to comply with the prudential requirements and to be subject to effective supervision following the acquisition and to AML/CTF Law considerations .

There is no distinction between domestic and foreign shareholding in banks under Luxembourg banking, hence no restrictions on foreign shareholdings in banks apply.

G-SIIs and O-SIIs are required to comply with special capital buffers. The G-SII buffer, is a mandatory capital surcharge built up of CET1 and applied at the consolidated level of the identified banking groups’ additional capital requirements for systemically important banks. The capital surcharge may vary between 1% and 3.5% depending on the degree of systemic importance of the relevant bank. According to publicly available information, there is no bank established in Luxembourg identified as a G-SII. The O-SII buffer is applied on a consolidated/sub-consolidated or solo basis. In this respect, the CSSF takes its decisions after consultation with the BCL and after requesting the opinion of the Comité du Risque Systémique. As per European Systemic Risk Board (the “ESRB”) changes, from the 6^th of October 2023, the combined buffer requirements for Luxembourg are 3 to 3.5%. The CSSF and the BCL have jointly developed a calibration methodology designed to translate the systemic importance of the institutions into O-SII buffer rates.

General administrative penalties imposed by the CSSF

Entitles subject to the CSSF’ supervision, including credit institutions (and the members of the management body, the effective managers or the persons responsible for a breach of a violation of banking regulations) may be subject to the following administrative penalties imposed by the CSSF, depending on the seriousness of the relevant infringement:

• a warning,
• a reprimand,
• a fine of between 250 and 250,000 euros,
• one or more of the following measures:
  • a temporary or definitive prohibition on the execution of any number of operations or activities, as well as any other restrictions on the activities of the person or entity,
  • a temporary or definitive prohibition on participation in the profession by the de jure or de facto, directors or senior management personnel of persons or entities subject to the supervision of the CSSF.

Administrative penalties and other administrative measures for breach of authorization, approval requirements and requirements for acquisitions of qualifying holdings

In addition to the above, the CSSF has the power to impose the following administrative penalties and other administrative measures for breach of authorization, approval requirements and requirements for acquisitions of qualifying holdings:

(i) issue a public statement which identifies the natural person or relevant responsible entity and the nature of the breach;

(ii) enjoin the natural or legal person responsible to cease and to desist from a repetition of that relevant conduct which is in breach of the banking regulations;

(iii) in the case of a legal person, administrative pecuniary penalties of up to 10% of the total annual net turnover (of the undertaking in the preceding business year);

(iv) in the case of a natural person, administrative pecuniary penalties of up to 5,000,000 euros;

(v) administrative pecuniary penalties of up to twice the amount of the benefit derived from the breach where that benefit can be determined; or

suspend the voting rights attached to shares or units held by the shareholders or members held responsible for the breaches of authorization, approval requirements and requirements for acquisitions of qualifying holdings.

Criminal Penalties

The CSSF is, in particular, responsible for the supervision of the professionals falling within its competence for the purposes of the implementation of this LFS. To this end, it may apply all the measures and exercise all the powers, including sanctioning powers, conferred on it, in accordance with the applicable legal provisions. Without prejudice to the application of more severe penalties provided for by other legal provisions, where applicable, infringements of the LFS may result in fines of up to EUR 125,000 and/or and a term of imprisonment between eight days and five years.

Specific sanctions to CRR Institutions

The CSSF may also apply other administrative penalties and other administrative measures specific to CRR Institutions (as defined in the LFS) such as the launching of a procedure for the withdrawal of the given credit institution’s authorization in accordance with the CRR rules or imposing a temporary ban against the relevant members of the management body of the credit institution or any other natural person held responsible for the breach, from exercising its functions within the given credit institutions.

The BRRD Law designates the CSSF as the national resolution authority. The CSSF exercises the powers and functions conferred to it under the BRRD Law through the RB (as defined in answer 1). The RB carries out its resolution functions independently from the supervisory functions of the CSSF and closely cooperate with the ECB.

Preparation of a resolution plan and assessment of resolvability prior to any resolution

The RB prepares a resolution plan for each credit institution falling under its competence (except for institutions being part of a group subject to a consolidation) and assess the resolvability of such institutions. The resolution plan is drawn up in accordance with the requirements set under the BRRD Law and should contain measures (including resolution tools) to be taken by the RB in the event the relevant credit institution meet the conditions for resolution.

Conditions for resolution

The RB shall take a resolution action towards a given institution if it considers that all of the following conditions are met:

– the relevant institution is failing or is likely to fail,
– having regard to timing and other relevant circumstances, there is no reasonable prospect that any alternative private sector measures or supervisory action would prevent the failure of the institution; and
– a resolution action is necessary in the public interest.

Provided that the conditions for resolution are met, the BR has the power to apply a certain number of resolution tools, exercise resolution powers and ancillary powers as described below.

Resolution tools

The following resolution measures (individually or in any combination, except for the asset separation measure which shall be applied simultaneously with another resolution tool) to the relevant bank:

– the sale of the business tool: in order to give effect to this tool, the RB shall transfer shares or other instruments of ownership issued by of the bank under resolution and all or any of its assets, rights or liabilities to a purchaser which is not a bridge institution;
– the bridge institution tool: the aim of this tool is to maintain critical functions of the bank under resolution through the temporary transfer good bank assets to one or more banks wholly of partially owned by public authorities and controlled by the RB;
– separation of assets tool: the impaired assets would be transferred to one or more asset management entities wholly of partially owned by public authorities and controlled by the RB. The relevant management entity should manage such assets transferred to it with a view to maximize their value through eventual sale or orderly wind-down;
– apply bail-in measures: to convert debt into shares or write it down.

The resolution method will depend on the individual bank and the resolution plan that has been prepared for it.

Resolution powers and ancillary powers

Besides the exercise of the resolution tools, the BRRD Law confers a certain number of resolution powers and ancillary powers to the RB, including, among others, the followings.

– appointment of a special manager to replace the management body of the relevant institution which shall have all the powers of the shareholders and of the management body of the institution under resolution;
– to require any person to provide any information required for the RB to decide upon and prepare a resolution action, including updates and supplements of information provided in the resolution plans;
– to conduct on-site investigations for information gathering purposes;
– to take control of the relevant institution and exercise all the rights and powers conferred upon the shareholders, other owners and the management body of that institution;
– to transfer shares or other instruments of ownership issued by the relevant institution;
– to transfer to another entity, with the consent of that entity, rights, assets or liabilities of the institution under resolution;
– to reduce, including reducing to zero of the principal amount of eligible liabilities;
– to convert eligible liabilities into ordinary shares or other instruments of ownership;
– to cancel debt instruments (except for secured liabilities; including covered bonds and liabilities in the form of financial instruments used for hedging purposes which form an integral part of the cover pool and which are secured in a way similar to covered bonds);
– to reduce, including to reduce to zero, the nominal amount of shares or other instruments of ownership of relevant institution and to cancel such shares or other instruments of ownership;
– to require the relevant institution or a relevant parent institution to issue new shares or other instruments of ownership or other capital instruments, including preference shares and contingent convertible instruments;
– to amend or alter the maturity of debt instruments and other eligible liabilities issued by the relevant institution (or amount of interest payable under such debt instruments and other eligible liabilities);
– to remove or replace the management body and senior management;
– with regards to assets, rights, liabilities, shares and other instruments located in a third country, require that the administrator, receiver or other person exercising control of the institution under resolution and the recipient take all necessary steps to ensure that the transfer, write down, conversion or action becomes effective;
– suspension of any payment or delivery obligations pursuant to any contract to which an institution under resolution is a party;
– to restrict secured creditors of an institution under resolution from enforcing security interests in relation to any assets of that institution; and
– to suspend the termination rights of any party to a contract with an institution under resolution.

Resolution objectives

When applying the resolution tools and exercising the resolution powers, the RB shall consider the following resolution objectives, and choose the tools and powers that best achieve the objectives that are relevant in the circumstances of the case:

– ensuring the continuity of critical functions carried out by the institution;
– avoidance of a significant adverse effect on the financial system, in particular by preventing contagion, including to market infrastructures, and by maintaining market discipline;
– protection of public funds by minimizing reliance on extraordinary public financial support;
– protection of depositors; and
– protection of client funds and client assets.

General principles governing resolution

The RB shall ensure that the resolution action complies with the following general principles:
– the shareholder of the institution under resolution shall bear first losses,
– creditors of the institution under resolution bear losses after the shareholders in accordance with the order of priority of their claims under normal insolvency proceedings, save as expressly provided otherwise in the BRRD Law;
– creditors of the same class are treated in an equitable manner, except where otherwise provided in the BRRD Law;
– no creditor shall incur greater losses than would have been incurred if the relevant institution had been wound up under normal insolvency proceedings;
– replacement of the management body and senior management, except in those cases when the retention of the management body and senior management is considered to be necessary for the achievement of the resolution objectives;
– management body and senior management shall provide all necessary assistance for the achievement of the resolution objectives; and
– full protection of covered deposits.

Despite the relevant measures that shall be taken by the RB in the event of the failure of a bank (as provided for in the BRRD Law, see our answer to question 23 above), client’s assets and cash deposits are protected through the following schemes existing under Luxembourg law:

• the Investor Compensation Scheme (Système d’Indemnisation des Investisseurs Luxembourg), being the recognised Luxembourg Investor Compensation Scheme as referred to in Directive 97/9/EC and chaired by the CSSF. The main purpose of the Investor Compensation Scheme is to ensure coverage for the claims (funds and financial instruments that its members hold, manage or administer on behalf of their clients) resulting from the incapacity of a credit institution or an investment firm. In case the relevant criteria are met and the institution holding the investor’s assets is no longer able to fulfil its commitments, investors are repaid by the Investor Compensation Scheme. The repayment covers a maximum amount of up to EUR 20,000 per investor; and

• the Deposit Guarantee Fund (Fonds de Garantie des Dépôts Luxembourg), being the recognised Luxembourg Deposit Guarantee Scheme referred to in Directive 2014/49/EU of 16 April 2014 on Deposit Guarantee Schemes. The main purpose of the Deposit Guarantee Fund is to ensure compensation of depositors in case of unavailability of their deposits. It collects the contributions due by participating credit institutions, manages the financial means and, in the event of insolvency of a member institution, makes the repayments as instructed by the Conseil de protection des déposants et des investisseurs (being the internal executive body of the CSSF in charge of managing and administering Luxembourg compensation schemes. The membership to the Deposit Guarantee Fund is compulsory for all credit institutions and Luxembourg branches of credit institutions having their registered office in a third country. In case the relevant criteria are met and the institution holding the depositor’s assets is no longer able to fulfil its commitments, depositors are repaid by the Deposit Guarantee Scheme. The repayment covers an amount of up to EUR 100,000 per person and per institution, except for certain type of deposits for which the coverage may be higher than EUR 100,000 but cannot exceed EUR 2,500,000 for a 12 months period after the relevant amount has been credited to a bank account held with a failed institution (i.e. deposits resulting (i) from real estate transactions relating to private residential properties, (ii) that serve social purposes and are linked to particular life events of a depositor or (ii) based on the payment of insurance benefits or compensation for criminal injuries or wrongful conviction).

Luxembourg law provides for a bail-in tool in bank resolution deriving from the BRRD Law and the SRMR (please see our answer to question 23 for further details on the resolution regime for banks).

The CSSF, as the national resolution authority and acting through the RB, has the power to write-down or convert relevant capital instruments and eligible liabilities of a failing bank under its remit in order to absorb losses and before any resolution action is taken. The bail-in tool should be exercised by the RB in accordance with the priority of claims under normal insolvency proceedings and subject to the following order:

(i) CET1 items;

(ii) AT1 instruments;

(iii) AT2 instruments;

(iv) unsecured subordinated liabilities (subordinated loans, bearer bonds and participation rights which do not meet the requirements for AT1 or T2 instruments);

(v) other eligible liabilities, in accordance with their ranking provided for in the Luxembourg’s normal insolvency proceedings.

The following liabilities – irrespective of their applicable law – are explicitly excluded from the exercise of a bail-in tool:

• covered deposits,
• secured liabilities including covered bonds and liabilities in the form of financial instruments used for hedging purposes which form an integral part of the cover pool and which are secured in a way similar to covered bonds,
• any liability resulting from the safekeeping of client assets or client money,
• any liability resulting from a fiduciary relationship,
• liabilities to other credit institutions (excluding entities that are part of the same group) with an original maturity of less than seven days;
• liabilities with a remaining maturity of less than seven days, owed to payment systems, securities delivery and settlement systems or to operators and other participants of such systems, if those liabilities result from the participation in the system; and

– liabilities owed to

(a) employees, for accrued salary, pension benefits,

(b) commercial or trade creditors arising from the provision to the institution or group entity of goods or services that are critical to the ongoing functioning of its operations,

(c) Luxembourg tax and social security authorities with respect to their preferred claims; and

(d) deposit guarantee schemes based on contribution obligations.

The BRRD Law does not provide for the application of the bail-in tool in the context of a mere liquidity crisis. According to the BRRD Law, the RB may apply the bail-in tool for the purpose of either (i) recapitalizing an institution that meets the conditions for resolution to the extent sufficient to restore its ability to comply with the conditions for authorization, or (ii) converting to equity/reducing the principal amount of claims or debt instruments that are transferred either to a bridge institution or under the sale of business tool or the asset separation tool.

The total loss-absorbing capacity (“TLAC“) requirements adopted on 9 November 2015 by the Financial Stability Board (the “FSB”). have been implemented within the EU legislation through the adoption of the EU revised rules on capital requirements, liquidity and resolution (CRR II/ CRD IV/ CRD V/ BRRD II/ SRMR2 (the “Banking Package”) which have been transposed into Luxembourg law following the entry into force of the CRD V Law. The TLAC ratio applies to systemically important institutions being either G-SIIs or O-SIIs which must, at all times, respect an external TLAC requirement of 18% of total risk exposure amount and of 6.75% of leverage ratio exposure measure from 1 January 2022 onwards.

Furthermore, banks which are non-G-SIIs but are part of a banking group with total assets in excess of EUR 100 billion shall also comply with an external TLAC requirement of 13.5% of total risk exposure amount and 5% of leverage ratio exposure measure, calculated on a consolidated basis at resolution group level.

Although there is, in principle, no minimum TLAC requirements for banks that are neither a G-SIIs nor part of a banking group with total assets in excess of EUR 100 billion, the RB may decide to apply the requirements laid down in the above paragraph to a given institution under its remit, if the RB assesses that the failure of such an entity is reasonably likely to pose a systemic risk.

Recent trends in bank regulation are mainly driven by initiatives taken at the EU and international levels, in addition to national legislative initiatives.

At the EU level, the regulatory changes will be brought by the further amendments to the EU Banking Package launched by the European Commission, which will further strengthen the resilience of credit institutions to economic shocks, require banks to systematically identify, disclose and manage sustainability risks as part of their risk management as well as harmonize supervisory powers and tools for overseeing banks.

Non-Performing Loans

Furthermore, the EU Directive 2021/2167 of 24 November 2021 on credit servicers and credit purchasers and amending Directives 2008/48/EC and 2014/17/EU, governing the sale, purchase, and servicing of Non-Performing Loans (“NPLs”) from EU banks (the “NPLs Directive”) has become effective on 30 December 2023. On 24 March 2023, a draft bill was submitted to the Luxembourg Parliament aiming to, inter alia, transpose the NPLs Directive and is since pending to be adopted. Once adopted, the bill will permit credit institutions to sell their NPLs to a credit purchaser who would then delegate the servicing of the NPLs to an appointed credit manager responsible for the provision of credit management activities.  The draft law also provides that the credit managers would qualify as professionals of the financial sector within the meaning of the LFS and therefore the LFS would set out the authorisation rules applicable to the credit managers together with the activities concerned.  Accordingly, the above will enable credit institutions holding large volumes of NPLs on their balance sheets to sell such NPLs on the secondary market, ultimately tackling high NPL ratios.

Innovation, Payments and digital assets

As part of the EU’s digital strategy and in order to ensure better conditions for the development and use of innovative technologies, regulations regarding artificial intelligence, retail payments and digital assets are going to be prioritised in the European Union.

Regarding retail payments, new regulations are going to accelerate the transformation of the payment sector. We will therefore expect in 2024 and 2025 several changes regarding, amongst other, evolving payment preferences of customers and merchants, the growing use of enabling technologies such as digital wallets or DLT, or the enhancement of anti-fraud measures.A recent trend is the adoption of EU Regulation 2023/1114 of 31 May 2023 on markets in crypto-assets, and amending EU Regulations 1093/2010 and 1095/2010 and Directives 2013/36/EU and 2019/1937 (“MiCAR”) which will apply at EU Level from mid to late 2024, where the use of financial technologies and digitalization of the banking and financial activities and more specifically the implementation of technological innovations in the field of capital markets (with the use of secured electronic registration systems, such as distributed ledger technology) has gained and will continue to play a significant role in the digitalization of the Luxembourg financial sector. MiCAR provides a regulated framework for the development of crypto asset markets, with the introduction of Crypto-Asset Service Providers (CASPs), subject to AML-CTF obligations.

On 9 December 2023, the proposed EU Regulation laying down harmonised rules on the use of artificial intelligence (the “AIA”) has been approved by the European Parliament and the Council. The agreed text will have to be adopted in the near future at the EU level and will be the world’s first comprehensive regulation on AI.

Sustainable Finance

In addition, the transition towards environmentally sustainable activities in the financial services sector will continue to reshape the economy and the financial system.

Under the Directive 2022/2464 of 14 December 2022 amending EU Regulation 537/2014, Directive 2004/109/EC, Directive 2006/43/EC and Directive 2013/34/EU, as regards corporate sustainability reporting (the “CSRD”), which entered into force on 5 January 2023, several firms have new reporting requirements on sustainability which will, among others, ensure that investors and other stakeholders have access to the information they need to assess the impact of companies on people and the environment and for investors to assess financial risks and opportunities arising from climate change and other sustainability issues. The first companies will have to apply the new rules in the 2024 financial year, for reports published in 2025.

Sustainability-related disclosures in the financial services sector

Banking regulation relating to sustainable finance is well under way, which aims at integrating Environmental, Social and Governance (ESG) criteria into financial services with a view to supporting sustainable economic growth. Against this background, it is imperative for Luxembourg banks to diversify their offerings to include sustainable finance products and services in order to remain competitive in the global arena.Digitalisation of banking and financial activities

The financial sector is undergoing a profound transformation to embrace digital transformation and benefit from the technological innovations which will reshape the banking industry’s architecture. In the context of the EU digital finance package, including MiCAR and the Digital Operational Resilience Act (“DORA”), the financial sector as a whole will need to swiftly establish thorough testing of Information Communication Technologies (ICT) risks for the purpose of enhancing the digital operational resilience of the data-driven financial system. In view of this, the Luxembourg banks will need to further develop better and more innovative financial products for consumers to succeed in this ever-increasing competitive environment whilst regulating the risks stemming from its growing dependency on software and digital processes.

Consequences of the surging inflation & global economic slowdown

As a measure to tackle the surging inflation affecting the global economy, major central banks, including the ECB, raised their policy interest rates to restrictive levels in 2023, leading to, among others, credit tightening from banks and challenge for companies in refinancing their debt. The rapid rise in interest rates in 2023 is also having an impact on the real economy as it has reduced the financing capacities of households and businesses resulting from measures taken by banks in tightening their lending conditions in response to the increased macroeconomic uncertainty.

Although inflation seems to temper in 2024 in Luxembourg, according to the projections from the Luxembourg National Institute for Statistics and Economic Studies of the Grand Duchy of Luxembourg – (“STATEC”), economic uncertainty persists, and financial and nonfinancial risks remain high. Having experienced a decline in overall activity in 2023, the Luxembourg financial sector is geared toward a gradual reversal of this trend. However financial institutions remain potentially vulnerable against a backdrop of rising interest rates.

Vulnerabilities in the residential real estate sector

In addition, the continued increase of the property prices and mortgage lending in Luxembourg continue to lead to a rising of household indebtedness. The high level of household debt is a significant risk for the real economy (given the importance of the real estate sector to financial and macroeconomic stability) and deserves a continued monitoring, from a financial stability perspective, as also recommended by the ESRB in its report on vulnerabilities in the residential real estate sectors of the EEA countries published on 11 February 2022 (the ESRB 2024 Report).  According to the ESRB 2024 Report on vulnerabilities in the residential real estate sectors of the EEA countries published on February 2024, macroprudential measures implemented so far have been partially effective in addressing the risks in the housing market in Luxembourg.