Comparative Guide to Banking Regulation – Finance and Banking



1 Legal framework

1.1 Which legislative and regulatory provisions govern the banking sector in your jurisdiction?

The main law governing credit institutions in Luxembourg is the Law of 5 April 1993 on the financial sector, as amended (the "Banking Law"), which covers:

  • access to professional activities in the financial sector (including the authorisation of credit institutions governed by Luxembourg law, and authorisation for the establishment of branches and the free provision of services in Luxembourg by credit institutions governed by foreign law);
  • professional obligations, prudential rules and rules of conduct in the financial sector;
  • prudential supervision of the financial sector;
  • prudential rules and obligations relating to recovery planning, intragroup financial support and early intervention; and
  • sanctions.

As Luxembourg is an EU member state, European banking regulation also applies to Luxembourg credit institutions – in particular, Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR). The Banking Law transposes into Luxembourg law, among others, Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (CRD IV).

Numerous specific laws and regulations (at both European and Luxembourg level) also apply, depending on the activities carried out by Luxembourg credit institutions (for example, investment services, securitisation, over-the-counter derivatives transactions, securities financing transactions, benchmark regulation).

Luxembourg credit institutions are also subject to the Law of 18 December 2015 on the resolution, reorganisation and winding-up measures of credit institutions and certain investment firms and on deposit guarantee and investor compensation schemes ("BRR Law"), which implements Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms (BRRD); and to the Law of 17 June 1992 on the annual and consolidated accounts of credit institutions governed by Luxembourg law ("Accounts Law").

The legal framework is supplemented by Grand-Ducal regulations, Commission de Surveillance du Secteur Financier (CSSF) regulations and CSSF circulars on a variety of specific topics. One of the most important circulars is CSSF Circular 12/552 on the central administration, internal governance and risk management of credit institutions, investment firms and professionals performing lending operations, as amended. As at the date of publication, an update of CSSF Circular 12/552 is imminent.

The terms "credit institution" and "bank" are used interchangeably throughout this Q&A.

1.2 Which bilateral and multilateral instruments on the banking sector have effect in your jurisdiction? How are regulatory cooperation and consolidated supervision ensured?

A number of international organisations work on topics that are of interest to the financial sector as a whole, and to credit institutions in particular.

Luxembourg is a member state of the Organisation for Economic Co-operation and Development (OECD), which works on establishing standards and better policies for a wide range of topics, such as corruption and tax evasion. Luxembourg is also a member of the Financial Action Task Force (FATF), which sets standards, issues recommendations and promotes the effective implementation of legal, regulatory and operational measures to combat money laundering and terrorist financing.

The CSSF is one of the banking supervisory authorities that are members of the Basel Committee on Banking Supervision, which is the primary global standard setter for the prudential regulation of banks.

The European Commission, the European Central Bank (ECB) and the OECD are members of the Financial Stability Board (FSB), an international organisation that monitors and makes recommendations for the global financial system.

The work carried out by these organisations generally influences European legislation, which is applicable to credit institutions in Luxembourg. For example, the Basel Framework is transposed via CRD IV and CRR; and the FATF recommendations are implemented at European level via Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, as amended.

The EU financial system is supervised by the European System of Financial Supervision (ESFS). The ESFS consists of:

  • the European Systemic Risk Board, which is responsible for the macroprudential oversight of the EU financial system and for the prevention and mitigation of systemic risk;
  • the three European supervisory authorities – the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority; and
  • national supervisory authorities.

Banking supervision is further ensured by the Single Supervisory Mechanism (SSM), which comprises the ECB and the national supervisory authorities and which, together with the Single Resolution Mechanism, forms the EU Banking Union.

The various authorities forming part of the ESFS are required, under their respective regulations, to cooperate with one another and to ensure the flow of appropriate and reliable information between them. Likewise, the regulations establishing the SSM require cooperation between the ECB and the ESFS, as well as cooperation within the SSM between the ECB and the national supervisory authorities.

Finally, specific EU directives and regulations, such as CRD IV and CRR, contain specific provisions on cooperation between authorities and on consolidated supervision. The Banking Law (which implements CRD IV in Luxembourg) includes a number of provisions on cooperation, coordination and the exchange of information between competent authorities (see in particular question 5.1).

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers (including sanctions) do they have?

CSSF: The Luxembourg financial sector regulator is the CSSF, which is under the authority of the Luxembourg Ministry of Finance.

The CSSF's powers include the right to:

  • have access to any document in any form whatsoever and receive a copy of it;
  • request information from any person and, where necessary, summon such a person in order to obtain information;
  • carry out on-site inspections or investigations in respect of persons subject to its prudential supervision;
  • require existing telephone recordings or other existing records of electronic communications or data traffic;
  • require the cessation of any practice that is contrary to the provisions of the CRR, the Banking Law and their implementing measures, and take measures to prevent the repetition of such practices;
  • request the freezing and/or sequestration of assets from the Luxembourg court of first instance (tribunal de grande instance);
  • impose a temporary prohibition on professional activity in respect of persons subject to its prudential supervision, as well as members of the management body, employees and tied agents connected with those persons;
  • request the approved statutory auditors of persons subject to its prudential supervision to provide information;
  • adopt any type of measure necessary to ensure that persons subject to its prudential supervision continue to comply with the requirements of the CRR, Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments, the Banking Law and their implementing measures;
  • refer information to the public prosecutor for criminal prosecution;
  • require approved statutory auditors or experts to carry out on-site verifications or investigations of persons subject to its prudential supervision, at the expense of the person concerned;
  • issue a communication to the public;
  • suspend the marketing or sale of financial instruments or structured deposits in certain specific cases;
  • require the removal of a natural person from the board of directors of a credit institution;
  • under certain conditions, require providers of communications networks and electronic communications to hand over records of electronic communications; and
  • generally require from any person subject to its supervision any information that may be useful for the performance of its supervisory task.

The CSSF also has powers of injunction and suspension, by which it may order a person subject to its supervision, within a specified period, to remedy any situation or to cease any practice that is contrary to legal, regulatory or statutory provisions, or to cease any conduct and refrain from repeating any behaviour that would be contrary to those provisions. Where the situation in question has not been remedied within the period set, the CSSF may:

  • suspend the members of the management body or any other person;
  • suspend the exercise of the voting rights attached to the shares held by the shareholders or members of the supervised entity; or
  • suspend the activities of the supervised entity or a particular area of those activities.

The CSSF may publish circulars and regulations on specific topics relating to its supervisory powers.

The CSSF may impose administrative sanctions on legal persons subject to its supervision and on members of the management body, effective managers or persons responsible for a violation at those legal persons if:

  • they fail to comply with the applicable laws, regulations, statutory provisions or instructions;
  • they refuse to provide the accounting documents or other information requested;
  • they have provided documentation or other information that proves to be incomplete, incorrect or false;
  • they obstruct the exercise of the CSSF's powers of supervision, inspection and investigation;
  • they contravene the rules governing the publication of balance sheets and accounts;
  • they fail to act in response to injunctions of the CSSF; or
  • they act in such a way as to jeopardise the sound and prudent management of the supervised entity concerned.

In such cases, the CSSF may impose the following sanctions:

  • a warning;
  • a reprimand;
  • a fine of between €250 and €250,000;
  • a temporary or permanent prohibition on carrying out any number of operations or activities, as well as any other restriction on the activities of the person or entity; and/or
  • a temporary or permanent prohibition on the exercise of the profession by the directors or managers of persons or entities subject to the supervision of the CSSF.

These sanctions may be published.

The Banking Law further contains a number of specific sanctions that may be imposed for:

  • specific breaches of the Banking Law;
  • specific breaches committed by CRR institutions; or
  • specific breaches relating to the provision of investment services, the performance of investment activities or the provision of data reporting services.

These sanctions include:

  • administrative pecuniary sanctions of up to 10% of the total annual net turnover;
  • administrative pecuniary sanctions of up to €5 million; or
  • administrative pecuniary sanctions of up to twice the amount of the benefit derived from the breach.

Other sanctions may be provided for in specific laws.

ECB: The ECB plays a central role in the supervision of credit institutions within the SSM. In particular, the ECB is responsible for:

  • granting and withdrawing the authorisation of credit institutions;
  • assessing acquisitions and disposals of qualifying holdings (see question 9.2);
  • ensuring compliance with EU prudential requirements;
  • ensuring compliance with EU governance requirements; and
  • carrying out supervisory reviews, on-site inspections and investigations.

The ECB is also responsible for the effective and consistent functioning of the SSM. The ECB directly supervises a number of "significant" credit institutions, whereas "less significant" credit institutions are supervised by their national supervisory authorities in cooperation with the ECB.

The ECB may adopt regulations. The ECB has the power to impose sanctions where institutions fail to comply with obligations arising from ECB decisions or regulations, in accordance with Council Regulation (EC) No 2532/98 of 23 November 1998 concerning the powers of the European Central Bank to impose sanctions. These sanctions include fines and periodic penalty payments.

Banque Centrale du Luxembourg (BCL): The BCL is the Luxembourg central bank and forms part of the European System of Central Banks. The BCL implements the decisions taken by the ECB in Luxembourg and is competent for monetary policy operations for Luxembourg credit institutions.

The BCL is also responsible for:

  • monitoring the general liquidity situation on the markets and of market operators;
  • ensuring the efficiency and safety of payment systems and securities settlement systems, as well as the safety of payment instruments; the BCL may request information from payment and securities settlement systems and may also carry out on-site visits in this regard;
  • contributing to ensuring financial stability by cooperating with the prudential supervisory authorities; and
  • collecting statistical information from the competent national authorities or directly from economic agents, including credit institutions; the BCL may carry out spot checks of the information provided.

The BCL has regulatory power and may issue regulations and circulars on topics relating to its tasks. It also applies the decisions of the ECB and implements the sanctions imposed by the ECB.

Commissariat aux Assurances (CAA): The CAA is the Luxembourg regulator responsible for the insurance sector. Credit institutions that provide insurance-related services may be subject to the supervision of the CAA for those services.

1.4 What are the regulators' current priorities and how does the regulator engage with the banking sector?

The CSSF's current priorities are as follows:

  • The forthcoming FATF visit to Luxembourg: The CSSF has organised conferences, in collaboration with the Luxembourg Bankers' Association, in order to raise awareness in the financial sector of the upcoming visit and to explain the methodology used by the FATF.
  • Brexit: The Luxembourg legislature adopted two laws on 8 April 2019 concerning the measures to be taken in relation to the financial sector in the event of the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union (the "Brexit Laws"). The aim of the Brexit Laws was to anticipate the loss by firms established and authorised in the United Kingdom, including credit institutions, of the benefit of their passporting rights in the event of a "hard" Brexit (as they will be regarded as "third-country firms" after Brexit), and to ensure the continuity of existing contracts and the proper functioning and stability of the financial markets by allowing UK firms to continue their activities in Luxembourg during a transitional period. On 15 July 2019 the CSSF published two press releases (as well as follow-up press releases) providing details of the transitional period and of how to file an application in order to benefit from it. As Brexit took place on 31 January 2020 and the Brexit agreement was approved, the "hard" Brexit that the Brexit Laws provided for did not occur. The CSSF published a press release on 31 January 2020 stating that the individual decisions taken under the Brexit Laws to grant UK entities the benefit of a transitional period would now lapse and that the transition period provided for by the Brexit agreement applied instead. The Luxembourg financial sector is therefore now in a waiting period until 31 December 2020; and there has not yet been any confirmation from the CSSF that a process similar to that provided for by the Brexit Laws will be applied after that date.

2 Form and structure

2.1 What types of banks are typically found in your jurisdiction?

The Law of 5 April 1993 on the financial sector, as amended ("Banking Law"), covers two types of banks: universal banks and banks issuing mortgage bonds.

As at 2 January 2020, the Luxembourg banking sector was made up of 129 banks, including:

  • 83 universal banks;
  • two banks issuing mortgage bonds;
  • 13 branches of third-country credit institutions; and
  • 31 branches of credit institutions established in the European Union.

Corporate banking, private banking, and investment fund management and custody are the main business areas of banks in Luxembourg.

2.2 How are these banks typically structured?

A Luxembourg credit institution must be a legal person governed by Luxembourg law in the form of a public-law institution, a société anonyme (public limited company), a société en commandite par actions (partnership limited by shares) or a société coopérative (cooperative society).

2.3 Are there any restrictions on foreign ownership of banks?

There are no restrictions on foreign ownership of banks. To the extent that a foreign entity acquires or disposes of a Luxembourg bank, the provisions on acquisitions and disposals of qualifying holdings (see question 9) apply.

2.4 Can banks headquartered abroad operate in your jurisdiction on the basis of their foreign licence?

Banks established in a foreign jurisdiction can operate in Luxembourg. However, a distinction is made between banks established in an EU member state and banks established in a jurisdiction outside the European Union (a third country).

Banks established in an EU member state: Credit institutions established and authorised in another EU member state may operate in Luxembourg through the cross-border provision of services, through the establishment of a branch in Luxembourg or through the use of a tied agent, to the extent that the activities to be carried out in Luxembourg are covered by their licence and are listed in Annex I or in Sections A or C of Annex II to the Banking Law (see question 3.1). In this case, no authorisation from the Luxembourg authorities is required and the European passport regime applies. Financial institutions as defined in Article 4(1)(26) of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended, may also operate in Luxembourg, subject to certain specific conditions.

Banks established in a third country: Third-country credit institutions that wish to establish a branch in Luxembourg in order to carry out their banking activities are subject to the same authorisation requirements as Luxembourg credit institutions. Where the applicant third-country credit institution intends to carry out activities involving the management of third-party funds, it must have own funds that are separate and distinct from the assets of its shareholders. The branch must also have at its permanent disposal endowment capital or a financial base equivalent to that required of a person governed by Luxembourg law carrying out the same activities.

Third-country credit institutions that are not established in Luxembourg, but that come to Luxembourg occasionally and temporarily in order to, among other things, collect deposits and other repayable funds from the public and provide any other service subject to the Banking Law, must obtain an authorisation. To obtain the authorisation, the third-country credit institution must be subject, in its home country, to authorisation and supervision rules equivalent to those of the Banking Law.

Specific conditions apply where a third-country credit institution intends to provide investment services in Luxembourg. If the third-country credit institution intends to provide investment services to eligible counterparties and to professional clients within the meaning of Section A of Annex III to the Banking Law (ie, per se professional clients, which are certain types of entities regarded as professional clients under the Banking Law), it may establish a branch in Luxembourg that is subject to the same authorisation conditions as credit institutions and investment firms governed by Luxembourg law. However, it may also operate in Luxembourg without establishing a branch if:

  • it is authorised in its home jurisdiction to provide the investment services that it intends to provide in Luxembourg;
  • either the European Commission (under Article 47 of Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (MiFIR)) or the Commission de Surveillance du Secteur Financier (CSSF) has adopted an equivalence decision confirming that the legal and supervisory regime of the third country establishes prudential and business conduct rules equivalent to those of MiFIR, Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments, Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms or the Banking Law, as applicable; and
  • cooperation arrangements have been concluded between the European Securities and Markets Authority or the CSSF, as applicable, and the relevant competent authority of the third country.

If the third-country credit institution intends to provide investment services to retail clients or to professional clients within the meaning of Section B of Annex III to the Banking Law (ie, clients that are not per se professional clients, but that have asked to be treated as professional clients), it must establish a branch in Luxembourg that is subject to the same authorisation conditions as credit institutions and investment firms governed by Luxembourg law and to a number of additional conditions.

3 Authorisation

3.1 Which licences are required to provide banking services in your jurisdiction? Which activities do they cover?

No person governed by Luxembourg law may carry out the business of a credit institution without holding a written authorisation from the minister of finance. Entities authorised as a credit institution in Luxembourg hold a "universal banking licence".

Credit institutions are authorised to:

  • carry out the following banking activities:

    • acceptance of deposits and other repayable funds;
    • lending;
    • financial leasing;
    • provision of payment services;
    • provision of guarantees and commitments;
    • trading for own account or for the account of clients in money market instruments, foreign exchange, financial futures and options, exchange and interest rate instruments, and transferable securities;
    • participation in securities issues and provision of services related to such issues;
    • advice to undertakings on capital structure, industrial strategy and related questions, and advice as well as services relating to mergers and acquisitions;
    • money broking;
    • portfolio management and advice;
    • safekeeping and administration of securities;
    • credit reference services;
    • safe custody services; and
    • issuing of electronic money;
  • provide the following investment services and carry out the following investment activities:

    • reception and transmission of orders relating to financial instruments;
    • execution of orders on behalf of clients;
    • dealing on own account;
    • portfolio management;
    • investment advice;
    • underwriting of financial instruments and/or placing of financial instruments on a firm commitment basis;
    • placing of financial instruments without a firm commitment basis;
    • operation of multilateral trading facilities; and
    • operation of organised trading facilities;
  • provide ancillary services such as:

    • safekeeping and administration of financial instruments on behalf of clients;
    • granting of credit or loans to investors to allow them to carry out a transaction in one or more financial instruments;
    • advice to undertakings on capital structure, industrial strategy and related questions;
    • foreign exchange services, where these are connected to the provision of investment services;
    • investment research and financial analysis or other forms of recommendation relating to transactions in financial instruments; and
    • services related to underwriting; and
  • carry out any other activity falling within the scope of the Law of 5 April 1993 on the financial sector, as amended ("Banking Law") (including the activities of registrar agent, professional depositary of financial instruments, professional depositary of assets other than financial instruments, operator of a regulated market authorised in Luxembourg, currency exchange dealer, debt recovery, professional performing lending operations, professional performing securities lending, family office, mutual savings fund administrator, corporate domiciliation agent, professional providing company incorporation and management services, client communication agent, administrative agent of the financial sector, primary IT systems operator of the financial sector, secondary IT systems and communication networks operator of the financial sector, dematerialisation service provider of the financial sector, conservation service provider of the financial sector).

3.2 What conditions must be met in order to obtain a licence?

The Banking Law sets out a number of basic requirements with which an institution must comply in order to obtain authorisation as a credit institution. The proposed credit institution must be established in one of the legal forms set out in question 2.2.

The applicant must prove the existence in Luxembourg of the central administration (ie, both the decision-making centre and the administrative centre) and of the registered office of the proposed credit institution. Certain administrative aspects may be outsourced or carried out abroad by subsidiaries if the applicant is in a group context. The credit institution must have robust internal governance arrangements, including:

  • a clear organisational structure with well-defined, transparent and consistent lines of responsibility;
  • effective processes to identify, manage, monitor and report the risks to which it is or might be exposed; and
  • adequate internal control mechanisms, including sound administrative and accounting procedures and remuneration policies and practices that allow and promote sound and effective risk management, as well as control and security arrangements for information processing systems.

Specific organisational requirements must be met if the credit institution provides investment services and/or carries out investment activities.

The applicant must provide the Commission de Surveillance du Secteur Financier (CSSF) with the identity of its shareholders, whether direct or indirect and whether natural or legal persons, that hold qualifying holdings in the institution to be authorised or, in the absence of qualifying holdings, of the 20 largest shareholders. The CSSF assesses the shareholding of the institution to be authorised and verifies whether:

  • the sound and prudent management of the credit institution can be ensured;
  • the shareholders have a good professional reputation and possess sufficient knowledge, skills and experience;
  • prudential supervision can be exercised without hindrance and supervision on a consolidated basis is ensured;
  • the shareholding structure is transparent and well organised;
  • the shareholders are financially sound; and
  • there are reasonable grounds to suspect that money laundering or terrorist financing activities are under way or have been undertaken, or that there is an increased risk of such activities.

The members of the management body must at all times be of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties.

The applicant must have share capital of at least €8.7 million (see question 4.2).

The institution must have its annual accounts audited by one or more approved statutory auditors. As a general rule, one of the "Big Four" is appointed for this purpose.

Authorisation is also subject to the proposed credit institution's membership of the Luxembourg deposit guarantee scheme (Fonds de Garantie des Dépôts Luxembourg) (see question 10.2) and the Luxembourg investor protection scheme (Système d'Indemnisation des Dépôts Luxembourg).

3.3 What is the procedure for obtaining a licence? How long does this typically take?

The authorisation procedure generally begins with a meeting between the applicant and the CSSF to discuss the application for authorisation as a credit institution. The CSSF recommends that these preliminary discussions take place before the official filing of the application file.

The official application for authorisation is made by way of a written application to be filed with the CSSF, both electronically and on paper. The application must be accompanied by all information necessary for its assessment and by a programme of operations indicating the type and volume of business envisaged and the administrative and accounting structure of the institution. The minimum content of the application file, as well as the list of documents to be provided with the banking licence application file, are available on the CSSF's website.

The European Central Bank (ECB) is competent to authorise all credit institutions established in EU member states participating in the Single Supervisory Mechanism (including Luxembourg). The CSSF notifies the ECB of the receipt of an application file, and the application file is assessed by both the CSSF and the ECB. If the CSSF considers the application file satisfactory, it will submit to the ECB a proposal to authorise the credit institution; the ECB will then grant the authorisation and inform the CSSF.

The CSSF must notify its decision within six months of receipt of the application or, if the application is incomplete, within six months of receipt of the information necessary for the decision to be adopted. The absence of a decision within six months is deemed to be a refusal. In any event, a decision is adopted within 12 months of receipt of the application, and the absence of a decision is deemed to be a notification of refusal.

Authorisation is granted for an unlimited period.

The application is subject to an initial fee of €15,000. Annual licence fees apply depending on the size of the credit institution's balance sheet. An annual lump sum is also due for participation in the Luxembourg deposit guarantee scheme (Fonds de Garantie des Dépôts Luxembourg), depending on the amount of guaranteed deposits.

4 Regulatory capital and liquidity

4.1 How are banks typically funded in your jurisdiction?

As with other euro area banks following the 2008 financial crisis, customer deposits represent the main source of funding. In 2016, deposits due to customers represented 45.82% of total liabilities; this figure has risen steadily to reach 48.84% in 2018. These deposits come from non-financial and financial corporations, private and/or retail clients, and the current accounts of investment funds. The second major area of funding for Luxembourg banks is interbank liabilities, which represented 31.08% of total liabilities in 2018.

4.2 What minimum capital requirements apply to banks in your jurisdiction?

Credit institutions must have a share capital of at least €8.7 million which is subscribed, fully paid up and compliant with the relevant provisions of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR) (Articles 28 and, as applicable, 29). They are also subject to specific capital adequacy rules and must maintain a number of capital buffers.

Under the CRR, credit institutions must maintain, at all times, a total capital ratio (ie, the own funds of the credit institution expressed as a percentage of the total risk exposure amount, calculated in accordance with the relevant provisions of the CRR) of 8%. The capital ratio must be composed of 4.5% of Common Equity Tier 1 capital, 1.5% of Additional Tier 1 capital and 2% of Tier 2 capital (each as defined under the CRR).

Under the Law of 5 April 1993 on the financial sector, as amended, credit institutions must maintain a capital conservation buffer composed of Common Equity Tier 1 capital equal to 2.5% of their total risk exposure amount calculated in accordance with the CRR, and an institution-specific countercyclical capital buffer composed of Common Equity Tier 1 capital which is equivalent to their total risk exposure amount calculated in accordance with the CRR multiplied by the weighted average of the countercyclical buffer rates. The CSSF is responsible for setting the countercyclical buffer rates applicable in Luxembourg. As per CSSF Regulation 19-08 of 1 October 2019, the countercyclical buffer rate for the fourth quarter of 2019, which is applicable as from 1 January 2020, is 0.25%.

Credit institutions may also, under certain conditions, be required to maintain a systemic risk buffer of Common Equity Tier 1 capital.

‘Globally systemically important institutions' and ‘other systemically important institutions' (as defined in question 5.2(b)) must maintain the additional capital buffers set out in question 5.2(b).

4.3 What legal reserve requirements apply to banks in your jurisdiction?

The European Central Bank requires credit institutions established in the euro area to hold deposits on accounts with their national central bank. These are called ‘minimum' reserves. The reserve requirements are set out in Regulation (EC) No 1745/2003 of the European Central Bank of 12 September 2013 on the application of minimum reserves, as amended. In this respect, it should be noted that:

  • branches in the euro area of credit institutions established outside the euro area are also subject to the minimum reserve requirements; and
  • branches of euro area credit institutions which are located outside the euro area are not subject to the minimum reserve requirements.

Since 18 January 2012, the reserve ratio is:

  • 1% for overnight deposits, deposits with agreed maturity or period of notice up to two years, debt securities issued with maturity up to two years and money market paper; and
  • 0% for deposits with agreed maturity or period of notice over two years, repos and debt securities issued with maturity over two years.

5 Supervision of banking groups

5.1 What requirements apply with regard to the supervision of banking groups in your jurisdiction?

The Law of 5 April 1993 on the financial sector, as amended (‘Banking Act') – which implements, among others, Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (CRD IV) and Directive 2002/87/EC of the European Parliament and of the Council of 16 December 2002 on the supplementary supervision of credit institutions, insurance undertakings and investment firms in a financial conglomerate, as amended – contains provisions on:

  • the supervision of credit institutions carrying on business in more than one EU member state;
  • the supervision of credit institutions subject to Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR) on a consolidated basis; and
  • the supplementary supervision of credit institutions in a financial conglomerate.

The CRR also includes provisions with respect to prudential consolidation to which credit institutions may be subject.

The prudential supervision of Luxembourg credit institutions by the Commission de Surveillance du Secteur Financier (CSSF) covers the activities performed by such credit institution in other EU member states via the establishment of branches or the cross-border provision of services. The Banking Act also sets out the CSSF's powers with respect to Luxembourg branches of credit institutions from other EU member states, and the respective rights and competence of the CSSF and other competent authorities.

There are certain cases where the CSSF is required to exercise prudential supervision on a consolidated basis, meaning on the basis of the situation that results from applying the CRR requirements to a credit institution as if that credit institution formed, together with one or more other entities, a single institution. Such consolidated supervision applies, for instance:

  • to Luxembourg parent credit institutions;
  • to Luxembourg parent financial holding companies having as a subsidiary a Luxembourg credit institution; and
  • under certain conditions, where the relevant group includes a Luxembourg credit institution and such credit institution shows the largest balance-sheet total.

The consolidated supervision covers, for instance, the items referred to in Article 11 of the CRR (eg, requirements with respect to own funds and eligible liabilities, capital requirements, large exposures and leverage), capital adequacy, internal governance requirements, certain intra-group transactions, risk management processes and internal control mechanisms, and the professional repute, experience, knowledge and skills of the members of the management body of a financial holding company or mixed financial holding company.

The CSSF must identify any group of companies that constitutes a financial conglomerate as defined in the Banking Act. The CSSF exercises supplementary supervision over Luxembourg credit institutions that belong to a financial conglomerate if the CSSF assumes the role of ‘coordinator' for the supervision of regulated entities in that financial conglomerate. The Banking Act sets out the different scenarios in which the CSSF may act as coordinator; this is the case, for instance, where:

  • the financial conglomerate is headed by a credit institution or an investment firm authorised in Luxembourg;
  • it is headed by a mixed financial holding company which is the parent of a credit institution or investment firm authorised in Luxembourg; or
  • a Luxembourg credit institution or investment firm belongs to a financial conglomerate, subject to certain specific conditions.

All the financial sector entities within a financial conglomerate – whether regulated or not and whether established in an EU member state or in a third country – fall within the scope of the supplementary supervision of the CSSF. The supplementary supervision to be carried out by the CSSF covers the financial position of the financial conglomerate, and in particular the capital adequacy, risk concentration, intra-group transactions, internal control mechanisms and risk management processes.

The Banking Act contains rules on:

  • cooperation, coordination and exchange of information between competent authorities;
  • access to and verification of information;
  • the powers and enforcement measures of competent authorities; and
  • the measures at the disposal of the CSSF in order to effectively exercise its supervision.

5.2 How are systemically important banks supervised in your jurisdiction?

‘Systemically important' banks must be distinguished from ‘significant' banks, as these concepts entail different consequences.

Significant and less significant institutions: The European Central Bank (ECB) directly supervises ‘significant' credit institutions; whereas ‘less significant' credit institutions are supervised by their national supervisory authorities in cooperation with the ECB. A credit institution will be considered as significant if it fulfils at least one of the significance criteria set out in Regulation (EU) No 468/2014 of the European Central Bank of 16 April 2014 establishing the framework for cooperation within the Single Supervisory Mechanism between the European Central Bank and national competent authorities and with national designated authorities and Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions. These criteria include:

  • the credit institution's size;
  • its economic importance for the European Union as a whole or a specific EU member state;
  • the significance of its cross-border activities;
  • whether it has requested direct public financial assistance from the European Stability Mechanism or the European Financial Stability Facility; and
  • whether the credit institution is one of the three most significant credit institutions established in an EU member state.

The ECB maintains a list of significant credit institutions.

Systemically important institutions: CRD IV defines ‘globally systemically important institutions' (G-SIIs) and ‘other systemically important institutions' (O-SIIs). The CSSF is the authority designated to identify the systemically important institutions authorised in Luxembourg, which include G-SIIs and O-SIIs. The CSSF takes its decisions in this respect after consultation with the Banque Centrale du Luxembourg (BCL) and the Luxembourg Systemic Risk Committee.

G-SIIs and O-SIIs are subject to additional capital requirements. G-SIIs must maintain an additional capital buffer (the G-SII buffer) that consists of Common Equity Tier 1 capital and varies between 1% and 3.5%, depending on the degree of systemic importance of the bank. O-SIIs may, subject to certain conditions, be required by the CSSF to maintain an additional capital buffer (the O-SII buffer) that consists of Common Equity Tier 1 capital. According to CSSF Regulation 19-09 of 29 October 2019 concerning systemically important institutions authorised in Luxembourg, there are as at the date of this publication no G-SIIs in Luxembourg. Eight O-SIIs have been identified, which are subject to O-SII buffers between 0.5% and 1% (depending on the institution) as of 1 January 2020.

5.3 What is the role of the central bank?

See question 1.3(c) above for the role of the BCL in general. As mentioned under question 5.2, the BCL also has a consultation role with respect to the supervision of systemically important institutions.

6 Activities

6.1 What specific regulations apply to the following banking activities in your jurisdiction: (a) Mortgage lending? (b) Consumer credit? (c) Investment services? and (d) Payment services and e-money?

Mortgage lending: Mortgage credit is one of the activities listed in Annex I of the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act') that credit institutions are authorised to perform.

Specific provisions on mortgage lending have been introduced in the Luxembourg Consumer Code by the Luxembourg law of 23 December 2016 which implements Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property.

See question 10.1 concerning specific requirements for consumer protection.

The Banking Act was amended by the law of 4 December 2019 on macro-prudential measures concerning residential mortgages. This law was adopted following a recommendation by the European Systemic Risk Board in order to prevent the overheating of the mortgage lending market in Luxembourg. The new provisions allow the Commission de Surveillance du Secteur Financier (CSSF) – in collaboration with the BCL, the Commissariat aux Assurances and the Luxembourg Systemic Risk Committee – to impose on credit institutions, insurance companies and other professionals of the financial sector additional guidelines on credit criteria for mortgage loans relating to residential real estate located in Luxembourg. These measures can be taken only where they are required to counter the dysfunction of the national financial system or reduce the risks for the national financial stability stemming from developments in the real estate sector in Luxembourg.

Consumer credit: Consumer credit is one of the activities listed in Annex I of the Banking Act that credit institutions are authorised to perform.

Specific provisions on consumer credit have been introduced in the Consumer Code by the Luxembourg law of 8 April 2011 which implements Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers.

See question 10.1 concerning specific requirements for consumer protection.

Investment services: At a European level, investment services are regulated by Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (MiFID II) and Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (MiFIR).

MiFID II has been implemented in Luxembourg by the law of 30 May 2018 on markets in financial instruments (‘MIFID Law'), which amends the Banking Act.

Credit institutions are authorised to perform MiFID II investment services subject to the provisions of the Banking Act, the MIFID Law and MiFIR (see question 3.1).

Payment services and e-money: Payment services and the activity of electronic money institutions are governed by the Luxembourg law of 10 November 2009 on payment services, on the activity of electronic money institutions and settlement finality in payment and securities settlement systems, as amended (‘2009 Law') which implements into Luxembourg law the provisions of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market and of Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions.

Credit institutions are authorised to provide payment services as defined in the 2009 Law and to issue electronic money within the meaning of the 2009 Law, subject to the provisions of the Banking Act and the 2009 Law.

7 Reporting, organisational requirements, governance and risk management

7.1 What key reporting and disclosure requirements apply to banks in your jurisdiction?

Banks are subject to extensive reporting requirements, and in particular prudential reporting requirements under Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR). This includes reporting on own funds, financial information, large exposures, leverage, liquidity, losses stemming from lending collateralised by immovable property and asset encumbrance. The content and format of the reporting are harmonised by Commission Implementing Regulation (EU) No 680/2014 of 16 April 2014 laying down implementing technical standards with regard to supervisory reporting of institutions according to the CRR.

There are additional reporting requirements covered by Luxembourg provisions. Banks must, for instance, provide:

  • information on participating interests and subordinated loans;
  • information on staff expenses and taxes;
  • a list of their head offices, agencies, branches and representative offices;
  • an analysis of shareholdings; and
  • a list of persons responsible for certain functions and activities.

Ad hoc reports may also be requested by the Commission de Surveillance du Secteur Financier (CSSF).

In order to assist banks with their reporting obligations, the CSSF published Circular 14/593, as amended, on supervisory requirements applicable to credit institutions, as well as Circular 19/731, which lists the documents to be submitted to the CSSF and the European Central Bank on an annual basis, as well as the appropriate timing for submission. The CSSF also published a guide on reporting requirements for credit institutions.

Depending on their activities, banks may also be subject to specific reporting requirements under specific regulations. For instance, Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories requires settlement internalisers (ie, credit institutions which execute transfer orders on behalf of clients or on their own account other than through a securities settlement system) to report to the CSSF on a quarterly basis the aggregated volume and value of all securities transactions that they settle outside securities settlement systems. Likewise, Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories and Regulation (EU) 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse require banks that are counterparties to derivative contracts and securities financing transactions, respectively, to report the details of such contracts and transactions to trade repositories.

Banks have an obligation to publish their duly approved annual accounts together with the management reports and the reports from the persons responsible for auditing the accounts in accordance with the Accounts Law. Banks are further subject to periodic statistical reporting to the Banque Centrale du Luxembourg.

7.2 What key organisational and governance requirements apply to banks in your jurisdiction?

Generally, credit institutions must have in place effective policies and procedures to ensure compliance with their legal obligations and avoid conflicts of interest. From a systems perspective, credit institutions must invest appropriately to ensure continuity and regularity of services, and have appropriate risk management and security systems in place. Outsourcing is permitted; however, it must be contractualised and banks remain fully liable for any outsourced functions. Banks must ensure accurate recordkeeping for all services and transactions and ensure that, in respect of client assets, those assets' ownership rights are protected. Client financial instruments may not be used on own account, except where a client has provided express permission.

The Law of 5 April 1993 on the financial sector, as amended and the CRR require the management body of institutions to define, oversee and be accountable for the implementation of governance arrangements. The key accountabilities include the strategic objectives, risk strategy, and internal governance. In addition, the management body must ensure the integrity of the financial reporting system and exercise effective oversight of the daily management of the bank. There is a prohibition against combining the role of chair of the management body and chief executive officer. In respect of the composition of the management body, particular attention must be paid to the experience, skills, and knowledge of individual members, but also of the management body as a whole. There are detailed requirements in respect of time commitment and the number of directorships which may be held simultaneously. Credit institutions must also ensure that adequate human and financial resources are dedicated to the induction and training of members of the management body.

In addition, CSSF Circular 12/552 sets out detailed requirements relating to internal governance arrangements and specific requirements for the finance and IT functions. Banks must have appropriate internal communication and whistleblower arrangements and must also have put in place crisis management protocols, which have been tested. All governance arrangements must be documented in writing. Following the implementation of CSSF Circular 12/552 in late 2012, this was a major area of focus for banks in Luxembourg.

7.3 What key risk management requirements apply to banks in your jurisdiction?

Banks in Luxembourg must have adequate internal control systems in place to promote sound and effective risk management. The CSSF recommends that larger or more complex institutions have a risk committee to assist the management body in order to facilitate effective risk control at management body level. CSSF Circular 12/552 requires the management body to approve a risk policy which implements the risk strategy of the institutions. This policy must include:

  • the institution's risk tolerance determination;
  • an internal limits system which limits risk taking in accordance with the risk tolerance;
  • measures aimed to promote a sound risk culture;
  • the existence of a risk control function and management arrangements for limits breaches and corrective measures for such breaches;
  • the definition of a risk management information system; and
  • crisis management and business continuity arrangements.

Further, the management body must set a capital and liquidity policy which:

  • defines internal standards in relation to the management, scope and quality of the regulatory and internal own funds and liquidity reserves;
  • defines processes to ensure reliable management information;
  • ensures the permanent adequacy of the regulatory and internal own funds and liquidity reserves;
  • effectively manages stress situations; and
  • designates the functions in charge of the management, functioning and improvement of the processes, limit systems, procedures and internal controls.

CSSF Circular 12/552 requires the establishment of three distinct internal control functions (risk, internal audit and compliance). The risk and compliance functions form part of the second line of defence, while the internal audit function constitutes the third line of defence. Each of the three control functions shall be under the responsibility of a separate head of function (who, for the risk control function, is referred to as the ‘chief risk officer'). The principle of proportionality applies and it is therefore possible to merge the risk management and compliance functions on a case-by-case basis. The risk management function (as well as the compliance and audit functions) must be permanent and independent, and hold sufficient authority. The chief risk officer must have direct access to the members of the management body or its chair (or chair of the risk committee), the external auditor and the CSSF. The bank shall ensure that individuals working within the risk management function have a high level of professional experience and that the function is appropriately resourced. It is not permissible to outsource the risk management function. Under the principle of proportionality, a full-time chief risk officer may not be required for smaller institutions and this is evaluated on a case-by-case basis.

There are a number of important tasks which fall within the remit of the risk management function:

  • monitoring risk limits and their compatibility with the strategies, activities and organisational and operational structure of the bank;
  • systematic production of accurate risk management information for authorised management to understand the risks to which the institution is or may be exposed;
  • the development of effective terminology, methods and technical resources to anticipate risk, as well as to identify, measure, report, manage, and monitor risks;
  • the development of conservative assumptions in particular regarding dependencies between risks; and
  • the anticipation and recognition of risks arising in a changing environment.

An annual risk management report relating to the tasks of the risk management function is prepared and submitted to the management body, in addition to regular and ad hoc reporting. Any serious problems, shortcomings or irregularities must be reported immediately by the risk management function to authorised management and the management body. It is also noteworthy that Luxembourg credit institutions must take risks into account when assessing new or expanded product offerings.

7.4 What are the requirements for internal and external audit in your jurisdiction?

External audit: Credit institutions must have their annual accounts audited by one or more approved statutory auditors. One of the ‘Big Four' is typically appointed in order to perform this task. Any change in the approved statutory auditor must be authorised in advance by the CSSF.

The Accounts Law specifies the content that must be included in the report of the approved statutory auditors. The approved statutory auditors must also express an opinion concerning the consistency of the management report with the annual accounts and provide an audit opinion stating clearly whether the annual accounts give a true and fair view in accordance with the relevant financial reporting framework and whether the annual accounts comply with the applicable statutory requirements.

Internal audit: As mentioned under question 7.3, CSSF Circular 12/552 requires the establishment of three distinct internal control functions, which includes an internal audit function.

The internal audit function shall be under the responsibility of a specific head of function (the ‘chief internal auditor'). The appointment and removal of the person in charge of the internal audit function must be approved by the board of directors of the bank and reported in writing to the CSSF. The ‘chief internal auditor' must have direct access to the members of the management body or its chair, the external auditor and the CSSF.

The internal audit function must be permanent, independent and objective, and have sufficient authority. It must be able to express itself freely and access all relevant external and internal data in order to fulfil its mission. The members of the internal audit function must individually and collectively possess high professional skills in the field of banking and financial activities, and be able to cover all activities of the institution; ongoing training must be organised. The internal audit function must be appropriately resourced.

The main task of the internal audit function is to review and assess the central administration and the internal governance arrangements of the credit institution and to ensure that they are adequate and operate effectively. The internal audit function shall in particular assess:

  • the monitoring of compliance with applicable laws and regulations and the prudential requirements imposed by the CSSF;
  • the efficiency and effectiveness of internal controls;
  • the adequacy of the administrative, accounting and IT organisation;
  • the safeguarding of securities and assets;
  • the adequacy of the segregation of duties and of the execution of transactions;
  • the accurate and complete registration of transactions;
  • the provision of accurate, complete, relevant and understandable information to the board of directors, relevant committees, authorised management and the CSSF, as applicable;
  • the implementation of decisions taken by the authorised management and by the persons acting by delegation and under its responsibility;
  • compliance with the procedures governing the adequacy of the regulatory and internal own funds and liquidity (reserves);
  • the adequacy of the risk management; and
  • the operation and effectiveness of the compliance and risk management functions.

Each internal audit mission must be documented and subject to a written report. An annual internal audit report relating to the tasks of the internal audit function must also be prepared.

The internal audit function may be outsourced by smaller credit institutions whose risk profile is low and non-complex. Such outsourcing is subject to an assessment by the CSSF. The internal audit function may not be outsourced to the approved statutory auditor which is appointed as external auditor.

CSSF Circular 12/552 contains additional details on the organisation and responsibilities of the internal control functions, including the internal audit function, and the way in which they must execute their work.

8 Senior management

8.1 What requirements apply with regard to the management structure of banks in your jurisdiction?

In Luxembourg, both shareholders and members of the management body must be able to demonstrate that they possess sufficiently good repute and that the members of the management body possess sufficient knowledge, skills and experience to perform their duties. These requirements are applicable both on licence application and on a continuing basis. At least two individuals must be responsible for the management of the credit institution and those individuals must typically reside in or near Luxembourg.

The board of directors entrusts authorised management with the daily running of the bank, which includes the implementation of all guiding principles and internal governance arrangements approved by the board. The board of directors is responsible for monitoring and overseeing the effectiveness of authorised management. Each member of authorised management is responsible for personally overseeing the activities and functions which fall under their direct responsibility on a regular basis.

There must be a sufficient number of directors so that their collective competencies are appropriate for the nature, scale and complexity of the bank's activities. The board of directors may create dedicated board committees (membership drawn from members of the board of directors) in the fields of audit, risk, compliance, remuneration, nomination and so on. The determination of which committees are required and which topics are discussed is made by the institution having regard to its business activities. Larger institutions typically have a number of board committees. Smaller institutions may not require a board committee.

Commission de Surveillance du Secteur Financier (CSSF) Circular 12/552 also requires the creation of internal control functions: internal audit, compliance and risk. Larger institutions require a dedicated IT officer as well as an information security officer. Smaller institutions may assign responsibility for these roles to a member of authorised management, who is then assisted by external advisers.

To the extent that a credit institution comprises multiple legal entities, it must be structured in an appropriate manner having regard to the strategy and guiding principles of the bank. At a group level, clear limits on powers and delegation should be established (with appropriate monitoring) and a comprehensive management information system must be put in place to ensure effective communication between legal entities, the board of directors, authorised management, internal control functions and the CSSF.

It should be noted that the concept of a ‘board of directors' as used in question 7 above and throughout this question 8 shall not be read in a strict company law sense, as banks may adopt a legal form that does not provide for a board of directors. Where the relevant bank has a board of supervisors, the references to a ‘board of directors' shall be read as references to the board of supervisors.

8.2 How are directors and senior executives appointed and removed? What selection criteria apply in this regard?

Members of the board of directors, both individually and collectively, must have the necessary professional competence (expertise, understanding and experience), professional standing and personal qualities required according to the bank's guiding principles governing the election and succession of the board. There must not be a majority of directors who take on an executive role within the institution. Depending on the institution's type and size, there may be a requirement in Luxembourg to have one or more directors who either are appointed by the Luxembourg state or represent the staff. In such cases, there are detailed rules for determining the number of directors required and the ratio of executive to non-executive directors.

Members of authorised management, both individually and collectively, must have the necessary professional competence (expertise, understanding and experience), professional standing and personal qualities to manage the institution and effectively determine the business direction. Specific qualities which are required include commitment, availability, objectivity, critical thinking and independence.

On appointment and on a continuing basis, the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act') and CSSF Circular 12/552 require members of the board of directors and authorised management (as well as internal control function heads) to evidence professional standing and good repute, assessed on the basis of police records and any other evidence requested. Depending on whether an institution is classified as ‘significant' or ‘less significant', a personal declaration must also be completed with different levels of information required from nominees regarding conflicts of interest, personal shareholdings, professional experience, time commitment and applicable skills.

On removal of a member of the board of directors or authorised management (as well as internal control function heads), different scenarios apply:

  • For resignations, the CSSF must be notified immediately and provided with a copy of the letter of resignation; and
  • For removals, the CSSF must be notified and receive detailed, written justifications for the decision together with a copy of the termination/revocation letter.

In addition to the foregoing, standard company law requirements for appointing and removing members of the board of directors and authorised management also apply.

8.3 What are the legal duties of bank directors and senior executives?

The legal duties of Luxembourg bank directors and executives are similar to those in other major financial centres. The duties are derived both from Luxembourg company law and from financial regulation. The Luxembourg law of 10 August 1915 on commercial companies, as amended, requires that directors:

  • act in the best interest of the company;
  • exercise independent judgement;
  • exercise reasonable care, skill, and diligence;
  • avoid conflicts of interest;
  • declare interests;
  • ensure confidentiality; and
  • act within corporate objects and powers.

Luxembourg as a jurisdiction has a high number of banking subsidiaries. In respect of acting within the best interests of the company, it is important to consider director duties in the context of the Luxembourg subsidiary, acknowledging that there may be instances where the interests of the group conflict. Potential claims against directors can be brought in Luxembourg by the state prosecutor (in respect of criminal matters), by liquidators/receivers/administrators and by the company itself. There is also a possibility for shareholders to make a claim against directors on behalf of the company.

In addition to Luxembourg company law and associated jurisprudence, the Ten Principles of Corporate Governance issued by the Luxembourg Stock Exchange (last updated in December 2017) also have persuasive value in determining appropriate courses of action for directors and contain detailed criteria, including those related to independence.

CSSF Circular 12/552 places overall responsibility for the entire credit institution on the board of directors. The board is responsible for ensuring execution of activities and preserving business continuity. It must put in place a sound central administration and internal governance arrangements. Additional specific responsibilities of the board of directors include setting out, in writing:

  • the business strategy of the institution, taking into account the bank's long-term financial interests, solvency and liquidity situation;
  • the risk strategy;
  • the regulatory and internal own funds and liquidity strategy;
  • the guiding principles of a clear and consistent organisational and operational structure regarding the creation and maintenance of legal entities, information systems, security, communication and whistleblowing;
  • the guiding principles relating to the internal control functions, remuneration, and escalation and settlement of any improper behaviours within the bank;
  • the human and material resources required to implement the bank's strategies and guiding principles;
  • the strategies for business continuity management and crisis management;
  • the guiding principles for the appointment and succession of key senior individuals within the credit institution; and
  • the arrangements to delegate and oversee management's implementation of the bank's strategies.

The role of the board of directors and corporate governance in general is a priority for the CSSF and the European Central Bank. Lack of appropriate governance arrangements is a frequent finding by the CSSF in relation to sanctions it has issued in recent years.

8.4 How is executive compensation in the banking sector regulated in your jurisdiction?

Executive compensation is a key lever used to promote sound and effective risk management within the Luxembourg and EU regulatory framework. CSSF Circular 17/658 adopts the European Banking Authority Guidelines on sound remuneration policies under Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (CRD IV) and disclosures under Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended. Additionally, the Banking Act has transposed the relevant restrictions relating to compensation contained in CRD IV. Credit institutions are obliged to develop remuneration policies addressing both variable and non-variable compensation. Certain remuneration and governance data must also be made available on the institution's website. In respect of firms which are significant (in terms of size, internal organisation and the nature, scope and complexity of their activities), there is a requirement to form both a nomination and remuneration committee, which must include non-executive directors.

The credit institution's remuneration policy must identify staff who have the ability to materially influence the risk position of the bank. As a rule, these include all members of the board of directors, senior management and other key senior staff. The policy must have a structure in place to govern the performance assessment of employees and provide a clear link to the bank's risk strategy. Remuneration policies must clearly distinguish between fixed and variable compensation. Variable compensation is capped at twice fixed compensation, with an exception process and regulatory notification procedure for any amounts in excess of such cap.

Additionally, the remuneration payout process requires multi-year deferrals over certain thresholds. Risk-based adjustments related to compensation already granted are also foreseen: institutions must be able to apply malus or clawback arrangements of up to 100% of the total variable remuneration and any adjustments must be performance and risk related. Remuneration policies must use performance and risk criteria and specifically consider:

  • evidence of misconduct or serious error;
  • whether the business subsequently suffers a significant downturn in its financial performance;
  • whether the business in which the staff member works suffers a significant failure of risk management;
  • significant increases in the institution's economic or regulatory capital base; and
  • any regulatory sanction where the conduct of the staff member was a contributing factor.

As at the end of 2017 (most recent data), there were 20 high earners in Luxembourg (ie, staff who were awarded €1 million or more in annual remuneration).

Practically speaking, detailed guidance is required when establishing a Luxembourg bank's remuneration policy to ensure its compliance with EU-level requirements and local employment law.

9 Change of control and transfers of banking business

9.1 How are the assets and liabilities of banks typically transferred in your jurisdiction?

There are no particular provisions with respect to the transfer of assets and liabilities of banks in the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act'). A transfer of assets and liabilities will typically be subject to an asset purchase agreement. Where a change of control of a target entity is involved, the conditions set out under question 9.2 must be complied with. Certain transfers may be subject to specific provisions of the Luxembourg law of 10 August 1915 on commercial companies, as amended.

From a regulatory perspective, the entities involved in the transfer must assess whether the specific assets and liabilities in question constitute a regulated activity requiring an authorisation and ensure that the acquiring entity has the appropriate authorisation. Both the seller and the acquirer must update their respective business plans in order to reflect the change of business resulting from the disposal and acquisition of an activity, respectively (the provision of a business plan is part of the licensing process for Luxembourg credit institutions, and any change to the activities of the credit institution will be a change to the conditions of the initial authorisation which must be notified to the Commission de Surveillance du Secteur Financier (CSSF)).

9.2 What requirements must be met in the event of a change of control?

According to the Banking Act, any natural or legal person, whether acting alone or in concert with other persons, that has taken a decision to acquire, directly or indirectly, a qualifying holding (ie, 10% or more of the voting rights or of the capital) in a Luxembourg bank shall first notify the CSSF in writing of its intention to acquire such qualifying holding.

The CSSF will conduct a review of the acquisition documentation in order to assess:

  • the professional standing of the acquirers;
  • the professional standing and the professional qualifications of the persons who will direct the daily business of the bank;
  • the financial soundness of the acquirers;
  • the capacity of the bank to keep complying with the prudential requirements under the Banking Act, pursuant to its change of control; and
  • the absence of suspicion of money laundering or terrorist financing by the acquirers.

The CSSF has up to 60 working days (which can be extended up to 90 working days) as from the notification in order to assess these elements and to declare whether it is opposed to the acquisition.

The notification to the CSSF must include written submissions describing the intended acquisition and requesting its prior approval, as well as several documents such as commercial register excerpts, structure charts, corporate documentation relating to the acquirer(s), consolidated accounts, the share purchase agreement and a business plan.

The CSSF carries out its assessment in accordance with the principle of proportionality. It also reviews the proposed acquisition in light of the Joint Guidelines on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector published by the Joint Committee of the European Supervisory Authorities (JC/GL/2016/01, 20 December 2016).

In case of changes to the composition of the target's management body and its senior staff, the CSSF's approval is also required. The candidate(s) must complete an application form and provide the CSSF with several supporting documents (eg, identity documents, a curriculum vitae, a recent criminal record extract, a declaration of honour, a copy of the highest diploma and a copy of the corporate documentation appointing the candidate).

The seller of a qualifying holding in a credit institution must also notify the CSSF and credit institutions must inform the CSSF without delay of any acquisitions or disposals of holdings in their capital that exceed or fall below certain thresholds.

10 Consumer protection

10.1 What requirements must banks comply with to protect consumers in your jurisdiction?

The Luxembourg Consumer Code includes a number of requirements that must be complied with by professionals when dealing with consumers. These include requirements with respect to information to be provided to consumers, unfair business practices and specific requirements in relation to contracts entered into with consumers, including mortgage loan agreements and consumer credit agreements.

With respect to consumer credit and mortgage lending, the Luxembourg Consumer Code:

  • requires professionals to provide certain information to consumers prior to entering into a contract with them, and includes certain conditions with respect to advertising (in particular, specific information that must be mentioned, and the way in which it must be displayed);
  • prohibits certain advertising practices (eg, advertisements that specifically focus on the ease and speed with which credit can be obtained, that make consumers believe that the credit will improve their financial situation, or that mention an attractive interest rate without specifying the conditions to which such rate is subject);
  • obliges lenders to provide consumers with explanations allowing them to compare different offers and to decide whether the relevant credit is suitable to their needs;
  • obliges lenders to assess the solvency of consumers and includes specific provisions on how to perform such assessment;
  • sets out the mandatory minimum content of consumer credit agreements;
  • obliges lenders to provide information on the interest rate and includes specific rules with respect to variable interest rates;
  • sets out requirements with respect to overdraft facilities and overdrafts on current accounts;
  • sets out the right for the consumer to withdraw from the credit agreement during a period of 14 calendar days;
  • gives the consumer the right to prepay a loan, and includes rules for the calculation of the effective global annual interest rate;
  • requires mortgage lenders to provide explicit information as to whether advisory services are provided or will be provided;
  • includes specific provisions with respect to late payment and the right for lenders to enforce/attach assets; and
  • includes specific rules of conduct for mortgage lending, as well as knowledge and skill requirements for staff of mortgage lenders.

Any clause or combination of clauses in a consumer credit agreement or a mortgage loan that breaches the Consumer Code is deemed to be void. The Consumer Code also includes administrative and criminal sanctions for lenders and intermediaries.

10.2 How are deposits protected in your jurisdiction?

Deposits are protected by the Fonds de Garantie des Dépôts Luxembourg (FGDL), which is a public body that was established by the Law of 18 December 2015 on the resolution, reorganisation and winding up measures of credit institutions and certain investment firms and on deposit guarantee and investor compensation schemes (‘BRR Law'). The FGDL ensures the repayment to depositors in case of unavailability of their deposits, up to €100,000 per person and per institution. The standard €100,000 protection may be increased to €2.5 million in certain specific cases and subject to specific conditions (eg, deposits resulting from real estate transactions relating to private residential properties). The FGDL must normally repay within seven working days. Certain deposits are excluded from protection (eg, deposits made by other credit institutions on their own behalf and for their own account, deposits by financial institutions, deposits by investment firms, deposits by insurance and reinsurance undertakings, deposits by undertakings for collective investment, deposits by pension and retirement funds and deposits by public authorities).

All Luxembourg credit institutions, as well as Luxembourg branches of credit institutions having their registered office in a third country, must be members of the FGDL. The FGDL collects contributions from member institutions on an annual basis and the amount of each institution's contribution is calculated based on the amount of covered deposits and the degree of risk incurred by the institution. The FGDL reached the initial target level of available financial means equivalent to 0.8% of the amount of covered deposits of member institutions at the end of 2018. The FGDL will continue to collect contributions until 2026, in order to reach a level of available financial means equivalent to 1.6% of the amount of covered deposits of member institutions.

There is also an investor compensation scheme (Système d'indemnisation des investisseurs Luxembourg) which, subject to certain conditions, protects customers holding financial instruments.

11 Data security and cybersecurity

11.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for banks?

In the European Union, the protection of personal data is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

The GDPR defines the concept of ‘personal data' and establishes rules relating to the processing of such personal data, including a number of obligations to be complied with by controllers and processors of personal data. It:

  • sets out the conditions under which the processing of personal data is deemed to be lawful and principles applicable to personal data processing (eg, lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality);
  • includes specific conditions in order to evidence the consent given by data subjects to such processing;
  • sets out rules applicable to the processing of special categories of personal data;
  • gives rights to data subjects with respect to their personal data (eg, the right to information, right of access, right of rectification, right to erasure, right to restriction, right to data portability, right to object);
  • sets out the respective responsibilities of controllers and processors of personal data;
  • introduces the concepts of data protection by design and by default;
  • includes the obligation to ensure the security of the personal data;
  • sets out conditions with respect to the notification of data breaches;
  • obliges controllers to perform data protection impact assessments for certain activities;
  • includes rules concerning the appointment of a data protection officer;
  • regulates transfers of personal data; and
  • includes the obligation for controllers to maintain records of processing activities (mapping of data flows).

The GDPR entered into force on 25 May 2018. Prior to its entry into force, banks established extensive GDPR compliance projects in order to assess their personal data processing activities, map personal data flows both within and outside their organisations, and ensure compliance with the new requirements. As the potential sanctions for GDPR breaches include fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, and in light of the reputational risk involved in case of personal data breaches, compliance is taken seriously by banks, which now need to integrate personal data protection into their day-to-day operations.

Challenges faced by banks during the implementation phase include:

  • the collection of user consent;
  • the concepts of ‘controller' and ‘processor', and the correct allocation of responsibilities in webs of service providers, data storage and data deletion, which may be complex in matrixed institutions with numerous electronic backups;
  • data classification and mapping of data flows within complex international groups; and
  • the need to adapt business practices.

11.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for banks?

At the EU level, a number of initiatives have been presented or are currently ongoing in the area of cybersecurity. The European Commission issued a recommendation on coordinated response to large-scale cybersecurity incidents and crises (Commission Recommendation (EU) 2017/1584 of 13 September 2017), and more recently a recommendation on cybersecurity of 5G networks (C(2019) 2335 final).

In terms of legislation, Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification was published in the Official Journal of the EU on 7 June 2019, and aims to achieve a high level of cybersecurity, cyber resilience and trust within the European Union. It has reformed ENISA, which supports EU member states, EU institutions, bodies, offices and agencies in improving cybersecurity; and has introduced a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, services and processes in the European Union. The first EU piece of legislation on cybersecurity was Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union which had to be implemented by the EU Member States by 9 May 2018.

At the national level, Luxembourg published its third national cybersecurity strategy for the 2018-2020 period (‘NCSS III'). The NCSS III includes guidelines on strengthening public confidence in the digital environment, the protection of digital infrastructure and the promotion of the economy, with objectives such as:

  • the dissemination of information on risks;
  • the combating of cybercrime;
  • the identification of critical digital infrastructure;
  • the adaptation of the emergency response plan for cyberattacks;
  • the development of skills and abilities in the field of cyber defence;
  • the improvement of risk management and training; and
  • the promotion of start-ups to develop the digital security ecosystem.

As banks handle very sensitive information, cybersecurity is particularly important to the banking sector. The Law of 5 April 1993 on the financial sector, as amended, contains a general requirement for credit institutions to have in place effective control and security arrangements for information processing systems, as well as sound security mechanisms designed to guarantee the security and authentication of the means of transfer of information, to minimise the risk of data corruption and of unauthorised access and to prevent information leakage in order to maintain the confidentiality of data at all times. The Commission de Surveillance du Secteur Financier (CSSF) issued a number of circulars which address issues related to confidentiality, IT and security, including:

  • CSSF Circular 12/552;
  • CSSF Circular 15/603 on security of internet payments;
  • CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure; and
  • several circulars related to Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (PSD2), including CSSF Circular 19/713 concerning the European Banking Authority Guidelines on the security measures for operational and security risks of payment services under PSD2.

These circulars include:

  • requirements to be complied with in case of IT and cloud outsourcing;
  • the obligation to have backup and recovery plans and ensure business continuity;
  • the obligation to monitor security vulnerabilities;
  • the requirement to have an IT function (including an information security officer);
  • specific requirements in the field of security of internet payments (eg, the implementation of a security policy, the performance of a risk assessment, incident monitoring, the implementation of security measures and the use of strong customer authentication);
  • the obligation to ensure data and systems integrity; and
  • reporting and auditing requirements.

The growing importance of data, the increased risk of cyberattacks and the related regulatory requirements mean that banks will need to continue to invest in their cybersecurity capabilities and IT infrastructure.

12 Financial crime and banking secrecy

12.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for banks?

Luxembourg follows the Financial Action Task Force recommendations, implemented in the European legal framework by Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, as amended (AMLD 4), as amended by Directive (EU) 2018/843 (AMLD 5) and Directive (EU) 2018/1673 (AMLD 6).

AMLD 4 has been implemented in Luxembourg by the law of 12 November 2004 on the fight against money laundering and terrorist financing (AML/CTF), as amended (‘AML Law'). The specific requirements (eg, the types of information or documentation that must be requested by banks in order to identify customers) are detailed in grand-ducal regulations, Commission de Surveillance du Secteur Financier (CSSF) regulations and CSSF circulars. Two of the most important texts in this respect are the Grand-Ducal Regulation of 1 February 2010 providing details on certain provisions of the amended law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended; and CSSF Regulation 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing.

Credit institutions are ‘professionals' within the meaning of the AML Law, and must in particular:

  • identify each customer and verify its identity on the basis of documents, data or information obtained from a reliable and independent source;
  • identify the beneficial owner and take measures to verify his or her identity;
  • take measures to understand the ownership and control structure of each customer;
  • assess and, to the extent appropriate, obtain information on the purpose and the intended nature of the business relationship;
  • conduct ongoing due diligence of the business relationship to ensure that the transactions being conducted are consistent with the credit institution's knowledge of each customer, its business and its risk profile; and
  • ensure that the documents, data and information held are kept up to date.

One important characteristic of the current AML/CTF regime is the requirement for professionals to adopt a risk-based approach in order to determine the extent of the measures they are applying to ensure compliance with the AML/CTF requirements.

A register of beneficial owners (Registre des bénéficiaires effectifs (RBE)) has been introduced in Luxembourg further to the law of 13 January 2019 creating a register of beneficial owners and implementing Article 30 of AMLD 4 (‘UBO Law'). The UBO Law obliges entities registered with the Luxembourg trade and companies register (RCS) to provide the RBE with certain information concerning their ultimate beneficial owner(s) and to provide such information to professionals in the context of the performance of their customer due diligence obligations under the AML Law. The requirement to provide information with respect to beneficial owners to the RBE also applies to credit institutions, which are registered with the RCS.

On 20 December 2019, the CSSF published Circular 19/732 concerning clarifications on the identification and verification of the identity of the ultimate beneficial owners in order to provide guidance to all professionals subject to AML/CTF obligations on the practical implementation of the identification requirements of the ultimate beneficial owner(s), as well as on the reasonable measures that should be taken to verify their identity.

12.2 Does banking secrecy apply in your jurisdiction?

Yes. Pursuant to Article 41 of the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act'), natural and legal persons subject to the prudential supervision of the CSSF or established in Luxembourg and subject to the supervision of the European Central Bank or a foreign supervisory authority for the exercise of an activity referred to in the Banking Act, as well as members of the management body, directors, employees and any other persons working for these natural or legal persons, shall keep secret all information entrusted to them in the context of their professional activity or their mandate. The disclosure of such information is punishable, under Article 458 of the Luxembourg Criminal Code, by a prison term of between eight days and six months and a fine of between €500 and €5,000.

There are a number of exceptions to the secrecy requirement. This is the case, for instance, where the revelation of information is required or authorised by applicable law, or where information must be provided to national, European or international supervision or resolution authorities, subject to certain conditions.

13 Competition

13.1 What specific challenges or concerns does the banking sector present from a competition perspective? Are there any pro-competition measures that are targeted specifically at banks?

Luxembourg benefits from an AAA credit rating and is home to 129 international banks. In addition, the banking industry is supported by specialised accountants, consultants, law firms and IT specialists with a multilingual and diverse international workforce. As a financial centre, it has positioned itself as a gateway to EU markets for non-EU financial participants. Specialties include cross-border private and corporate banking, fund administration, custody, wealth management, and treasury services.

The Luxembourg government continues to adopt a pragmatic and efficient approach with respect to the financial sector, taking measures to ensure the reliability, predictability and competitiveness of the industry as required. The financial sector is of strategic importance to Luxembourg and its competitiveness globally is constantly assessed with measures taken as appropriate to retain that standing.

As in other jurisdictions, competition for traditional banking is largely from fintech companies and other ‘disruptors' seeking to disintermediate the classical bank-client relationship. There are no specific pro-competition measures in place and the competition which the banking sector faces is very similar to other large markets.

14 Recovery, resolution and liquidation

14.1 What options are available where banks are failing in your jurisdiction?

The failure of banks is governed by the Law of 5 April 1993 on the financial sector, as amended (‘Banking Act') and the Law of 18 December 2015 on the resolution, reorganisation and winding up measures of credit institutions and certain investment firms and on deposit guarantee and investor compensation schemes (‘BRR Law'). The Banking Act contains prudential rules and obligations in relation to recovery planning, intra-group financial support and early intervention; the BRR Law covers the resolution of banks.

Recovery: Credit institutions must draw up and maintain a recovery plan that provides for measures to be taken by the credit institution to restore its financial position following a significant deterioration of its financial situation, which must be updated at least once a year and is subject to an assessment by the Commission de Surveillance du Secteur Financier (CSSF). The recovery plan must include a number of elements, including:

  • a communication and disclosure plan outlining how the bank intends to manage any potentially negative market reactions;
  • a range of capital and liquidity actions required to maintain or restore the viability and financial position of the bank;
  • a detailed description of how recovery planning is integrated into the corporate governance structure of the bank;
  • arrangements and measures to conserve or restore the own funds of the bank;
  • arrangements and measures to ensure the bank has adequate access to contingency funding sources; and
  • arrangements and measures to restructure liabilities or business lines.

The Banking Act includes specific provisions for group recovery plans. Recovery plans must be kept confidential and may be shared only with third parties which have participated in their drafting and transposition. The failure to draw up, maintain and update recovery plans is subject to specific administrative penalties, which include fines of up to 10% of the total annual net turnover of the bank in the preceding business year, or up to €5 million for individuals.

The Banking Act also includes provisions regulating the entry into group financial support agreements, which may be entered into only subject to specific conditions and with the authorisation of the relevant competent authorities.

Where a bank infringes or is likely in the near future to infringe the requirements of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR), the Banking Act, their implementing measures or certain provisions of Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments, the CSSF may take a number of early intervention measures. The CSSF may:

  • require the management body of the bank to:

    • update the recovery plan;
    • implement one or more of the arrangements or measures of the recovery plan;
    • prepare an action plan to address the situation and a timetable for its implementation;
    • convene a meeting of the bank's shareholders; or
    • draw up a plan for the negotiation on restructuring of debt;
  • require the bank to remove or replace one or more members of the management body or authorised management, change its business strategy or change its legal or operational structures; and
  • acquire, including through on-site inspections, all information necessary to update the resolution plan and prepare for the possible resolution of the bank.

Where there is a significant deterioration in the financial situation of a bank, or where there are serious infringements of applicable laws or regulations or of the statutes of the bank, or serious administrative irregularities, and the taking of early intervention measures is not sufficient to reverse that deterioration, the CSSF may also require the removal of the authorised management or management body.

Finally, where the replacement of the authorised management or management body is deemed to be insufficient, the CSSF may appoint a temporary administrator to temporarily replace the management body or temporarily work with the management body. The powers, role and duties of the temporary administrator are determined by the CSSF.

Resolution: The BRR Law contains extensive provisions on the resolution of credit institutions. Any reference in this Q&A to the ‘Resolution Board' is a reference to the CSSF acting in its capacity as resolution authority in Luxembourg. The Resolution Board carries out its resolution functions independently from the CSSF's supervisory functions.

Prior to any resolution, the Resolution Board must prepare a resolution plan and perform a resolvability assessment for each credit institution. Specific provisions apply for groups. The resolution plan provides for the resolution actions that the Resolution Board may take where the relevant credit institution meets the conditions for resolution. Its content is detailed in the BRR Law.

The Resolution Board shall take a resolution action where all the following conditions are met:

  • The credit institution is failing or likely to fail;
  • There is no reasonable prospect that any alternative private sector measures or supervisory action would prevent the failure of the institution within a reasonable timeframe; and
  • A resolution action is necessary in the public interest.

The Resolution Board has a number of resolution tools, resolution powers and other powers at its disposal. These include:

  • the power to appoint a special manager to replace the management body of the institution under resolution, which shall have all the powers of the shareholders and of the management body;
  • the power to transfer to a purchaser shares or other instruments of ownership issued by, and/or all of any assets, rights or liabilities of, the bank under resolution (the ‘sale of business' tool);
  • the power to transfer to a bridge institution, which shall be a legal person that is wholly or partially owned by one or more public authorities and controlled by the Resolution Board, shares or other instruments of ownership issued by, and/or all of any assets, rights or liabilities of, the bank under resolution (the ‘bridge institution' tool);
  • the power to transfer assets, rights or liabilities of the bank under resolution or of a bridge institution to one or more asset management vehicles (the ‘asset separation' tool);
  • write-down and conversion powers in relation to liabilities of the bank under resolution (the ‘bail-in' tool);
  • the power to write down or convert relevant capital instruments;
  • a number of general and ancillary powers, including:

    • the power to take control of an institution;
    • the power to transfer rights, assets or liabilities of an institution;
    • the power to reduce the principal amount of eligible liabilities;
    • the power to convert eligible liabilities into ordinary shares or other instruments of ownership;
    • the power to cancel debt instruments;
    • the power to amend or alter the maturity of debt instruments; and
    • the power to close out or terminate financial or derivatives contracts;
  • the power to require an institution or any of its group entities to provide any services or facilities;
  • powers in respect of assets, rights, liabilities, shares and other instruments located in a third country;
  • the power to suspend any payment or delivery obligations pursuant to any contract;
  • the power to restrict the enforcement of security interests;
  • the power to temporarily suspend termination rights of any party to a contract with an institution under resolution;
  • the power to require an institution to contact potential purchasers in view of the resolution of the institution; and
  • information-gathering and investigatory powers.

The objectives of resolution (which must be taken into account by the Resolution Board when applying the resolution tools and exercising its resolution powers) are:

  • the continuity of critical functions;
  • the avoidance of significant adverse effect on the financial system;
  • the protection of public funds;
  • the protection of depositors; and
  • the protection of client funds and client assets.

The Resolution Board must also take into account certain general principles set out in the BRR Law. For instance, the shareholders of the institution under resolution shall bear first losses, creditors in the same class shall be treated in an equitable manner and covered deposits shall be fully protected.

The Resolution Board may impose administrative penalties on banks, members of their management body and other natural persons responsible in case of specific infringements with respect to resolution as set out in the BRR Law. These penalties include:

  • warnings;
  • public statements;
  • orders requiring the cessation of a specific conduct;
  • temporary or permanent bans from exercising certain functions;
  • temporary bans from carrying out certain activities;
  • suspension of voting rights; and
  • fines (which can reach up to 10% of the total annual net turnover of the bank in the preceding business year or, for individuals, up to €5 million).

The BRR Law established the Luxembourg Resolution Fund (Fonds de Résolution Luxembourg (FRL)), the purpose of which is to collect contributions due under the BRR Law, manage the financial means so collected and participate in the financing of the resolution of failing institutions. The FRL must have adequate financial means, which must reach 1% of the amount of covered deposits of all the institutions authorised under the Banking Act by 31 December 2024. In order to collect these financial means, the FRL collects annual ex ante contributions from banks, among others. Where the FRL's financial means are not sufficient to cover the losses, costs or other expenses incurred, the FRL may raise extraordinary contributions ex post. The FRL may also borrow money.

The resolution of Luxembourg banks is further subject to Regulation (EU) No 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund.

14.2 What insolvency and liquidation regime applies to banks in your jurisdiction?

In addition to resolution, the BRR Law covers the reorganisation and winding up of credit institutions. In terms of specific procedures, the BRR Law covers suspension of payments, voluntary liquidation and judicial winding-up proceedings. The BRR Law further specifies that the following do not apply to credit institutions:

  • Book III of the Luxembourg Commercial Code (which covers bankruptcy and suspension of payments, among other things);
  • the provisions of the Law of 4 April 1886 on court-approved compositions and arrangements with creditors aimed at preventing bankruptcy; and
  • the provision of the Grand-ducal Decree of 24 May 1935 supplementing the legislation relating to suspension of payments, compositions and arrangements with creditors aimed at preventing bankruptcy and bankruptcy following on from the setting-up of a controlled management scheme.

Suspension of payments: Suspension of payments proceedings may be started where:

  • the bank has lost its creditworthiness or has reached an impasse regarding liquidity, whether it is in a state of cessation of payments or not;
  • the execution of the bank's commitments is compromised; or
  • the authorisation of the bank has been withdrawn and the decision in this respect is not yet final.

Only the CSSF or the bank concerned may apply for suspension of payments proceedings. The application is lodged with the Tribunal d'Arrondissement (district court) of Luxembourg sitting in commercial matters. Where the application is made by the bank, the bank shall, under penalty of inadmissibility of the application, inform the CSSF prior to bringing the matter before the court. The lodging of the application results in the suspension of all payments by the bank and a prohibition of all acts other than precautionary measures pending a final decision. The BRR Law details the procedure. The judgment determines, for a period not exceeding six months, the conditions and arrangements for the suspension of payments and appoints one or more administrators, who shall be in charge of the management of the bank's assets. The written authorisation by the administrator(s) is required for all acts and decisions of the bank. The suspension of payments has universal effect and applies to branches and assets of the institution located abroad.

Voluntary liquidation: A bank may start voluntary liquidation proceedings only after notifying the CSSF of its intention to do so; the notification must be made at least one month prior to convening the general meeting which shall decide on the voluntary liquidation. Specific publication requirements apply to the notice convening the meeting. A report on the completion of the voluntary liquidation and the arrangements of such voluntary liquidation must be transmitted to the CSSF.

Judicial winding-up: The dissolution and winding-up of a bank may take place where:

  • it is apparent that the suspension of payments set out above cannot rectify the situation that caused it;
  • the financial situation of the bank is affected to such an extent that the bank will no longer be able to comply with the commitments with respect to the rights of holders of claims or participations; and
  • the authorisation of the bank has been withdrawn and the decision in this respect became final.

Only the CSSF or the state prosecutor may apply to the Tribunal d'Arrondissement of Luxembourg sitting in commercial matters to order the dissolution and winding-up of a bank. When ordering the winding-up, the Tribunal d'Arrondissement appoints an official receiver and one or more liquidators, determines the winding-up method and may make applicable the general rules governing bankruptcy. The liquidators inform the known creditors located abroad of the winding-up. Any creditor has the right and obligation to deposit its claim with the registry of the Tribunal d'Arrondissement.

15 Trends and predictions

15.1 How would you describe the current banking landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

In terms of anti-money laundering/counter-terrorist financing (AML/CTF), and especially in light of the upcoming visit of the Financial Action Task Force to Luxembourg, one major focus is the implementation of Directive (EU) 2018/843 (AMLD 5). The latest update in this respect is the publication on 23 December 2019 of Draft Bill 7512 establishing a central electronic data retrieval system for payment accounts and bank accounts identified by an international bank account number, as well as safe-deposit boxes held by Luxembourg credit institutions.

From a regulatory perspective, credit institutions must prepare for the amendments to banking regulation that result from the latest EU Banking Reform Package. In particular, Directive (EU) 2019/878 of the European Parliament and of the Council of 20 May 2019 amending CRD IV (CRD V), Regulation (EU) 2019/876 of the European Parliament and of the Council of 20 May 2019 amending Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR) (CRR II) and Directive (EU) 2019/879 of the European Parliament and of the Council of 20 May 2019 amending BRRD (BRRD II) entered into force on 20 June 2019. The new rules and requirements include:

  • a binding leverage ratio;
  • a net stable funding ratio;
  • new rules with respect to market risk;
  • the introduction of proportionality;
  • rules with respect to environmental, social and governance (ESG) related risks; and
  • rules on intermediate EU parent undertakings and financial holding companies.

The growth of the Luxembourg fintech ecosystem is also an interesting development. An increasing number of players in payments, lending and investments may compete with services traditionally offered by banks. On the other hand, fintechs specialised in cybersecurity and authentication, big data, artificial intelligence and regtech, for instance, may provide opportunities for banks in Luxembourg.

Luxembourg, like other EU countries, is affected by Regulation (EU) 2019/2088 of the European Parliament and of the Council of 27 November 2019 on sustainability-related disclosures in the financial services sector and Regulation (EU) 2019/2089 of the European Parliament and of the Council of 27 November 2019 amending Regulation (EU) 2016/1011 as regards EU Climate Transition Benchmarks, EU Paris-aligned Benchmarks and sustainability-related disclosures for benchmarks. In addition, it will be following the current EU Proposal on the establishment of a framework to facilitate sustainable investment 2018/0178. Together, these initiatives will affect the manner in which banks lend funds and require changes to internal approval processes and monitoring systems. CRR II and CRD V also contain measures which will require credit institutions to take into account ESG risks. This will affect both the supervision of credit institutions and the evaluation of assets against specific ESG criteria.

The Luxembourg Stock Exchange distinguished itself internationally by launching the Luxembourg Green Exchange (LGX) in 2016. This is the world's first dedicated green bond exchange and lists 50% of the world's green bonds. The platform currently supports bonds and funds, and intends to extend to indexes. At the end of 2018, more than $120 billion worth of green bonds from around the world were listed on the LGX. This initiative, together with EU-level sustainable finance regulation, has positioned Luxembourg for success as sustainable finance evolves from the headlines to regulatory and operational reality.

According to recent surveys in the banking sector, banks expect that costs will increase the most in compliance and IT, and decrease the most in operations over the next three years. Some of the most important topics identified by banks as being part of their transformation agenda are process optimisation, digital banking platforms, upskilling of employees and outsourcing/insourcing.

15.2 Does your jurisdiction regulate cryptocurrencies? Are there any legislative developments with respect to cryptocurrencies or fintech in general?

Cryptocurrencies as such are not currently subject to specific regulation in Luxembourg.

On 14 March 2018 the Commission de Surveillance du Secteur Financier (CSSF) issued a warning on virtual currencies and a warning on initial coin offerings (ICOs) and tokens. In these warnings, the CSSF explained what virtual currencies and ICOs are, and informed supervised entities and the public about the different risks associated therewith (eg, volatility and price bubble risk, lack of protection and risk of theft, liquidity shortage, operational disruption, misleading information, lack of transparency, risk of price manipulation, fraud and money laundering, loss of capital). The CSSF also stressed in both warnings that the warnings concern only virtual currencies and fundraising through ICOs as such, without questioning the underlying technology; the CSSF recognises that the underlying blockchain technology can bring certain benefits to financial sector activities.

In terms of legislative developments, a law of 1 March 2019 has amended the law of 1 August 2001 on the circulation of securities in order to introduce the recognition of the maintenance of securities accounts, and the crediting of securities to securities accounts, within or through secured electronic registration mechanisms, including distributed electronic ledgers or databases.

With respect to fintech in general, the CSSF issued Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure, which sets out requirements to be complied with where cloud computing infrastructures are used. It also issued a position on robo-advice, where it explained what comprises robo-advice and how this fits within the existing regulatory landscape; and a FAQ on AML/CTF and IT requirements for specific customer on-boarding/know-your-customer methods which focuses on identification and verification of identity through video chat and the requirements that must be complied with when such a video system is used by professionals subject to AML/CTF obligations (eg, credit institutions). In December 2018 the CSSF published a white paper on artificial intelligence and related opportunities, risks and recommendations for the financial sector.

There is no specific licence for fintechs in Luxembourg, but the activities performed by fintechs may be subject to licensing requirements under the Law of 5 April 1993 on the financial sector, as amended, or other applicable laws and regulations.

16 Tips and traps

16.1 What are your top tips for banking entities operating in your jurisdiction and what potential issues would you highlight?

Outsourcing: Luxembourg offers a flexible environment to outsource back to group companies, which is a very common operating model and makes Luxembourg an attractive EU hub, especially post-Brexit. A number of requirements must be taken into account and specific rules apply in case of IT outsourcing and use of cloud computing infrastructure.

Substance: Luxembourg offers a great deal of flexibility in terms of substance, but ‘letterbox' entities are not acceptable. Applicable regulations provide for proportionality in certain cases, but minimal substance – especially with respect to risk and compliance – is required. Parties typically seek local advice to understand the appropriate balance.

Exemptions from the Law of 5 April 1993 on the financial sector: Not all activities require a banking licence. Lending activities, for instance, could be performed under a different and less onerous licence. Relevant entities can also benefit from exemptions – for instance, where they perform a one-off transaction or provide regulated services within their group. A common practice is to obtain a clearance letter from the Commission de Surveillance du Secteur Financier confirming that an authorisation is not required for a particular activity or structure.

The content of this article is intended to provide a guide to the subject. Specialist advice should be sought about your particular situation.
