Circular CSSF 26/906 on central administration, internal governance and risk management for payment and electronic money institutions – governance taken to the next level?

On 20 January 2026, the CSSF published Circular 26/906, establishing a comprehensive set of rules on central administration, internal governance, and risk management for payment institutions, electronic money institutions, and, based on the principle of proportionality, account information service providers (“Circular”). This long-awaited document consolidates all key governance principles in one circular designed as a governance handbook [1], repeals the application to payment institutions and electronic money institutions of circulars IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155, amends Circulars CSSF 11/510 and CSSF 11/520 and will apply as of 30 June 2026.

 

Legal basis

The Circular offers detailed guidance on Articles 11(2) and 24-7(2) of the Luxembourg Law of 10 November 2009 on payment services, as amended (“LPS 2009”), requiring institutions to have their central administration and registered office in Luxembourg and to maintain robust internal governance arrangements.

Key governance principles and the application of the principle of proportionality

The CSSF clarifies key concepts and principles for internal governance, in particular by listing core characteristics of robust central administration and internal governance arrangements, including integrity, robustness, effectiveness, adequacy, consistency, comprehensiveness, transparency, and compliance. It also emphasizes the principle of proportionality, ensuring that the governance requirements are tailored to the size and complexity of each institution, and gives examples of criteria to be used when applying that principle [2].

Institutions are required to foster a strong internal risk and compliance culture to be reflected in strategies, policies, procedures, and training, with clear leadership (“tone from the top”) from supervisory and management bodies.

Supervisory and management bodies

The Circular details the roles and responsibilities of the supervisory body and the management body, including their composition, qualifications, and functioning. 

It highlights the importance of documenting decisions and minutes for accountability and enhanced supervision. Interestingly, it provides a detailed list of elements the supervisory body shall approve and lay down in writing, including the business strategy, the program of activities, the risk strategy and a series of guiding principles. These strategies and guiding principles are to be implemented by the management body by way of written internal policies and procedures.

Special emphasis is placed on training programs [3].

Composition of the supervisory body, chairperson and independent members

The CSSF recommends that meetings of the supervisory body are held at least on a quarterly basis and at the registered office of the institution in Luxembourg with the physical presence of a majority of members.

The supervisory body cannot be composed in majority of executive members, and its decision-making cannot be dominated by one individual member. 

The supervisory body elects a chairperson from among its members. The chairperson ensures proper functioning, promotes informed discussion, and may propose the appointment of independent members. The chairperson must not take on an executive role unless justified and accepted by the CSSF. The presence of one or more independent members is recommended by the CSSF as good practice, strengthening oversight and counter-powers within the institution.

Specialised committees

Based on the application of the proportionality principle, the CSSF may recommend that certain institutions set up specialised committees of the supervisory body to provide critical assessments in their areas of competence. Permanent members of such committees shall be non-executive members of the supervisory body. Each committee shall have at least three members. Each specialised committee shall be chaired by one of its members who has in-depth knowledge of the committee's area of activities.

Management body

The management body (composed of at least two persons) is responsible for managing the institution and empowered to determine the direction of its activity. Its members must in principle be permanently on-site. 

Prohibited terminology in communications and marketing

The Circular strictly prohibits the use of terminology reserved for credit institutions (such as “banking services”, “deposits”, “bank”, “neo-bank”, “bank accounts”, etc.) in communications and marketing under the responsibility of the management body, thereby making conspicuously clear that payment and e-money institutions are banned from holding themselves out as credit institutions.

Internal control functions

The Circular explicitly refers to the “three lines of defence” model, namely 1) business units, 2) support functions (including compliance and risk control), and 3) internal audit. The Circular outlines the responsibilities and organisation of these functions, including the roles of Chief Compliance Officer, Chief Internal Auditor, and, where applicable, Chief Risk Officer, whose appointments and departures are subject to an information and documentation procedure. The Circular also expressly states that the internal control arrangements shall include processes and procedures to prevent fraud and ensure compliance with AML/CFT obligations. Outsourcing of these functions is in principle not permitted (except for operational tasks).

Management of conflicts of interest

The Circular sets out requirements for a conflicts of interest management policy, applicable to all staff as well as to the members of the supervisory and management bodies. Specific rules apply notably to related party transactions, which must be escalated to the supervisory body in serious cases.

New product approval process

The rules on the new product approval process require a thorough analysis of changes in the activities by business units, management, risk control, and compliance functions. No new activity may be undertaken without management body approval after consultation with all relevant parties, especially the internal control functions.

Safeguarding of funds

Institutions must implement mechanisms to safeguard funds received from payment service users or other providers, in line with Articles 14 and 24-10 LPS 2009. The Circular outlines the rules for establishing internal control mechanisms and monitoring to ensure proper control of transactions and reconciliation of funds received, with information from counterparties such as banks or insurance companies. Applying the principle of proportionality, such controls and reconciliations may be performed daily or weekly, and the CSSF recommends using IT-based controls and reconciliation tools. The Circular also provides for specific rules regarding the organisation of contractual relationships with counterparties safeguarding funds through segregated accounts, rules concerning investments of such funds in low-risk, liquid, and secure assets, and requires that all contractual provisions and conditions for safeguarding through insurance or guarantees be reviewed by a legal expert.

Next steps

CSSF Circular 26/906 marks a significant evolution in the governance framework for payment and electronic money institutions in Luxembourg. By consolidating and clarifying key governance principles, the Circular provides greater legal certainty and operational clarity for the institutions concerned, which must now review and, if necessary, conclusively adapt their internal governance arrangements to be compliant by 30 June 2026.

[1] It does not, however, cover ICT risk management, incident notification, remuneration, and outsourcing, which remain covered by separate circulars.

[2] These criteria include the risks and complexity associated with the type of products offered and services provided; the combination of multiple authorisations from the financial sector; the volume of payment and electronic money operations (> EUR 10 billion); the size of the institution in terms of turnover and balance sheet total (> EUR 0.5 billion); or the number of staff members of the institution (i.e. > 50 persons). Proportionality may be applied upward (by enhancing internal governance arrangements) or downward (by softening certain requirements).

[3] Members of the supervisory body and the management body must undergo specific initiation training on the institution’s structure and business model, risk profile, and governance arrangements, followed by regular ongoing training to keep their skills up to date. For members of the management body, this includes knowledge of the regulatory framework applicable to the institution. Additionally, the institution shall have an ongoing training program to ensure that staff and members of the management and supervisory bodies remain qualified and understand the internal governance arrangements as well as their own roles and responsibilities.