CSSF ICAAP and ILAAP: Filing Under Circulars 07/301 and 20/753
Every spring, a Luxembourg reporting team assembles a document that no COREP or FINREP template captures: the institution’s own account of whether it holds enough capital and enough liquidity to survive the risks it actually runs. That account is the ICAAP and ILAAP file, and in Luxembourg its rules sit in Circular CSSF 07/301. The circular started life on 17 July 2007 as a capital-only text. Circular CSSF 20/753, published on 23 October 2020, rewrote it into the combined internal capital and liquidity adequacy assessment process that CSSF-supervised institutions work to today.
The CSSF ICAAP and ILAAP framework reaches all credit institutions and CRR investment firms incorporated under Luxembourg law, together with Luxembourg branches of third-country credit institutions and investment firms. It rests on Articles 73 and 86 of the Capital Requirements Directive, transposed into Luxembourg law through Articles 18 and 19 of CSSF Regulation N 15-02. Get the pack wrong and the cost lands later, in a weaker Supervisory Review and Evaluation Process outcome that feeds straight into the Pillar 2 capital and liquidity the CSSF expects you to hold.
Two things have moved under the framework since 2020, and both change where the file goes rather than what it contains. The submission circular that told you where to send the pack, Circular CSSF 19/731, was repealed at the end of 2025. And the SREP methodology the pack feeds is being rebuilt for 1 January 2027. Both catch teams that reuse last year’s cover note without re-checking the plumbing behind it.
Related reading: our practical Pillar 2 guide to ICAAP and ILAAP for Luxembourg banks.
Key dates behind the CSSF ICAAP and ILAAP file
ICAAP and ILAAP are ongoing processes, so there is no single filing window the way there is for a quarterly COREP return. What does run on a calendar is the annual submission of the information pack and the supervisory cycle it feeds. These are the reference points worth pinning to the wall.
- 17 July 2007: Circular CSSF 07/301 first issued, covering the ICAAP only.
- 23 October 2020: Circular CSSF 20/753 published (letter dated 21 October 2020), extending 07/301 to the combined ICAAP and ILAAP and amending Circular CSSF 11/506 on stress testing.
- 31 March: the annual deadline for the ICAAP report, consolidated ICAAP report, ILAAP report and consolidated ILAAP report under the now-repealed Circular CSSF 19/731.
- 23 December 2025: Circular CSSF 25/902 repealed Circular CSSF 19/731; the list of documents, entity categories, channels and deadlines moved onto the CSSF website.
- 1 January 2027: the EBA’s revised SREP and supervisory stress-testing guidelines take effect, updating the methodology the CSSF applies to your file.
Hold on to that last line. The document you write to 07/301 is judged under an EBA methodology that is itself changing, which is a good reason to read the circular as a living instrument rather than a settled 2007 text.
What Circular 20/753 rewrote in the 2007 rulebook
Circular CSSF 07/301 in its original form did one job: it implemented the Internal Capital Adequacy Assessment Process. Liquidity sat elsewhere. Circular CSSF 20/753 folded the two together. The consolidated circular now carries the title “Implementation of the Internal Capital and Liquidity Adequacy Assessment Process (ICAAP/ILAAP)”, and its opening obligation is written for both at once: institutions “shall have in place an internal capital and liquidity adequacy assessment process”.
The 2020 amendment did more than bolt liquidity onto a capital text. It re-anchored the whole assessment on two viewpoints that the ECB had set out for significant institutions two years earlier, the normative and the economic perspective, and it wrote in a documentation and reporting structure keyed to the EBA information guidelines. Circular 20/753 also reached sideways to amend Circular CSSF 11/506 on the principles of a sound stress testing programme, so the stress-testing engine that feeds the ICAAP and ILAAP was refreshed in the same move.
Treat 20/753 as a version change, not a footnote. An institution that still runs a capital-only assessment inherited from the pre-2020 text, with liquidity handled as a side exercise, is filing against a superseded shape of the circular. The combined process is the whole point of the current instrument.
The legal chain from CRD Articles 73 and 86 to RCSSF 15-02
The circular does not invent the obligation. It channels European law into Luxembourg practice. Articles 73 and 86 of Directive 2013/36/EU set the duty to run an internal capital adequacy process and to hold adequate liquidity. Luxembourg transposed those through Articles 18 and 19 of CSSF Regulation N 15-02, and Article 3 of that regulation fixes who has to run an ICAAP and ILAAP in the first place. Circular 07/301 then supplies the implementing detail, the documentation and the reporting.
Scope is worth reading slowly. The circular applies to CRR institutions as defined in Regulation N 15-02, which in Luxembourg terms means credit institutions and CRR investment firms established here, plus the Luxembourg branches of credit institutions and investment firms headquartered in a third country. Significant supervised entities fall under the relevant ECB rules through the Single Supervisory Mechanism, so a directly ECB-supervised bank reads the ECB guides alongside 07/301. The less significant institutions the CSSF supervises directly, which is most of the Luxembourg banking population, take 07/301 as their primary reference.
One point the circular settles that trips people up: the ILAAP obligation exists whether or not you write a separate ILAAP report. A firm can present capital and liquidity in a single combined report and still be fully within 07/301. The choice of one document or two is a packaging decision, and the liquidity assessment is required either way. The circular also states plainly that it complements, and does not replace, the general risk-governance principles of Circular CSSF 12/552, which continue to apply to the ICAAP and ILAAP in particular.
Normative and economic perspectives, side by side
The heart of the post-2020 circular is the instruction to assess capital and liquidity from two angles at the same time. The normative perspective is the regulatory one: own funds, the binding capital and liquidity requirements, and the multi-year path of those ratios under baseline and stress. The economic perspective looks at internal capital and liquidity in substance, focusing on the real economic value of assets, liabilities and risks rather than their regulatory measurement.
The circular is explicit that the two can diverge. Because valuation methods and assumptions differ, the available internal capital under the economic perspective may sit well away from the own funds figure under the normative perspective, and the circular tells institutions to take a prudent approach when they set required internal capital. A common misreading is to treat the economic perspective as Pillar 1 capital plus a management buffer. It is a genuinely separate calculation of economic value at risk, and the CSSF expects to see the assumptions behind it, documented and defensible.
Both perspectives are forward-looking and multi-year. The shorter-term horizon, usually one year, has to be complemented by a longer view of at least three years, aligned with the institution’s capital and liquidity planning, so that successive planning horizons join up and the assessment does not walk the firm off a cliff edge just beyond the one-year mark. The assessment runs across a credible baseline (normal times) and a severe, institution-specific adverse scenario (stressed times).
What actually goes in the ICAAP and ILAAP information pack
Sub-chapter II.4 of the circular sets out the information the institution submits, and it is more structured than the free-form label “ICAAP document” suggests. The pack has three layers.
The first layer is general context: the business model and strategy, the risk governance and management framework, the risk appetite framework and statement, the stress testing framework and programme, and the risk data, aggregation and IT systems that sit under all of it. The second layer is the process-specific detail. For the ICAAP that means risk measurement, assessment and aggregation; internal capital and capital allocation; and capital planning. For the ILAAP it means the liquidity and funding risk management framework, the funding strategy, the strategy for liquidity buffers and collateral management, the cost-benefit allocation mechanism, intraday liquidity risk management, and the liquidity contingency plan.
The third layer is the conclusion, and it is the one supervisors read first. The circular requires a clear and concise capital adequacy statement (the CAS) and liquidity adequacy statement (the LAS), setting out current and future capital and liquidity adequacy and spelling out what the assessment means for how the institution is run. The CAS and LAS are not a covering formality. The management body in its supervisory function is required to endorse them, which is why a rushed statement signed off without a real board discussion is one of the weaker signals a file can send.
On format, the circular gives room and then closes a gap. An institution may gather everything into one comprehensive report covering capital and liquidity together, or split it into two reports, or scatter the information across existing internal documents. If it takes the scattered route, it has to build a reader’s manual, a single overarching document that points the assessor to where each piece lives. I have seen how much a clean reader’s manual changes the tone of a review: an assessor who can find the funding strategy and the concentration analysis without three follow-up emails starts from a position of trust rather than suspicion.
The governance the CSSF looks for behind the numbers
07/301 spends as much text on who owns the process as on what it calculates. The management body has to demonstrate real commitment to and knowledge of the ICAAP and ILAAP, and to ensure the institution actually holds the internal capital and liquidity the process says it needs. Authorised management owns the development, implementation and maintenance of the process, in line with the strategy the management body set in its supervisory function.
Outsourcing is where accountability gets tested. The circular allows an institution to outsource the informational needs and technical infrastructure behind the ICAAP and ILAAP, so a group model or a shared calculation engine is permitted. It draws a hard line after that: management decisions, and the internal capital and liquidity management and monitoring, may not be outsourced. Buying the model does not buy an exit from responsibility. Authorised management’s accountability covers the entire process, including any part that runs on someone else’s infrastructure.
Review is annual and layered. The management body reviews the ICAAP and ILAAP at least once a year to confirm that risk coverage still fits the institution’s nature, scale and complexity, that the process is still fully operating, and that its outcomes feed back into real capital, liquidity and risk decisions. That review has to involve the risk control function, and internal audit has to audit the ICAAP and ILAAP under its risk-based plan. A file that describes a sophisticated model but shows no evidence of that annual challenge is describing a process on paper only.
The risk taxonomy the circular expects you to at least assess
The annex to 07/301 tells institutions to build their own internal risk taxonomy rather than lift the regulatory categories wholesale, unless they can show the regulatory taxonomy is fit for their business. It then names a floor. Institutions shall at least assess credit risk (including counterparty credit risk and country risk); market risk (including structural foreign exchange risk); liquidity risk; interest rate risk, differentiating economic-value-of-equity and net-interest-income scenarios; operational risk (including business disruption and systems failure, IT risk, legal and compliance risk, and model risk); risks related to money laundering and terrorist financing; and concentration risks.
Two items on that list surprise teams that think of the ICAAP as a pure capital-modelling exercise. Money laundering and terrorist financing risk belongs in the ICAAP and ILAAP, not only in the AML function’s own reporting, because its crystallisation can produce material economic losses. And interest rate risk in the banking book has to be shown through both an economic-value and an earnings lens, which lines up with the treatment in our IRRBB guide to the EBA banking-book interest rate rules.
The annex then adds a distinctly Luxembourg instruction. Institutions active in private banking or wealth management, undertaking-for-collective-investment administration, or depositary banking have to factor the related reputational risk, operational risk and money laundering and terrorist financing risk into their ICAAP and ILAAP where relevant. Those three business lines describe a large slice of the Luxembourg banking sector, so for many local institutions this sentence is the part of the annex that most shapes their risk inventory.
How the file reaches the CSSF, from 19/731 to 25/902
Here is the moving part that quietly outdates 07/301’s own text. The circular still says, in its reporting box, that the ICAAP and ILAAP information should be submitted to the CSSF “according to the circular CSSF 19/731”. Circular 19/731, issued on 12 December 2019, set the annual submission mechanics: exclusive electronic transmission through the secured channels e-file or SOFiE, and a deadline of 31 March at the latest for the ICAAP report, the consolidated ICAAP report where applicable, the ILAAP report where established separately, and the consolidated ILAAP report where applicable.
Circular CSSF 25/902, published on 23 December 2025, repealed 19/731 outright. The underlying obligation to submit the ICAAP and ILAAP reports every year did not disappear. What changed is where the instructions live. The list of documents to be submitted annually, the categories of institution they apply to, the electronic channels and the corresponding deadlines now sit on the CSSF website, in the prudential-reporting section covering documents to be submitted on an annual basis, refreshed through a summary table rather than frozen into a circular. The transmission channels the CSSF lists there are eDesk, e-file and SOFiE.
The practical trap is the dangling reference. A reporting officer who follows 07/301 to the letter is pointed at a repealed circular, and a checklist that still cites “19/731, 31 March” is citing an instrument that no longer exists. The safe move each cycle is to read the current CSSF annual-documents list for the exact deadline and channel that apply to your institution’s category, rather than trusting the cross-reference printed inside the older circular. The broader submission calendar for Luxembourg banks sits in our CSSF reporting calendar walkthrough, and the ICAAP and ILAAP pack should be planned alongside the audit and internal-control summary reports that share the same annual cadence.
Where the pack feeds the SREP, and why the methodology is moving
The reason the CSSF collects all of this is the SREP. The circular says so directly: the CSSF assesses institutions’ ICAAP and ILAAP as part of the supervisory review and evaluation process, and its documentation requirements are built on the EBA Guidelines on ICAAP and ILAAP information collected for SREP purposes of 3 November 2016 (EBA/GL/2016/10). The SREP methodology the circular names is the EBA’s revised SREP guidelines, EBA/GL/2018/03. For less significant institutions, the CSSF applies the common LSI SREP methodology that the ECB and the national competent authorities developed from 2015 and rolled out to less significant institutions from 2018, built on the EBA guidelines and the ECB approach used for significant institutions, adjusted for proportionality.
Two forward-looking wrinkles matter for anyone planning a 2026 or 2027 file. First, the SREP guideline reference inside 07/301 has already been overtaken once: the EBA consolidated its SREP guidelines into EBA/GL/2022/03 after the circular was written, so the methodology in force moved on while the circular text stayed put. Second, the EBA published revised SREP and supervisory stress-testing guidelines in June 2026, developed under the CRD VI mandate, which apply from 1 January 2027. Those revised guidelines pull the ICT-risk assessment guidelines into the SREP framework and add the CRD VI mandates on the output floor and third-country branches, alongside interest-rate and ESG considerations.
None of that rewrites 07/301 by itself. It does mean the standard your file is judged against is shifting under it, so the SREP dialogue that follows a 2026 submission may look different from the one that followed a 2023 submission. We track the detail of that change in our explainer on the EBA’s revised SREP guidelines and Pillar 2 capital, and the wider CRD VI implementation in Luxembourg in our note on the CRD VI transposition law. For the liquidity side of the assessment, the ILAAP leans on the same buffer and funding metrics covered in our guide to LCR, NSFR and ALMM liquidity reporting.
Frequently Asked Questions
Do we file one ICAAP and ILAAP report or two separate ones?
Either is compliant. Circular 07/301 lets an institution present capital and liquidity in a single combined report, in two separate reports, or split across existing internal documents. If the information is split, the circular requires a reader’s manual as an overarching document so the assessor can locate each element. Consolidated ICAAP and ILAAP reports are added where the institution reports on a consolidated basis.
Is the ICAAP really different from the ILAAP, or is ILAAP just a chapter of it?
They are two assessments the circular deliberately runs in parallel. The ICAAP concerns the amount, types and distribution of internal capital; the ILAAP concerns the level, composition and quality of liquidity buffers. Each produces its own conclusion, the capital adequacy statement and the liquidity adequacy statement. Combining them in one document is a packaging choice and does not merge the two assessments.
Does a small less significant institution have to do all of this?
Yes, subject to proportionality. Any institution in scope under Article 3 of RCSSF 15-02 must run an ICAAP and ILAAP. The circular scales the depth of the process to the nature, scale and complexity of the institution’s activities, so a small, simple bank runs a lighter process than a complex group. Proportionality reduces the sophistication expected, not the obligation itself.
Can we outsource the ICAAP to our group or a service provider?
Partly. The circular permits outsourcing of the informational needs and technical infrastructure, such as a shared calculation engine. It prohibits outsourcing the management decisions and the internal capital and liquidity management and monitoring. Authorised management’s accountability covers the whole process, including any outsourced component, so the responsibility stays in Luxembourg even when the model does not.
What is the submission deadline now that Circular 19/731 is repealed?
The 31 March deadline printed in Circular 19/731 no longer applies as a standalone circular rule, because Circular 25/902 repealed 19/731 on 23 December 2025. The current deadline, entity categories and channels are published on the CSSF’s annual-documents page and should be read there each cycle. Submission remains electronic, through eDesk, e-file or SOFiE.
Does the ICAAP have to cover money laundering risk?
Yes. The annex to 07/301 lists money laundering and terrorist financing risk among the risks institutions shall at least assess, because its crystallisation can cause material economic losses. Institutions in private banking, wealth management, fund administration or depositary banking must also factor the related reputational, operational and money laundering and terrorist financing risks into the assessment where relevant.
How does the ICAAP and ILAAP connect to Pillar 2 capital?
The CSSF reads the ICAAP and ILAAP inside the SREP, and the SREP outcome informs Pillar 2 own funds and liquidity expectations. A well-evidenced assessment supports the institution’s own view of adequacy; a thin one leaves the supervisor to fill the gap with its own, usually more conservative, judgement. The SREP methodology behind that judgement is being revised for 1 January 2027.
Who has to sign off the ICAAP and ILAAP file?
Authorised management develops and maintains the process, but the management body in its supervisory function has to endorse the capital adequacy statement and the liquidity adequacy statement. The annual review must involve the risk control function, and internal audit must audit the process under its risk-based plan. Those three sign-off points are what turn a model into a governed process the CSSF can rely on.
Related Articles
- ICAAP and ILAAP Reporting for Luxembourg Banks – The foundational Pillar 2 guide to what the two assessments cover and how supervisors evaluate them.
- EBA Revised SREP Guidelines and Pillar 2 Capital – How the updated SREP methodology reshapes the assessment your ICAAP and ILAAP feed.
- Liquidity Reporting: LCR, NSFR and ALMM Explained – The regulatory liquidity metrics that sit behind the ILAAP normative perspective.
- IRRBB and the EBA Banking-Book Interest Rate Guidelines – The economic-value and earnings lenses the ICAAP has to apply to interest rate risk.
- CRD VI Luxembourg Transposition Law – The directive changes driving the 2027 SREP revision and the wider Pillar 2 framework.
- CSSF Reporting Calendar – Where the annual ICAAP and ILAAP submission sits among the other returns Luxembourg banks file.
Key Takeaways
- Circular CSSF 07/301 is the Luxembourg ICAAP and ILAAP rulebook; Circular CSSF 20/753, published on 23 October 2020, extended it from a capital-only process to the combined internal capital and liquidity adequacy assessment and refreshed the linked stress-testing circular 11/506.
- The obligation flows from Articles 73 and 86 of the Capital Requirements Directive, transposed by Articles 18 and 19 of CSSF Regulation N 15-02, with scope set by Article 3 of that regulation. It covers Luxembourg credit institutions, CRR investment firms and third-country branches.
- The information pack has three layers: general context, process-specific ICAAP and ILAAP detail, and the capital adequacy statement and liquidity adequacy statement, which the management body in its supervisory function must endorse.
- The assessment runs from two perspectives, the normative (regulatory) and the economic (substance over form), across a horizon of at least three years and through baseline and severe stress scenarios.
- The minimum risk list includes money laundering and terrorist financing risk, interest rate risk on both an economic-value and earnings basis, and concentration risk; private banking, fund administration and depositary institutions must factor related reputational, operational and financial-crime risks.
- The core of the process cannot be outsourced, and it must be reviewed annually with the risk control function involved and audited by internal audit.
- Submission moved: Circular CSSF 19/731, which set the 31 March deadline, was repealed by Circular CSSF 25/902 on 23 December 2025, and the current list, deadlines and channels (eDesk, e-file, SOFiE) live on the CSSF annual-documents page.
- The file feeds the SREP; the guideline the circular names, EBA/GL/2018/03, has been overtaken by EBA/GL/2022/03, and revised SREP guidelines apply from 1 January 2027.
Sources and References
- Circular CSSF 07/301 (as amended by Circulars CSSF 08/338, 09/403, 11/506, 13/568 and 20/753), Implementation of the Internal Capital and Liquidity Adequacy Assessment Process (ICAAP/ILAAP): cssf.lu and full text at cssf07_301eng.pdf.
- Circular CSSF 20/753, amendment of Circular CSSF 07/301 and Circular CSSF 11/506: cssf.lu.
- Circular CSSF 19/731 (repealed), Documents to be submitted to the CSSF and to the European Central Bank on an annual basis: cssf19_731eng.pdf.
- Circular CSSF 25/902, repeal of Circular CSSF 19/731 (23 December 2025): cssf.lu.
- CSSF, Prudential reporting for credit institutions (documents to be submitted on an annual basis): cssf.lu.
- Directive 2013/36/EU (Capital Requirements Directive), Articles 73 and 86: EUR-Lex.
- EBA Guidelines on ICAAP and ILAAP information collected for SREP purposes (EBA/GL/2016/10, 3 November 2016) and the SREP guidelines: EBA SREP page.
- EBA, Final Report on revised SREP and supervisory stress-testing guidelines (applying 1 January 2027): eba.europa.eu.
- ECB Guide to the internal capital adequacy assessment process (ICAAP), November 2018: bankingsupervision.europa.eu.
- ECB, SREP for less significant institutions (common methodology developed from 2015, applied from 2018, full application since 2022): bankingsupervision.europa.eu.
- ECB Guide to the internal liquidity adequacy assessment process (ILAAP), November 2018: bankingsupervision.europa.eu.
- Circular CSSF 12/552 (as amended), central administration, internal governance and risk management: cssf.lu.
Reading 07/301 in 2026, not 2007
The temptation with a circular first issued in 2007 is to treat it as settled ground. The ICAAP and ILAAP framework is the opposite of settled. Circular 20/753 turned it into a combined capital-and-liquidity, two-perspective assessment in 2020. Circular 25/902 pulled the submission mechanics out of a circular and onto a living webpage at the end of 2025.
And the SREP methodology it feeds is on the clock for a 1 January 2027 rebuild. A Luxembourg reporting officer who wants the file to carry weight reads the current 07/301 text for what to assess, and reads the CSSF annual-documents page and the latest EBA guidelines for where and how it is judged. The two halves have drifted apart, and closing that gap each year is the quiet part of the job.
Last updated: July 2026
Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.