CSSF AML/CFT Standardised Data Collection – What the New AMLA Template Requires
Last updated: March 2026
Your compliance team filled out the CSSF Questionnaire on Financial Crime last year. This year, you can forget everything about that format. The CSSF has replaced its annual questionnaire with a standardised template developed by the European Authority for Anti-Money Laundering (AMLA). The data points are different, the structure is different, and the purpose extends beyond Luxembourg supervisory needs to an EU-wide calibration of AML/CFT risk assessment methodology. If you filed your 2025 questionnaire on autopilot, the 2026 exercise will require a fresh approach.
The switch happened fast. AMLA announced its data collection exercise in January 2026. By 12 February, the CSSF had decided to adopt the AMLA template for all supervised entities rather than run two parallel questionnaires. By 11 March, the launch was delayed because AMLA was still revising the template after receiving heavy industry feedback. As of late March 2026, the eDesk platform remains closed for this campaign, and the final template version has not been released.
This article covers what we know, what to expect, and how to start preparing before the final template lands.
Why the CSSF Switched Templates
The CSSF’s Circular Letter of 12 February 2026 explains the rationale directly. AMLA launched a significant data collection exercise covering a broad range of CSSF-supervised entities. The CSSF concluded that running its own Questionnaire on Financial Crime alongside the AMLA exercise would create a double reporting burden with no supervisory benefit. As the CSSF put it: the CSSF Questionnaire would “lose representativeness unless requesting supervised entities to complete both Questionnaires.”
The practical consequence: instead of maintaining a Luxembourg-specific data collection, the CSSF adopted the AMLA-developed templates for all supervised entities (except specialised professionals of the financial sector, who continue to fill out the CSSF’s own questionnaire). This is part of preparing for the common EU AML/CFT methodology that will underpin AMLA’s risk assessment and supervisory selection process when it becomes operational.
I think this is the right call. Maintaining two parallel questionnaires with overlapping data points would have been wasteful. But the transition cost is real: compliance teams need to learn a new template structure, map their existing data to new data points, and prepare for a format they have never seen before.
Who Is Affected
The CSSF Circular Letter of 12 February 2026 is addressed to the management board and board of directors of all:
- Credit institutions
- Investment firms
- Investment fund managers (including registered AIFMs, Luxembourg branches of investment fund managers, SIAGs, FIAAGs, and investment funds that did not designate an investment fund manager)
- Payment institutions and electronic money institutions
- Virtual Asset Service Providers
- Crypto Asset Service Providers
- Issuers of tokens (asset-referenced tokens and e-money tokens under MiCAR)
- Specialised professionals of the financial sector (separate treatment)
- Central Securities Depositories
This covers entities incorporated under Luxembourg law and Luxembourg branches of entities with registered offices in an EU country or third country.
In practice, this is the same scope as the previous CSSF Questionnaire on Financial Crime. The change is the template, not the population.
Three Entity Categories
The CSSF Circular Letter divides the addressees into three categories based on their relationship to the AMLA exercise. Understanding which category your entity falls into determines your template, your deadline, and the level of scrutiny you will receive.
Category A: AMLA Calibration Exercise Entities
Certain supervised entities have been selected by the CSSF to participate in the AMLA “calibration exercise.” If your entity is in Category A, you were notified directly by the CSSF. Participation is mandatory.
The calibration exercise serves a specific purpose: testing and calibrating the methodology that AMLA will use at EU level for assessing ML/TF risks of individual credit and financial institutions. This is the same methodology that AMLA will eventually use to select entities for direct supervision under Article 12 of Regulation (EU) 2024/1620.
Category A entities report a defined set of quantitative and qualitative data points specified in the annexes of two draft regulatory technical standards:
- Draft RTS on risk assessments: covering the assessment of inherent and residual risk profiles of obliged entities under Article 40(2) of Directive (EU) 2024/1640 (AMLD6)
- Draft RTS on selection: covering the risk assessment for the purpose of selecting entities for AMLA direct supervision under Article 12(7) of Regulation (EU) 2024/1620
The originally planned deadline for Category A entities was 15 April 2026, with submission to the CSSF via the eDesk platform. However, AMLA subsequently communicated a deadline of 22 April 2026 for sampled entities. As of the 11 March delay circular, the timeline was still in flux due to the ongoing template revision. Check the latest CSSF communication (18 March 2026) for the confirmed submission date.
If you are in Category A, this is not optional. The data you report will directly inform how AMLA’s supervisory methodology works. Errors or gaps in your submission will affect the calibration outcome, and the CSSF will expect rigorous data quality.
Category B: All Other Supervised Entities
Credit and financial institutions that were not selected for the AMLA calibration exercise (Category A) are in Category B. These entities are required to report on their ML/TF risks and mitigation measures for the reporting year 2025, using the same AMLA-developed templates as Category A.
The original launch was scheduled for 2 March 2026 via eDesk. The submission deadline for Category B entities was to be communicated separately. As of the 11 March delay circular, the deadline has been explicitly deferred: the CSSF will set a new deadline once the final template is available from AMLA.
Category B entities should not interpret the delayed deadline as an invitation to wait. The CSSF attached a significantly updated draft version of the questionnaire to the 11 March circular letter, explicitly for preparation purposes. The CSSF instructed entities to start collecting data based on this draft version. The draft is not the file to fill out and submit, but it shows the structure, the data points, and the level of detail expected.
Category C: Specialised Professionals of the Financial Sector
Specialised professionals of the financial sector (specialised PFS) are excluded from the AMLA exercise. They will complete a separate CSSF-specific questionnaire. The launch for specialised PFS was originally 23 February 2026, before the general campaign was delayed.
If you are a specialised PFS, your data collection is on a separate track. The AMLA template does not apply to you. However, the 11 March delay circular did not mention specialised PFS specifically, which suggests the separate CSSF questionnaire may have proceeded on schedule or on a slightly adjusted timeline. Check the CSSF’s eDesk portal for the current status.
The AMLA Template: What We Know So Far
Data Points from the Draft RTS
The data points are specified in the annexes of the two draft RTS referenced in the CSSF circular. While the final template is still being revised, the draft RTS published by AMLA provide a clear picture of the expected data categories:
- Entity identification data: legal form, licensing status, business model, group structure
- Geographic exposure: countries of establishment, countries where customers are domiciled, cross-border activity indicators
- Customer base analysis: breakdown by customer type (natural persons, legal entities, trusts), risk classifications, PEP exposure
- Product and service risk: mapping of products and services to ML/TF risk categories
- Delivery channel risk: online vs. face-to-face, intermediary channels
- Transaction patterns: volume and value of transactions by type, cash transactions, cross-border transfers
- STR data: number of suspicious transaction reports filed, internal referrals, case outcomes
- AML/CFT governance: compliance function staffing and resources, training, independent testing
- Risk assessment outcomes: inherent risk scores, mitigation measures, residual risk scores
The depth is significant. The AMLA template asks for quantitative data (numbers, values, volumes) and qualitative data (self-assessments, descriptions of risk management approaches). This is not a tick-box exercise. It requires the compliance function, risk management, operations, and potentially finance to coordinate their inputs.
Quantitative vs. Qualitative Data Points
The distinction matters for preparation. Quantitative data points (transaction volumes, STR counts, customer numbers by category) should be extractable from your existing systems, though the specific breakdowns requested may not match your current reporting categories. You may need to run new queries against your transaction monitoring system, KYC database, and management information system.
Qualitative data points (descriptions of your risk assessment methodology, your approach to high-risk customer segments, the design of your ongoing monitoring framework) require written responses. These need to be drafted, reviewed, and approved by the compliance function. In my experience, the qualitative sections are where teams fall behind because they underestimate the time needed for internal review and sign-off.
Why the Launch Was Delayed
The CSSF Circular Letter of 11 March 2026 (titled “Delay in the AML/CFT standardised data collection”) provides the explanation. AMLA received a “very high number of comments from the sampled industry participants” who reviewed the draft questionnaire template and interpretative guidance during consultation. AMLA is incorporating relevant feedback into an updated version.
As of 11 March, AMLA had not clarified how long the review and revision process would take. The CSSF responded by:
- Keeping eDesk closed for the data collection campaign until the final version is available
- Attaching a significantly updated (but still not final) version of the questionnaire to the circular letter for preparation purposes only
- Maintaining the 15 April 2026 deadline for Category A (sampled) entities, with the caveat that changes may be communicated
- Deferring the deadline for Category B entities, to be set once the final template is available
This delay is both a complication and an opportunity. The complication is obvious: you cannot submit what you do not have. The opportunity is that you now have time to prepare your data infrastructure, map your existing data to the draft template structure, and get your qualitative responses drafted, all before the final template drops and the clock starts.
What Changed Between the Draft Versions
The CSSF described the version attached to the 11 March circular as “significantly updated.” This suggests material changes to the data points, the structure, or the interpretative guidance compared to the initial draft. Without access to both versions side by side, the specific changes are not publicly detailed. However, the fact that AMLA received a “very high number of comments” suggests the industry pushed back on issues like:
- Data availability: certain data points may not exist in entities’ current systems
- Proportionality: smaller entities may have argued that the template was calibrated for large cross-border banks
- Interpretation: ambiguous data definitions leading to inconsistent reporting across entities
- Timeline: the original 15 April deadline may have been unrealistic given the template complexity
These are exactly the issues that surface in any new EU-wide data collection. The AMLR reporting framework will eventually standardize these data points, but for now, AMLA is building the methodology from scratch and the 2026 exercise is the test run.
How This Connects to AMLA Direct Supervision
The data collection is not just a supervisory exercise. It feeds directly into AMLA’s selection methodology for deciding which entities AMLA will directly supervise starting 1 January 2028.
Under Article 12 of the AMLA Regulation (Regulation (EU) 2024/1620), AMLA selects entities for direct supervision based on two criteria: cross-border presence (operations in at least six Member States) and ML/TF risk profile (classified as high using AMLA’s methodology). The calibration exercise (Category A) is specifically designed to test and refine this methodology.
For Luxembourg entities, this has a practical implication. If your entity is in Category A, the data you submit will help calibrate the scoring model. The quality and accuracy of your data may influence where your entity lands on the risk classification scale in future selection rounds. Understating your risks might feel safer in the short term, but it creates credibility problems if AMLA later finds discrepancies during on-site assessments.
Category B entities are not immune. The CSSF will use the data from all entities to inform its own risk-based supervisory approach. A complete and accurate submission supports a straightforward supervisory relationship. Gaps or inconsistencies will attract follow-up questions.
Practical Preparation Steps
Even though the final template is not yet available, you can take several steps now that will save significant time once the eDesk portal opens:
Map Your Existing Data to the Draft Template
Download the draft questionnaire attached to the CSSF’s 11 March circular letter and map your existing data sources to each data point. For quantitative fields, identify which system holds the data (transaction monitoring, KYC/CRM, sanctions screening, core banking). For qualitative fields, identify who in your organization is the subject matter expert responsible for drafting the response.
Identify Data Gaps
Some data points in the draft template may not be available in your current systems. Common gaps include: geographic breakdown of transaction volumes by destination country, customer risk classification by category (if your system uses a different segmentation than the template), and exact STR conversion rates (internal referrals versus filed STRs).
Where gaps exist, assess whether you can extract the data with a custom query, whether you need to derive it from proxy data, or whether it genuinely does not exist. For data that does not exist, document the gap and prepare an explanation. Do not fabricate numbers.
Draft Qualitative Responses
The qualitative sections will ask you to describe your risk assessment methodology, your approach to specific risk categories, and your mitigation measures. These responses need to be accurate, proportionate to your entity’s size and complexity, and consistent with your actual practices. Start drafting now. Get the first version reviewed by the MLRO and the compliance function. The internal review cycle typically takes two to three rounds.
Coordinate Across Functions
The AMLA template covers data from across the entity: compliance, risk, operations, finance, and IT. Assign a project coordinator (typically the MLRO or deputy) to manage data collection across functions. Set internal deadlines that are at least one week ahead of the regulatory deadline to allow for quality checks and late-breaking data corrections.
Monitor CSSF Communications
The CSSF has committed to distributing the final version of the questionnaire once it becomes available from AMLA and to communicating the adjusted deadline for Category B entities. Monitor the CSSF’s eDesk portal and circular letter publications. The CSSF issued a further circular letter on 18 March 2026 providing additional updates on the data collection exercise. Review this communication for the latest timeline, template status, and any changes to submission requirements. This is a fast-moving process and each circular letter has contained material new information.
The FATF Dimension
The CSSF noted in its 12 February circular letter that an “ad-hoc questionnaire may still be requested later in the year to collect essential data points such as those required for FATF, where these are not covered by the AMLA questionnaire.” This means the AMLA exercise may not fully replace the CSSF’s data needs. If the AMLA template does not capture certain FATF-required data points, the CSSF will request them separately.
For entities, this creates a potential double submission scenario for specific FATF data points. The CSSF said it would provide detailed information at a later stage. For now, the practical takeaway is: do not assume the AMLA questionnaire is the only data collection you will face in 2026.
Frequently Asked Questions
Has my entity been selected for the AMLA calibration exercise (Category A)?
If you were selected, you were notified directly by the CSSF. If you did not receive a notification, you are in Category B (or Category C if you are a specialised PFS). There is no public list of selected entities.
Can we start filling out the questionnaire now?
Not for submission. The eDesk platform is closed for this campaign until the final template version is available. However, the CSSF explicitly instructed entities to use the draft version attached to the 11 March circular letter for preparation. Collect your data, draft your qualitative responses, and be ready to transfer them into the final template when it launches.
What is the current deadline?
For Category A entities, the CSSF originally cited 15 April 2026 while AMLA communicated 22 April 2026. Check the latest CSSF circular (18 March 2026) for the confirmed date. For Category B entities, the deadline has been deferred and will be communicated once the final template is available. Both deadlines may shift further depending on AMLA’s revision timeline.
Is this the same as the old CSSF Questionnaire on Financial Crime?
No. The 2026 exercise uses AMLA-developed templates that replace the CSSF’s annual Questionnaire on Financial Crime. The scope of entities is the same, but the data points, structure, and purpose are different. The AMLA template feeds into the EU-wide risk assessment methodology, not just CSSF supervisory needs.
Do investment fund managers need to submit?
Yes. Investment fund managers (including registered AIFMs, Luxembourg branches, SIAGs, FIAAGs, and self-managed investment funds) are explicitly listed in the CSSF circular letter. They are in scope for the AMLA questionnaire under Category B (unless individually selected for Category A).
What happens if the final template is materially different from the draft?
Entities that prepared based on the draft may need to adjust their data collection. The CSSF acknowledged this risk by calling the draft version “significantly updated, however not final.” The adjusted deadline for Category B entities is intended to give time for this adaptation. For Category A entities with the 15 April deadline, any material changes to the template would likely require AMLA to adjust the timeline.
Will there be a separate data collection for FATF purposes?
Possibly. The CSSF reserved the right to request an ad-hoc questionnaire later in 2026 for data points required by FATF that are not covered by the AMLA questionnaire. The CSSF will communicate the details if this becomes necessary.
Key Takeaways
- The CSSF has replaced its annual Questionnaire on Financial Crime with AMLA-developed templates for the 2026 AML/CFT data collection, covering all supervised entities except specialised PFS
- Three entity categories exist: (A) sampled entities in the AMLA calibration exercise, (B) all other supervised entities using the same AMLA template, and (C) specialised PFS using the CSSF’s own questionnaire
- The launch has been delayed. eDesk remains closed. AMLA is revising the template after receiving heavy industry feedback. The final version and adjusted deadlines will be communicated by the CSSF
- Category A entities face a deadline around mid-to-late April 2026 (CSSF cited 15 April, AMLA cited 22 April; check the latest circular for the confirmed date). Category B deadlines are deferred
- The data feeds AMLA’s risk assessment and supervisory selection methodology. Quality and accuracy matter for how your entity is assessed, not just for compliance
- Use the draft questionnaire attached to the CSSF’s 11 March circular letter to start preparing. Map your data sources, identify gaps, and draft qualitative responses now
- The AMLA template requires both quantitative data (transaction volumes, STR counts, customer breakdowns) and qualitative self-assessments (risk methodology, governance, mitigation measures)
- A separate FATF-specific data collection may follow later in 2026 if the AMLA template does not cover all required FATF data points
Sources and References
- CSSF Circular Letter of 12 February 2026 – AML/CFT standardised data collection exercise taking place in 2026 https://www.cssf.lu/en/Document/circular-letter-2026-02-12/
- CSSF Circular Letter of 11 March 2026 – Delay in the AML/CFT standardised data collection https://www.cssf.lu/en/Document/circular-letter-2026-03-11/
- CSSF Circular Letter of 18 March 2026 – Further update on the AML/CFT standardised data collection https://www.cssf.lu/en/Document/circular-letter-2026-03-18/
- AMLA Press Release of 26 January 2026 – Launch of AML/CFT data collection exercise
- Regulation (EU) 2024/1620 – AMLA Regulation, Article 12 (selection of entities for direct supervision) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1620
- Directive (EU) 2024/1640 – AMLD6, Article 40(2) (risk assessment of obliged entities) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024L1640
- AMLA Draft RTS on Risk Assessments – Draft Regulatory Technical Standards on the assessment of inherent and residual risk profiles of obliged entities
- AMLA Draft RTS on Selection – Draft Regulatory Technical Standards on risk assessment for the purpose of AMLA direct supervision selection
Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.