CSSF AML/CFT Sanction: Enforcement Lessons From the March 2026 Fine
Last updated: June 2026
A CSSF AML/CFT sanction rarely turns on an exotic typology. It turns on the housekeeping. The administrative fine the CSSF imposed on 5 March 2026, and published on a nominative basis on 9 June 2026, is a clean example.
A Luxembourg specialised professional of the financial sector running a domiciliation business was fined EUR 56,000 for breaches that read like a list of everyday controls that slipped: suspicious activity reports filed late, due diligence skipped during a client takeover, and a name-screening queue nobody worked through.
For Luxembourg-regulated entities, the value of this decision is not the number. It is the mapping. The CSSF set out, breach by breach, which article of the AML/CFT Law and which article of CSSF Regulation No 12-02 each failing engaged. Read that way, the sanction is a control checklist you can run against your own files before an on-site inspection does it for you.
What the CSSF AML/CFT sanction actually covered
The sanctioned entity is a specialised PFS authorised under Articles 25, 28-6, 28-9, 28-10, 29-1 and 29-2 of the Law of 5 April 1993 on the financial sector. The fine of EUR 56,000 represented around two percent of its total annual turnover as at 31 March 2022, adjusted for the calculation. The CSSF imposed it under Article 2-1(1) of the Law of 12 November 2004 on the fight against money laundering and terrorist financing, read with Article 8-4(1), (2) point (f) and (3) point (a) of that Law. The amount was set under Article 8-5(1), which directs the CSSF to weigh the gravity and duration of the breaches and the entity’s financial situation; two factors pulled it down, namely the limited scope of the inspection and the firm’s acknowledgement of the findings, action plan and corrective measures. The nominative publication rests on Article 8-6(1).
One date matters more than the fine date: the on-site inspection ran from March 2023 to June 2024, the breaches existed at that time, and the decision landed nearly two years later. The enforcement lesson is a narrow one: the CSSF assessed the breaches as they existed at the time of the on-site inspection, while the firm’s acknowledgement, action plan and post-inspection corrective measures were relevant to the sanction assessment.
Late and incomplete suspicious activity reports
The first cluster sits under Article 5(1) point (a) of the AML/CFT Law, the duty to inform the Financial Intelligence Unit promptly and on the firm’s own initiative when there are reasonable grounds to suspect money laundering or an associated predicate offence, and to attach all relevant supporting information. The firm had detected adverse media in four cases pointing to potential corruption or drug trafficking but did not investigate far enough to confirm or discard the suspicion. The reports went to the FIU only after the CSSF asked about the files during the inspection, which made them late, and they omitted key indicators the firm itself had identified and the supporting documentation. In six further cases linked to corruption, bribery and primary tax offences, no report was filed at all. This is where AML teams can misread the obligation: adverse media that creates reasonable grounds of suspicion, and is not sufficiently investigated to exclude that suspicion, is not a research backlog. A SAR or STR that omits the indicators and supporting documents behind the suspicion does not discharge the Article 5(1) duty even when filed on time.
The client-portfolio takeover trap
On 1 February 2022 the firm took over a block of clients from another Luxembourg PFS. Two regulatory due-diligence assessments by a third-party provider had flagged major deficiencies in those clients before the takeover, yet the firm took the book without a real remediation plan. The CSSF anchored this on Article 3(1) of the AML/CFT Law, which requires customer due diligence when a firm enters a new business relationship, and stated that taking over a client portfolio counts as establishing new business relationships, so the full obligation applies to inherited clients on day one. From that root failure it traced a chain: insufficient due diligence at takeover, no enhanced due diligence for two clients despite high-risk indicators, missing source-of-funds information for two clients, and inadequate measures to exclude predicate tax-offence laundering risk for three clients. The recurring mistake is to treat inherited files as someone else’s history. A pre-acquisition review that surfaces problems is not a clean bill of health; it is a remediation list with your name on it the moment the relationship transfers.
Name screening, sanctions and PEP alert backlogs
The largest operational failing was an alert queue that was never cleared. The firm had accumulated significant delays in processing screening alerts against restrictive-measures lists, lists of politically exposed persons and adverse media. Hundreds of name-screening alerts had been handled with significant delay, and 42 alerts had not been reviewed at all. The CSSF mapped this to several provisions at once. The inability to identify, without delay, persons subject to restrictive measures breaches Article 3(2) point (d) of the AML/CFT Law and Article 33(1) of CSSF Regulation No 12-02. The delay in clearing PEP alerts, and the failure to apply enhanced due diligence where due, engages Article 3-2(4) point (a) of the AML/CFT Law, Article 3(4) of the Grand-ducal Regulation of 1 February 2010 and Article 30(1) of CSSF Regulation No 12-02. Late analysis of adverse-media alerts breaches Article 39(5) of the same Regulation, and alerts closed on incorrect analysis breach Article 39(3) and (5).
The control lesson is that volume is the wrong metric. A team that reports how many alerts it generated, without reporting how old the open ones are, hides the exact risk found here, and on the sanctions limb an aging alert is not a productivity issue but a live exposure. Cross-border teams can read across to the AMLA home-host supervisory cooperation framework taking shape at EU level.
Outsourced screening and the four-eyes gap
Client data used for name screening was entered by a group entity in Switzerland, and the firm ran no regular controls on whether that outsourced input was complete and correct. The CSSF treated this as a failure under Article 37(2) of CSSF Regulation No 12-02, which requires the firm to keep the means to test and monitor a third-party delegate’s compliance under the risk-based approach. Internally, data changes for the inherited clients, held in a separate database until remediation, did not pass a four-eyes check and got no second-level review, breaching Article 42(5) on the second line of defence verifying first-line controls. The point teams get wrong is the scope of delegation: you can outsource the keystrokes, not the responsibility for whether the data behind your screening is right.
Database completeness is an AML control, not IT housekeeping
The CSSF closed on the data itself. Client records were missing or incorrect in both the firm’s own database and the inherited one, and both were judged incomplete. An incomplete customer database breaches Article 39(2) of CSSF Regulation No 12-02 and undercuts Article 4(3) of the AML/CFT Law, the duty to answer the competent authorities, which you cannot do from a database with holes in it. Missing data also feeds back into screening, because an incomplete record can cause a genuine match to go undetected, which the CSSF tied to Article 39(1) on control mechanisms that identify, without delay, persons subject to restrictive measures. It also engaged Article 47, the duty to respond promptly when the authorities ask whether the firm has a relationship with a named person. Data quality is rarely owned by compliance in practice; this decision puts it inside the AML control framework.
How supervisors surface these gaps before an inspection
None of these breaches needed an on-site visit to become visible. Under Article 42(6) and (7) of CSSF Regulation No 12-02, the compliance officer prepares an annual summary report on the AML/CFT function, and the person responsible for compliance submits it to the CSSF within five months of the financial year-end. Internal AML/CFT reporting should make those issues visible, because Article 42(5) reports cover follow-up of recommendations, problems, shortcomings and irregularities, and allow management to assess the scale of suspicions or reasonable grounds for suspicion identified. The supervisory picture is also widening through eDesk reporting, but the 2026 template split matters. The CSSF stated that most covered entities use AMLA-developed templates, while specialised PFS are out of the AMLA data-collection exercise and complete the usual CSSF Questionnaire; for specialised PFS, the 2026 launch date was 23 February 2026 and the submission deadline was 3 April 2026. For the standing cycle behind that, see the CSSF AML/CFT data collection in 2026; for how the single rulebook tightens these duties, what the EU AML Regulation changes for Luxembourg; and for the same patterns abroad, the AUSTRAC enforcement actions on late reporting.
Frequently Asked Questions
What was the size of the CSSF AML/CFT sanction and what entity did it hit?
The CSSF imposed an administrative fine of EUR 56,000 on a Luxembourg specialised PFS carrying on a domiciliation business, around two percent of its total annual turnover as at 31 March 2022, adjusted for the calculation. The decision was taken on 5 March 2026 and published on 9 June 2026.
Which legal provisions did the CSSF rely on?
The fine was imposed under Article 2-1(1) of the Law of 12 November 2004, read with Article 8-4(1), (2) point (f) and (3) point (a). Article 8-5(1) governs the amount and Article 8-6(1) is the basis for nominative publication.
Why were the suspicious activity reports treated as a breach if some were filed?
Filing alone does not discharge Article 5(1) point (a). The reports went to the FIU only after the CSSF queried the files, which made them late, and they omitted key indicators and supporting documents. In six other cases no report was filed despite indicators of corruption, bribery and tax offences.
Does taking over a client portfolio trigger fresh due diligence?
Yes. The CSSF applied Article 3(1) and stated that a portfolio takeover counts as establishing new business relationships, so full customer due diligence, including enhanced due diligence and source-of-funds checks where indicators require it, applies to inherited clients.
What is the rule on processing sanctions and PEP screening alerts?
The regulation requires firms to identify persons subject to restrictive measures and act without delay, under Article 3(2) point (d) of the Law and Article 33(1) of CSSF Regulation No 12-02. Delayed PEP alerts also prevent the enhanced due diligence required under Article 3-2(4) point (a) and Article 30(1).
How does an incomplete client database become an AML breach?
An incomplete database breaches Article 39(2) and undermines Article 4(3) on answering the authorities. Missing data can also cause a real screening match to be missed, engaging Article 39(1), and it blocks a prompt response under Article 47 when the CSSF asks about a named person.
Key Takeaways
- The CSSF AML/CFT sanction of 5 March 2026 fined a Luxembourg specialised PFS EUR 56,000, around two percent of annual turnover, after an on-site inspection running from March 2023 to June 2024.
- An unresolved adverse-media suspicion is a reporting trigger under Article 5(1) point (a), and a SAR or STR that omits indicators and supporting documents does not discharge the duty.
- A client-portfolio takeover is a new business relationship under Article 3(1), so inherited clients need full due diligence and a real remediation plan from day one.
- Sanctions and PEP alerts must be cleared without delay; an aging or wrongly closed alert breaches Article 33(1), Article 30(1) and Article 39(3) and (5) of CSSF Regulation No 12-02.
- Outsourcing screening data entry does not move the control duty; Article 37(2) requires means to test and monitor the delegate, and the CSSF treated the absence of four-eyes controls and second-level review as a failure under Article 42(5).
- An incomplete customer database is an AML control failure, engaging Article 39(2), Article 39(1) and Article 47 of CSSF Regulation No 12-02 and Article 4(3) of the AML/CFT Law.
Sources and References
- CSSF, Administrative sanction of 5 March 2026 for non-compliance with professional obligations related to AML/CFT (published 9 June 2026): cssf.lu document page and decision PDF.
- Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (consolidated version): cssf.lu and PDF.
- CSSF Regulation No 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing, as amended: coordinated text PDF.
- CSSF, Anti-Money Laundering and Countering the Financing of Terrorism overview (Grand-ducal Regulation of 1 February 2010 and related instruments): cssf.lu AML/CFT page.
- CSSF circular letter, AML/CFT standardised data collection exercise taking place in 2026 (12 February 2026): cssf.lu document page and circular PDF.
- CSSF circular letter, Latest update on the AML/CFT standardised data collection (18 March 2026): cssf.lu document page.
Reading the sanction as a control checklist
Take the decision apart and it is not a story about one firm. It is six controls any Luxembourg AML team can test this week: are unresolved suspicions reported and documented, are inherited clients getting fresh due diligence, is the oldest open screening alert measured and worked, is every delegated data task controlled, does the four-eyes review actually run, and is the customer database complete enough to answer the CSSF the day it asks. The fine was EUR 56,000. The cheaper version is to run that list against your own files first.