CSSF de-risking communique: managing ML/FT risk instead of avoiding it, what Luxembourg-regulated firms must address in their AML/CFT frameworks

Last updated: June 2026

A relationship manager flags a client as awkward. The country profile is messy, the ownership chain runs through two jurisdictions, and the file would take real work to keep current. The easy answer is to exit. Close the account, decline the onboarding, and the risk number on the dashboard goes down. The CSSF communique of 16 June 2026 on de-risking practices and ML/FT risk management exists because that easy answer, repeated across a portfolio, is the wrong one. It does not reduce money laundering and terrorist financing risk. It pushes the risk somewhere a Luxembourg firm can no longer see it, and it can leave the firm exposed on a different front.

The CSSF position is short to state and hard to live by. Supervised professionals are expected to manage ML/FT risk effectively, not to avoid it by refusing or terminating whole categories of clients. De-risking, as the CSSF and the European authorities use the term, is the refusal to enter into or the decision to end a business relationship in order to sidestep risk rather than to assess and mitigate it. The communique draws a line between that and a legitimate commercial decision, and the line matters for how you document files, calibrate your risk-based approach, and answer the CSSF when it asks why a client was shown the door.

This article works through what the communique requires, where the legal basis sits in Luxembourg and EU law, and the specific places teams get the call wrong. It is written for the compliance officer and the AML reporting function who have to make these decisions defensible, file by file.

What the CSSF de-risking communique actually says

The core message is a distinction, not a ban. The CSSF reminds professionals that the obligation is to develop a proper understanding of their ML/FT exposure and to put in place an appropriate and effective internal framework to identify and mitigate it. Wholesale avoidance is not that framework. The communique states that professionals may not generally ban or exclude entire categories of clients except where the law expressly provides for it. A blanket rule that says “we do not bank clients from country X” or “we do not onboard any client of type Y” is, in the CSSF’s framing, de-risking rather than risk management.

The communique is equally clear that not every exit is de-risking. An institution can decide to leave a customer segment because it is unprofitable, because it no longer fits the strategy, or because servicing it well would cost more than it earns. That is a business decision, and the CSSF does not second-guess commercial appetite. The trap is dressing a compliance-driven exit as a business decision, or the reverse, refusing to make a genuine commercial choice because the file has an AML flag on it. The two motivations need to be separable in your records.

One operational detail decides most of these cases. The CSSF expects the assessment to be individual. The reference point is the EBA guidance on managing ML/FT risk when providing access to financial services, which requires institutions to look at the specific customer in front of them before they reject or terminate, not to apply a category-level shortcut. A higher inherent risk is a reason to do more work on a file, not an automatic reason to close it. Where the answer to “why did we exit this client?” is “because of the category they fall into” rather than “because of what we found when we looked at this client and could not mitigate,” the file is weak.

The Luxembourg legal basis the communique sits on

De-risking is not a new standalone rule. It is the CSSF reading existing obligations and saying how it expects them to be applied. The starting point is the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended, which the CSSF framework refers to simply as “the Law.” Sitting under it is CSSF Regulation No 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing (published in Mémorial A No 5 of 9 January 2013), as amended by CSSF Regulation No 20-05 of 14 August 2020, and the Grand-ducal Regulation of 1 February 2010. Together these set the risk-based approach that the de-risking communique builds on.

The risk-based approach in Luxembourg has a specific shape. Under Article 4(4) of CSSF Regulation 12-02, a professional’s risk-based approach must be based on a defined ML/TF risk appetite, approved by the Board of Directors and implemented by the authorised management, with policies, procedures and controls that are consistent with that appetite. De-risking by reflex is in tension with this. If the board has set an appetite that allows for higher-risk segments managed with enhanced controls, the front line cannot quietly close those clients to keep its own life simple. The appetite and the practice have to match.

Customer risk categorisation is where the work happens. Article 5 of CSSF Regulation 12-02 requires professionals to categorise all customers by ML/TF risk level using a consistent combination of factors covering the customer, countries and geographic areas, products and services, and delivery channels. The same article makes a point that is easy to skip past. Simplified due diligence is not a default for any group; its application must be justifiable and demonstrable to the Luxembourg AML/CFT authorities, and the assessment of risk level can never be used to derogate from enhanced due diligence where the Law, the Grand-ducal Regulation, or the regulation require it. So the two ways teams mishandle risk, over-applying simplification to a “low-risk” group and over-applying exit to a “high-risk” group, both fail the same test: neither is grounded in an individual, evidenced assessment.

For investment fund managers and other supervised entities, the same logic reaches into the annual reporting cycle. Professionals must be able to complete the CSSF questionnaire on the collection of ML/TF risk information annually and submit it within the time limits via the channel the CSSF determines. For a deeper walk-through of that return, see our guide to the CSSF AML/CFT data collection exercise. The data can inform the CSSF’s AML/CFT risk-based supervision, so unexplained onboarding refusals or exit practices should be supportable in the firm’s own records even where they are not a standalone questionnaire data point.

Why blanket exits weaken your own framework

The argument against de-risking goes beyond the harm to excluded customers. It is that it degrades the firm’s own ability to detect crime. This is not just the CSSF’s view; it is written into EU law. The recitals to the Sixth Anti-Money Laundering Directive, Directive (EU) 2024/1640, record that credit institutions might choose to terminate or restrict relationships with customers in order to avoid, rather than manage, risk, and that such de-risking practices could weaken the AML/CFT framework and the detection of suspicious transactions, because affected customers turn to less secure or unregulated channels.

Think about what happens to the suspicious activity you would otherwise have caught. A client you exit does not stop transacting. They move to a firm with weaker controls, or to an informal channel, and the transactions you might have monitored and reported now run past nobody. The firm that exited has not removed the risk from the system. It has removed its own visibility of it. For a function whose product is detection and reporting, that is the opposite of progress.

The same recital flags the supervisory consequence. Financial supervisors are expected to identify cases where an institution has refused or terminated a relationship through de-risking without a justification based on documented customer due diligence, and to alert the authorities responsible for payment account access rules. In plain terms, an undocumented exit is not a neutral act in the eyes of the new framework. It is a flagged event. The thing that makes it defensible is the file behind it.

What the EBA guidance expects instead

The CSSF leans on a body of EBA work that pre-dates the new AML package and remains the operating standard. In January 2022 the EBA published its Opinion on de-risking (EBA/Op/2022/01, 5 January 2022), which set out the scale of the problem and the conclusion that de-risking of entire categories of customers, without due consideration of individual risk profiles, is rarely justified.

The EBA then turned that into supervisory expectations. The Guidelines on policies and controls for the effective management of money laundering and terrorist financing risks when providing access to financial services (EBA/GL/2023/04, 31 March 2023) require institutions to apply ML/TF risk management to access decisions, so that a higher-risk customer is met with enhanced controls rather than refusal. These sit alongside the ML/TF Risk Factors Guidelines (EBA/GL/2021/02), which the CSSF incorporates as the Risk Factor Joint Guidelines under Article 4(1) of CSSF Regulation 12-02, and their later amendments, including the guidelines covering non-profit organisations (EBA/GL/2023/03) and the 2024 amendment to the Risk Factors Guidelines (EBA/GL/2024/01).

The practical instruction from this guidance is consistent. Before refusing or terminating, an institution assesses the individual case and asks whether the risk can be mitigated with proportionate measures. Those measures may include enhanced due diligence, adjusted monitoring, targeted product or service restrictions where permitted, and alternative documentation approaches where appropriate. Where the file shows the firm considered and rejected all reasonably available mitigants, exit is defensible. Where the file shows it skipped straight to exit, it is not.

There is a narrow but important counterpoint that the EBA guidance itself recognises. Some customers must not be onboarded or kept, and refusing them is not de-risking. Where the law requires it, where customer due diligence cannot be completed, or where a relationship presents risk the firm cannot manage even with enhanced measures, ending it is the correct call. The point is never that exits are forbidden. The point is that the reason has to be specific to the customer and recorded.

How simplified and enhanced due diligence fit the picture

De-risking is usually discussed as an exit problem, but it has a quieter twin at the low-risk end. The risk-based approach lets professionals apply simplified due diligence to genuinely lower-risk situations and requires enhanced due diligence for higher-risk ones. Both calibrations have to be earned. The European framework is explicit that simplified due diligence means a reduced, not absent, set of scrutiny measures, and that enhanced measures apply where particularly rigorous identification and verification are required. Applying SDD to a whole population because it is convenient is the inverse error of de-risking, and it fails for the same reason: it is a category decision standing in for an individual one.

The Luxembourg rule is precise on this. Under Article 5(2) of CSSF Regulation 12-02, a professional determines higher-risk situations by reference to the non-exhaustive list in Annex IV of the Law and any other relevant factors, and lower-risk situations by reference to Annex III, with the application of simplified measures having to be justifiable and demonstrable. The risk level is assessed before the customer is accepted and is updated through ongoing monitoring as the relationship changes. A static label set at onboarding and never revisited is not a risk-based approach; it is a snapshot pretending to be one.

For higher-risk clients, the existence of enhanced due diligence as a tool is what makes the no-blanket-exit rule workable. A client from a higher-risk jurisdiction, a complex ownership structure, or a politically exposed person is not, on those facts alone, a client to refuse. The framework even cautions, in the older EU text the Luxembourg regime descends from, that refusing a relationship simply because a person is a politically exposed person runs contrary to the letter and spirit of the rules. The expected response is proportionate enhanced scrutiny, documented, and reviewed.

What AMLR and AMLA change from July 2027

The CSSF communique points forward as well as back. The EU AML package replaces much of the directive-based regime with a directly applicable rulebook. Regulation (EU) 2024/1624, the AML Regulation or AMLR, was adopted on 31 May 2024 and published in the Official Journal on 19 June 2024. It entered into force on 9 July 2024 and applies from 10 July 2027, with a later date for certain football-sector rules. From that date, core customer due diligence obligations come from the regulation directly rather than from national transposition, which is part of why the CSSF is signalling its expectations now.

The AMLR keeps the de-risking concern at the centre. Where an obliged entity is unable to comply with customer due diligence requirements, the regulation directs it not to carry out the transaction or establish the relationship and, as a rule, to terminate an existing one. The framework also recognises situations, tied to public interest goals, where termination should not be the automatic outcome, and it provides for guidelines on these de-risking situations. AMLA now leads EU-level AML/CFT rule-making, working with the EBA where the AMLR provides for joint work. Existing EBA AML/CFT guidelines remain applicable until AMLA replaces them. Article 21(4) AMLR requires AMLA and the EBA to issue joint guidelines by 10 July 2027 on measures for compliance with AML/CFT rules when implementing the requirements of Directive 2014/92/EU, including in relation to business relationships most affected by de-risking practices. Confirm the final guideline reference when those guidelines are issued.

The supervisory architecture shifts in parallel. The AML Authority, AMLA, was established by Regulation (EU) 2024/1620, and the Sixth Anti-Money Laundering Directive, Directive (EU) 2024/1640, has a transposition deadline for Member States of 10 July 2027, with earlier dates for some provisions. AMLA will take on direct supervision of selected high-risk credit institutions, financial institutions, and groups in the EU from 2028. Which Luxembourg financial-sector groups could fall into that population is a separate question we cover in our note on AMLA direct supervision and the CSSF identification process. The reason the de-risking message matters more under this regime is simple: the file you build today is the file two supervisors may read tomorrow.

The FATF backdrop and why “proportionate” is now the test

The CSSF frames de-risking against FATF standards, in particular Recommendation 10 on customer due diligence and FATF guidance on financial inclusion. The FATF position has hardened in the direction the CSSF is pushing. In February 2025 the FATF revised Recommendation 1 and its Interpretive Note, with corresponding changes to the Interpretive Notes to Recommendations 10 and 15, to better support financial inclusion through a proportionate risk-based approach. A notable change replaced the word “commensurate” with “proportionate” throughout, defined as a measure that appropriately corresponds to the level of identified risk and effectively mitigates it, and added an explicit expectation that countries allow and encourage simplified measures in genuinely lower-risk situations.

This is the same argument the CSSF is making, one layer up. Financial inclusion and the fight against financial crime are presented as mutually supportive, not opposed. Cutting off access does not serve crime prevention if it drives activity underground. The practitioner takeaway is that “proportionate” is the standard your decisions are measured against. An exit that is disproportionate to the actual, assessed risk of the individual file is exposed under FATF logic, under the EBA guidance, and under the CSSF communique alike. For one worked example of how these standards land on a specific product area, see our coverage of FATF expectations on stablecoins and unhosted wallets.

Building a de-risking position the CSSF will accept

What does compliant practice look like in the file, not the policy manual? Start with the documented individual assessment. For any refusal or termination with an AML/CFT element, the record should show the specific risk identified, the mitigation considered, why mitigation was or was not feasible, and the decision-maker. A one-line “high risk, exited” note is the kind of entry the new framework treats as a red flag rather than a control.

Separate the two decision tracks cleanly. A commercial exit and a compliance exit are different events with different evidence trails. If a segment is being left for profitability reasons, the rationale should be commercial and consistent across the segment. If a single client is being exited for AML reasons, the rationale should be specific to that client. Mixing them, exiting a whole segment and calling it commercial when the trigger was an AML flag, is exactly what supervisors are now equipped to unpick.

Align the front line with the board’s risk appetite. Because Article 4(4) of CSSF Regulation 12-02 anchors the risk-based approach in a board-approved appetite, a high rate of de-risking in segments the board has accepted is a governance inconsistency, not just an operational one. Management information on onboarding declines and exit reasons should be visible at the right level. A pattern of “too hard, declined” decisions tells you the appetite and the capacity to apply enhanced due diligence are out of step. The Luxembourg AML/CFT enforcement record shows the CSSF will act on framework weaknesses; our review of a recent CSSF AML/CFT administrative sanction illustrates the kinds of deficiency that draw attention.

Finally, treat the move to AMLR as a reason to fix this now rather than later. The substance of the obligation does not change much when the rulebook becomes directly applicable, but the audience for your decisions widens and the guidelines on de-risking will give supervisors a sharper reference. Our explainer on what the AMLR changes in Luxembourg sets out the wider shift. The de-risking communique is best read as the CSSF telling firms which habits to clean up before that regime lands.

Frequently Asked Questions

Does the CSSF communique prohibit exiting a client for AML reasons?

No. The communique distinguishes between de-risking, which is avoiding risk by refusing or terminating relationships without an individual assessment, and a legitimate exit. Where customer due diligence cannot be completed, where the law requires refusal, or where the risk cannot be managed even with enhanced due diligence, ending the relationship is appropriate. What the CSSF objects to is the blanket exit of whole categories of clients and the undocumented exit of individuals.

What is the difference between a de-risking exit and a commercial exit?

A commercial exit is a business decision: a segment is unprofitable or no longer fits the strategy, and the firm chooses to leave it. A de-risking exit is a compliance-driven decision to avoid ML/FT risk rather than manage it. The CSSF accepts commercial exits but expects them to be genuinely commercial and consistently applied. The problem case is a compliance exit presented as a commercial one, or a commercial decision blocked because a file carries an AML flag.

Which Luxembourg rules govern the risk-based approach behind this?

The Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended, together with CSSF Regulation No 12-02 of 14 December 2012 (as amended by CSSF Regulation No 20-05) and the Grand-ducal Regulation of 1 February 2010. Article 4(4) of CSSF Regulation 12-02 requires a board-approved ML/TF risk appetite, and Article 5 governs customer risk categorisation and the use of simplified and enhanced due diligence.

What does the EBA expect instead of blanket de-risking?

The EBA Guidelines on the effective management of ML/TF risks when providing access to financial services (EBA/GL/2023/04, 31 March 2023) expect institutions to assess the individual customer and apply enhanced due diligence to higher-risk relationships rather than refusing them. The EBA Opinion on de-risking (EBA/Op/2022/01) concluded that exiting whole categories of customers without considering individual risk profiles is rarely justified.

How does the AMLR change the de-risking obligation from 2027?

Regulation (EU) 2024/1624 (AMLR) applies from 10 July 2027 and makes core customer due diligence obligations directly applicable across the EU. It directs obliged entities that cannot apply customer due diligence not to proceed with the relationship, while recognising public-interest situations where automatic termination is not expected, and it provides for guidelines addressing de-risking. Article 21(4) AMLR mandates joint guidelines from AMLA and the EBA by 10 July 2027 on de-risking measures in the context of Directive 2014/92/EU; confirm the final reference when those guidelines are issued.

Does this only apply to banks?

No. CSSF Regulation 12-02 applies to professionals supervised, authorised, or registered by the CSSF, including investment fund managers and other supervised entities, as well as Luxembourg branches of foreign professionals notified to the CSSF. The de-risking expectations follow the AML/CFT framework, so any obliged entity making onboarding and exit decisions is in scope, not only credit institutions.

What records should support a de-risking decision?

For any refusal or termination with an AML/CFT element, keep a record of the specific risk identified, the mitigation considered, why it was or was not feasible, and who decided. The decision should tie back to the individual customer’s risk assessment, not to the category the customer belongs to. Under the new framework, an undocumented exit is treated as a flagged event rather than a neutral one.

Key Takeaways

  • The CSSF communique of 16 June 2026 expects professionals to manage ML/FT risk effectively, not to avoid it by refusing or terminating whole categories of clients.
  • A blanket exclusion of a client category is de-risking; a genuinely commercial exit of an unprofitable segment is not. The two motivations must be separable in your records.
  • The decisive test is an individual, documented assessment: the specific risk, the mitigation considered, and why exit was or was not the only option.
  • The legal basis is the Law of 12 November 2004, CSSF Regulation No 12-02 (as amended by 20-05), and the Grand-ducal Regulation of 1 February 2010, with a board-approved risk appetite under Article 4(4).
  • EU law treats de-risking as a weakness in the framework: Directive (EU) 2024/1640 records that avoidance pushes risk into channels supervisors cannot see.
  • The EBA expects enhanced due diligence for higher-risk clients rather than exit, per EBA/GL/2023/04 and EBA/Op/2022/01.
  • From 10 July 2027 the AMLR (Regulation (EU) 2024/1624) makes customer due diligence directly applicable, and Article 21(4) AMLR mandates AMLA and EBA joint guidelines on de-risking measures by that date.
  • Simplified due diligence applied to a whole population is the inverse error of de-risking; in Luxembourg its use must be justifiable and demonstrable.

De-risking is a file problem before it is a policy problem

The CSSF communique does not ask Luxembourg firms to bank everyone. It asks them to decide each case on its facts and to keep the evidence. A clean policy that says “we manage risk, we do not avoid it” counts for nothing if the underlying files show category-level exits with one-line rationales. The work is at the level of the individual decision: the assessment, the mitigation attempted, the reason recorded. Get that right and an exit is defensible to one supervisor today and to two from 2027. Get it wrong and the convenient closure becomes the finding.
