Luxembourg’s Financial Sector Supervisory Commission (CSSF) underscored its dedication to maintaining the integrity of the country’s financial sector by implementing rigorous supervisory measures across various risk domains, including anti-money laundering, counter financing of terrorism, credit risk and digital transformation, highlighted the regulator in its 2023 annual report, on 19 September 2024.
In its role of microprudential supervision, the CSSF maintained oversight of 47 less significant banks and credit institutions incorporated under Luxembourg law, along with 13 branches of non-EU banks and institutions. This prudential supervision encompassed the oversight of solvency, liquidity and internal governance.
For 2023, the CSSF’s supervisory priorities included various risk areas, with a particular focus on compliance, operational risks, credit risks and risks associated with climate change.
Money laundering and terrorist financing risks
The CSSF found that money laundering and terrorist financing (ML/TF) posed inherent risks to international financial centres like Luxembourg. The involvement of banks in wealth management activities with international clients particularly heightened exposure to these risks. The CSSF noted significant progress in managing these risks over recent years, demonstrated by increased staffing and system improvements aimed at combating ML/TF effectively. In 2023, the CSSF continued its preventative efforts through targeted communications and control measures, executing annual AML/CFT control plans and both off-site and on-site inspections. Consistent with prior years, the CSSF imposed administrative fines on banks that failed to comply with AML/CFT obligations.
Read also
Operational risks and digital transformation
Regarding operational risks, the CSSF stated that banks engaged in wealth and asset management, such as depositary banks and private banks, primarily focused on the custody and management of clients’ financial assets. The associated risks were predominantly operational, including ML/TF risk, IT risk, cyber risk, resilience risk (business continuity) and risks related to the use of sub-depositary institutions and outsourcing.
The CSSF noted that increasing digitalisation and the introduction of technologies like distributed ledger technology (DLT), digital payments and cryptocurrencies presented new strategic and operational challenges. In 2023, the regualtor enhanced its understanding of banks’ digital transformation initiatives and associated IT risks through monitoring cyber incidents.
Credit risk supervision
The CSSF observed that tightening financial conditions, particularly during periods of rising interest rates, typically led to a deterioration in asset quality. Throughout 2023, the CSSF closely supervised credit risk development and banks’ actions regarding credit-granting standards, monitoring outstanding debts, and ensuring adequate provisioning. The CSSF found that levels of non-performing loans and banks’ exposure to credit risk remained limited.
Climate-related risk management
Following the issuance of CSSF circular 21/773 in June 2021, which addressed the management of climate-related and environmental risks, the CSSF initiated its first dedicated supervisory activities in this area in 2023. The CSSF requested a sample of 15 banks, including less significant banks and branches of non-EU banks under its direct supervision, to conduct self-assessments of compliance with circular 21/773.
This exercise aimed to evaluate the alignment of the banking sector with the CSSF’s expectations as outlined in the circular. The CSSF provided individual recommendations to participating banks and communicated overall feedback to the banking community. In the latter half of 2023, the self-assessment was repeated with a new sample of 14 banks.
Supervisory review and evaluation
Since 2015, a common Supervisory Review and Evaluation Process (SREP) methodology had been applied to less significant institutions (LSIs), based on the European Banking Authority guidelines
and the methodology used for significant institutions (SIs) by the European Central Bank, while considering the principle of proportionality. The SREP is typically conducted annually, relying on a comprehensive range of quantitative and qualitative information sources, including prudential reporting, internal reports from banks, on-site inspection reports, the Internal Capital Adequacy Assessment Process (ICAAP), the Internal Liquidity Adequacy Assessment Process (ILAAP) and various stress tests. The SREP was proportionately applied to credit institutions, accounting for the nature, scale, and complexity of their activities and risks.
Capital requirements
For all LSIs, the average combined capital requirements under Pillar 1 (P1) and Pillar 2 (P2R), alongside capital buffers, totalled 12.92%, an increase from 12.25% in 2022. Along with interventions to ensure sufficient capital levels, the CSSF implemented several qualitative supervisory measures in 2023, focusing on strategic planning. These measures included imposing restrictions on certain activities, enhancing liquidity risk and interest rate risk management in the banking book, and strengthening internal governance frameworks and AML/CFT frameworks.
Administrative fines and sanctions
In 2023, the CSSF imposed a total of €2,436,420.50 in fines. This total included two significant penalties on banks amounting to and , as well as a fine of levied against a shareholder of a bank.
Additionally, the CSSF imposed three fines on investment firms, totalling €965,100. That included fines of and on two specialised professionals of the financial sector (PFS), along with a fine of €16,000 imposed on a support PFS.