Luxembourg is a major European banking and wealth management centre. As a recognised EU hub for fintech companies, banks, asset managers and insurance companies, Luxembourg has a highly developed financial services ecosystem. Since 2007, when the fintech pioneer PayPal received a full banking licence in Luxembourg, the country has seen robust development over the past few years and has now become home to over 200 fintechs.
Impact of Global Trends
The development of the fintech market in Luxembourg has recently been influenced by global trends, namely the COVID-19 pandemic and the UK’s withdrawal from the EU (“Brexit”).
With regard to the global health crisis caused by the COVID-19 pandemic, financial technology played a significant role in the financial sector’s immediate responses to the crisis, through eg, enabling remote working and the shift from physical cash to digital and contactless payment methods. Furthermore, the crisis has highlighted the opportunities presented for banks in areas such as cloud outsourcing. Although the pandemic seems to be slowly easing, the technological tools designed to fight the pandemic continue to be used.
In addition, Brexit has increased the fintech activities located in Luxembourg. Following the loss of the possibility for UK-based companies to passport their activities within the EU, many operators have chosen to relocate or expand their operations in Luxembourg in order to access the European market and to benefit from the EU passport authorisation.
Impact of Legislative Developments
With approximately a quarter of Luxembourg's economy depending on financial services, the significance of the financial sector also results in the development of financial regulation being an important policy consideration for the Luxembourg legislator. The Luxembourg legislator’s positive take on digital development has led to recent national legislative initiatives relating to the use of digital innovations in the financial sector.
By way of example, the Luxembourg legislator has recently passed a law allowing for the issuance of dematerialised securities using distributed ledger technologies, as further described under 12.4 Regulation of “Issuers” of Blockchain Assets. In addition, development around security tokens has also led the Luxembourg Stock Exchange to admit security tokens on its Securities Official List in 2022, which underlines its strong commitment to modernising capital markets (see 12.1 Use of Blockchain in the Financial Services Industry).
Developments by the Luxembourg Regulator
In line with the positioning of Luxembourg as a fintech hub, the financial sector supervisory commission (Commission de Surveillance du Secteur Financier; CSSF) has recently created an Innovation Hub in order to face the challenges of technological innovation in the financial sector (see 2.5 Regulatory Sandbox for further information). In addition, the CSSF has emphasised that it applies a principle of technology neutrality, and has recently published guidance on several different technologies related to specific areas of fintech, such as virtual assets, artificial intelligence, robo-advice and distributed ledger technologies to provide further clarity to the market.
Upcoming Changes in EU Legislation
As further elaborated in this chapter, many topics relating to virtual assets and recently developed financial technologies are not explicitly covered by the existing financial services regulation. Further legislative changes to clarify the regulatory framework are expected to be adopted on the EU level once the digital finance package introduced by the European Commission in 2020 is adopted. Among others, the legislative proposals include a regulation on markets in crypto-assets and a regulation on digital operational resilience.
In addition, although virtual assets have already been covered by the most recent EU anti-money laundering directive (see 12.3 Classification of Blockchain Assets), a proposal for a new anti-money laundering (AML) directive was introduced in 2021. The aim of this directive is, among others, to align the scope of AML rules with the activities that will be covered by the proposed regulation on markets in crypto-assets and notably exchanges of one crypto-asset for another. The proposal also includes an obligation for all crypto-asset service providers involved in crypto-asset transfers to collect and make accessible data on the originators and beneficiaries of the transfers they operate.
Fintech companies in Luxembourg cover a variety of business models, including payments, big data and AI, insurtech, cybersecurity and authentication, fundtech, regtech, lending and blockchain. Especially in the e-payment and e-commerce sectors, Luxembourg is home to leading industry players such as Amazon, PayPal, Airbnb and Rakuten, which are licensed and supervised by the CSSF as banks, payment service institutions, e-money institutions or virtual asset service providers, as the case may be.
Furthermore, a significant number of fintech companies in Luxembourg provide services for the compliance and regulatory needs of the financial sector. These services range from know-your-customer obligations, data management and fraud detection to fund reporting, digital investment services and investor information tools. Luxembourg-based fintechs, such as HQLAx and FundsDLT, are also active in the development of blockchain-based market infrastructures.
Although legacy players, such as banks and insurance companies, initially tended to be seen as rivals of fintechs, today, there is a strong collaboration with fintechs within the Luxembourg banking sector. Fintechs working with legacy players offer them a wide variety of services, including data analytics, asset management and open banking. By way of example, following EU legislative developments on payment services, several Luxembourg retail banks formed the fintech company LUXHUB in 2018, an entity which has since become a leading European open banking platform and was recently listed as a RegTech100 company.
The regulatory regime applicable to fintech players depends on the business model and activities of the company. The following outlines the main legislation applicable to typical fintech activities provided by entities incorporated in Luxembourg; however, applicable regulations should be assessed on a case-by-case basis.
Most of the aforementioned legislation is accompanied by several technical standards, regulations, circulars and guidance issued by the competent authority, which should also be taken into account. In addition, each of the activities above may be subject to, among others, anti-money laundering regulations (see 2.13 Impact of AML Rules) and data protection regulations (see 2.10 Implications of Additional, Non-financial Services Regulations).
The compensation models that industry participants are allowed to use to charge customers vary mainly depending on the service provided by the fintech entity and the relevant customer type. Disclosure obligations relating to fees vary depending on the same factors. Typically, regulated entities, such as investment firms, are subject to certain precontractual obligations, which include the obligation to disclose costs charged by the service provider.
As a general rule, there is no difference between the regulation of fintech companies and legacy players, as long as the services they provide fall under the scope of regulated activities. However, given the size and business model of fintech companies, certain rules applicable to legacy players would typically not apply to fintech companies. In addition, in some cases the applicable regulations depend directly on the scale of the business, for example the EU crowdfunding regulation provides certain regulatory exemptions as long as the yearly funding remains under the threshold of EUR5 million.
There is currently no regulatory sandbox regime in Luxembourg. However, the CSSF has established an innovation hub, which aims to promote a constructive and open dialogue with the fintech industry to, among others, enable concrete realisation of financial innovation projects. The innovation hub constitutes a single point of contact for any person who wishes to present an innovative project or to exchange views on challenges faced in relation to financial innovation in Luxembourg.
Fintech companies may be supervised by several regulators in Luxembourg, of which the following are the most relevant.
The CSSF
The Financial Sector Supervisory Commission (Commission de Surveillance du Secteur Financier; CSSF) is the competent authority for the prudential supervision of credit institutions, professionals of the financial sector, alternative investment fund managers, undertakings for collective investment, authorised securitisation undertakings, regulated markets, payment institutions, electronic money institutions and other entities operating in the financial sector. In addition, the CSSF is also the competent authority to ensure that such supervised entities comply with the laws protecting financial consumers.
The CAA
The Insurance Commissioner (Commissariat aux Assurances; CAA) is the competent supervisory authority for the insurance sector in Luxembourg, which includes mainly insurance undertakings, reinsurance undertakings, certain pension funds, insurance professionals and insurance intermediaries.
The CNDP
The National Commission for Data Protection (Commission Nationale pour la Protection des Données; CNDP) is the national authority to verify the legality of the processing of personal data and ensures the respect of personal freedoms and fundamental rights with regard to data protection and privacy. The CNDP is the supervisory authority for Regulation (EU) 2016/679 on data protection (GDPR).
European Regulators
In addition to national regulators, technical guidelines issued by the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) apply in Luxembourg. Significant credit institutions incorporated in Luxembourg are directly supervised by the European Central Bank (ECB).
Authorised financial institutions may outsource their activities subject to certain restrictions. Most importantly, strategic or core functions cannot be outsourced, and the institution needs to retain the necessary expertise to efficiently monitor such services and to manage the associated risks. The detailed guidance outlined in the EBA Guidelines on outsourcing and the CSSF Circulars 15/552, 17/654 and 17/656, as amended, should also be considered. The outsourcing of a material activity remains subject to prior authorisation from the CSSF; where such activity is outsourced to an entity licensed as a support professional of the financial sector, only a notification to the CSSF is required. The rules governing the outsourcing of a material IT activity have recently been eased from authorisation to a requirement of prior notification followed by a risk-based treatment of such notifications by the CSSF.
Due to the need to ensure the continuity of outsourced activities, certain provisions must be included in the relevant contracts. Among others, outsourcing agreements must provide for a notice of termination within a sufficient time period, and shall not include any termination clauses in case of resolution actions or reorganisation measures or a winding-up procedure applied to the financial institution. In addition, specific contractual clauses are required in case an outsourced IT activity relies on a cloud computing infrastructure.
Laws applicable to outsourcing vary depending on whether or not the service provider is a supervised entity. By way of example, rules relating to the obligation of professional secrecy in outsourcing depend on whether the service provider is established in Luxembourg and supervised by the CSSF, the ECB or the CAA.
The extent to which fintech providers may be deemed to be “gatekeepers” depends on the business model of the company. In general, fintech entities may be deemed liable for activities on their platform in relation to anti-money laundering obligations, in case the activities are within the scope of the AML Law. In addition, gatekeeper liability may come into question in case the fintech entity is involved in a transaction that falls under the scope of Directive (EU) 2018/822 on mandatory automatic exchange of information (DAC 6) as a reportable cross-border transaction.
The CSSF as the supervisory authority has broad powers to impose sanctions on entities subject to its supervision. By way of example, in the context of anti-money laundering and counter terrorist financing (AML/CTF) supervision, the CSSF may issue warnings, reprimands, administrative fines or occupational prohibitions, and these sanctions are typically made public.
With regard to administrative fines, the CSSF has recently mainly imposed fines regarding failures to comply with anti-money laundering and financial market rules. Although significant fines are rare, in 2020 the CSSF imposed a fine of EUR4.6 million on a Luxembourgish bank due to non-compliance with the applicable AML/CTF legislation. The amount of the fine is proportional to the turnover of the bank.
In addition to imposing administrative fines, the CSSF may also report cases to the prosecutor’s office regarding investment firms which claim to be established in Luxembourg and offer investment services without authorisation. These reports have become more frequent in recent years, and the rise in these cases can be mainly attributed to the emergence of fake websites meant to mislead investors.
In addition to enforcement actions by the CSSF, fintech companies may be subject to enforcement actions by the CNDP for non-compliance with the applicable data-protection rules.
Data Protection and Privacy
The GDPR together with the Luxembourg Law of 1 August 2018 regulate the processing of personal data, and such rules apply regardless of the industry sector or whether the relevant entity is a legacy player or a newly established start-up. In addition to the general rules governing the processing of personal data, the rules relating to privacy by design and privacy by default as well as automated decision-making and profiling may be particularly relevant for fintech companies.
Cybersecurity
Management of risks relating to information and communication technologies is an essential part of the necessary risk management by financial institutions. The CSSF has recently implemented the guidelines adopted by the EBA on ICT and security risk management, which need to be complied with by all entities authorised under the Financial Sector Law and the Payment Services Law in order for such entities to manage their ICT and security risks.
In addition, specific requirements apply to entities deemed as operators of essential services in accordance with Directive (EU) 2016/1148, as transposed into national legislation by the Law of 28 May 2019. Certain entities of the financial sector, such as banks, may need to take specific measures to manage the security risks, in case their services are deemed by the CSSF to be essential to the maintenance of critical economic activities, dependent on networks and information systems, and on which an incident would have a significant disruptive effect.
Further legislative changes are expected in the sector of cybersecurity. As part of the digital finance package, the European Commission introduced a proposal for a regulation on digital operational resilience for the financial sector, whereby the Commission proposes that all entities must ensure they can withstand ICT-related disruptions and threats. In particular, fintechs will need to adhere to strict standards to prevent and limit the impact of ICT-related incidents. The proposal also provides an oversight framework on service providers (such as Big Techs) which provide cloud computing to financial institutions.
Marketing on Social Media
With regard to content relating to eg, investment advice or marketing of financial products published or broadcast through any social media platform, the same rules apply to such information regardless of the manner in which it is distributed.
While the main review of the financial sector participants is conducted by the regulator, auditors are typically appointed by industry participants to review their business activities. Furthermore, certain regulated entities, eg, banks, must set up internal risk control, compliance and internal audit functions.
In principle, there is no prohibition on regulated entities combining regulated and unregulated products. In certain cases, however, the regulator must be informed of the activities provided, and it may then assess in more detail the compatibility of these services and products. By way of example, with regard to services and products relating to virtual assets, the CSSF has recently published FAQs outlining its position on the possibility of banks to open accounts in virtual assets. According to the CSSF, banks may open accounts, comparable to securities accounts, that allow customers to deposit virtual assets, while they cannot open bank accounts (eg, current accounts) in virtual assets.
In accordance with the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended, (the “AML Law”), which transposes, among others, Directive (EU) 2015/849 into national law, fintech companies that qualify as professionals under the AML Law are required to comply with several professional obligations. The AML Law applies eg, to banks, financial institutions, virtual asset service providers, payment institutions and electronic money institutions.
In particular, these entities are required to comply with customer due diligence obligations, adequate internal management requirements and co-operation requirements with the authorities. The CSSF is required to ensure that all the persons subject to its supervision, authorisation or registration comply with the professional AML/CTF obligations and implement a risk-based approach in order to allocate appropriate resources and means to those products and customers that represent higher risks of money laundering and terrorist financing. Accordingly, the CSSF has broad sanctioning powers, as discussed under 2.9 Significant Enforcement Actions.
While there are no regulatory requirements in Luxembourg tailored specifically to services provided by robo-advisers, providing digital or automated services is subject to the same regulatory requirements as apply to non-automated financial advisers. Depending on the business model of the robo-adviser, specific licences will be required in accordance with the Financial Sector Law, which implements the relevant provisions of MiFID II into national law.
By way of example, in case automated technology is used to provide personal recommendations to a client in respect of transactions relating to financial instruments, such service provider will need to be authorised by the CSSF as an investment adviser, or, in case services provided by a robo-adviser qualify as management of portfolios in accordance with the client’s mandates on a discretionary client-by-client basis, the service provider will need to be authorised as a private portfolio manager.
In some cases, legacy players are implementing solutions introduced by robo-advisers. The Luxembourgish bank Banque et Caisse d’Epargne de l’Etat (BCEE) was the first retail bank in Luxembourg to launch a robo-advisor service called SpeedInvest in 2017, which helps allocate the investment into certain funds. Since then, other banks, eg, Keytrade Bank Luxembourg, have also introduced investment services based on automated tools.
The same rules apply to robo-advisers and traditional advisers, see 7.7 Issues Relating to Best Execution of Customer Trades for further details.
With regard to regulation on online lenders, the main difference relates to whether the borrower is a consumer or not. Luxembourg legislation on lending in a professional or commercial context does not in principle separate different categories of legal entities based on eg, the size of the business or the sector in which the borrower operates.
Loans to Consumers
Specific mandatory rules apply to credit agreements between a consumer and a lender acting in the context of any business activity. Lenders providing consumer credit need to be licensed either by the CSSF or in accordance with the Law of 2 September 2011 relating to the establishment of certain businesses and business licences. According to the Luxembourg Consumer Code, provisions on consumer credit apply to agreements, pursuant to which the creditor grants consumer credit in the form of a deferred payment, loan or other similar financial accommodation, if, among others, the total amount of the credit is not more than EUR75,000 or less than EUR200. Specific obligations apply to the contractual relationship, which relate namely to the precontractual information, assessment of the consumer’s creditworthiness, content of the agreement, right of withdrawal and right of early repayment of the credit. In addition, similar obligations apply to mortgage credit agreements, ie, agreements where a creditor grants a credit to a borrower in view of the acquisition of a residential immovable property.
Loans in a Professional Context
The legal framework applicable to non-consumer loans includes fewer mandatory provisions, as general principles of contract law apply to the loan agreements. However, providing lending activities even in a professional context is in principle a regulated activity. According to the Financial Sector Law, professionals performing lending operations, ie, professionals engaging in the business of granting loans to the public for their own account, are subject to the authorisation by the CSSF.
The underwriting process used by industry participants typically varies depending on the type of borrower and the type of credit. Specific regulatory requirements apply, namely in relation to AML/CTF obligations and consumer protection.
Obligations Relating to AML/CTF
All professionals operating in the financial sector typically need to comply with obligations relating to AML/CTF, as further elaborated under 2.13 Impact of AML Rules. In particular, the AML Law requires professionals to establish a customer acceptance policy adapted to their activities and to apply customer due diligence measures when establishing a business relationship. These KYC obligations include identifying the customer’s and the customer’s ultimate beneficial owner’s identities and verifying these on the basis of information obtained from reliable and independent sources. Under certain circumstances, the identification/verification of a natural person’s identity may be conducted through an online video conference.
Specific Obligations Relating to Consumer Lending
In case the loan is qualified as a consumer credit agreement (see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities), the lender must adhere to certain precontractual obligations. Prior to entering into a consumer credit agreement, the lender must provide the consumer with the necessary information to compare the different consumer credit proposals in order to make an informed decision, which is provided by using a standard European consumer credit information form. In addition, the lender must assess the consumer’s creditworthiness on the basis of sufficient information. For this assessment, the consumer must provide all necessary information, including current financial commitments and income. Lastly, consumer credit agreements must be drawn up on paper or other durable medium, and each party must be provided with a signed copy of the agreement.
Loans may be funded from a variety of different sources, and depending on the source of funds, different licensing requirements apply. Only entities authorised as credit institutions may receive deposits or other receivables from the public and grant credits for their own account. Other alternative sources of funds for loans include securitisation and crowdfunding.
Securitisation
Luxembourg is one of the leading European centres for securitisation with a comprehensive and market-friendly legal framework. Although securitisation vehicles are exempt from the requirement to be authorised as professionals performing lending operations, authorisation by the CSSF is required if the securitisation vehicle issues financial instruments to the public on a continuous basis.
Crowdfunding
Loans funded through lending-based crowdfunding platforms benefit from the newly established legal framework. The EU Crowdfunding Regulation, which has been applicable since 10 November 2021, provides a harmonised EU framework for crowdfunding services provided to non-consumer project owners relating to offers for an amount of up to EUR5 million calculated over a period of 12 months per project owner. The provision of crowdfunding services is subject to a licence and prudential supervision by the CSSF.
Syndication of online loans provided by fintech companies is currently not market practice in Luxembourg. Loan syndication is typically used to finance larger loans, in the context of financing larger-scale projects such as company takeovers, large property projects or significant investment projects. These extensive and complex financings typically involve legacy players.
Payment processors may, in principle, either use existing payment rails or alternatively create their own payment rails. However, in the latter case specific licensing requirements apply.
Luxembourg is part of the single euro payments area (SEPA), which aims to create a single euro payments area in which all scriptural payments are considered as domestic, ie, without any distinction between national and cross-border payments. With regard to large-value transactions, these are processed through the TARGET-2 system, which settles cross-border payments in euro in real time.
Luxembourg investment funds can be structured as undertakings for collective investments in transferable securities (UCITS) or as alternative investment funds (AIF). Different regulation applies to UCITS and AIF. The administration of UCITS is regulated by the first part of the Luxembourg Law of 17 December 2010 on undertakings for collective investment (the “UCI Law”), while the managers of AIF (AIFM) are regulated by the Luxembourg Law of 12 July 2013 on alternative investment fund managers (the “AIF Law”), transposing the alternative investment fund managers Directive 2011/61/EU (AIFMD) into national law.
Administrators of UCITS and AIFM are typically regulated and subject to licence by and supervision of the CSSF or other EU regulators (provided that the administration is in any case carried out from Luxembourg). Certain exemptions apply for AIFM which benefit from an exemption under the AIFMD, for example in case of smaller assets under management.
Certain administrative services (eg, accounting, bookkeeping) can be delegated to an entity licensed as support professional of the financial sector (“support PFS”) in accordance with the Financial Sector Law. Administrative services qualifying as depositary services must be performed by a depositary bank, regulated in accordance with the Financial Sector Law.
Any administrative activity which is performed by third parties, being administration or depositary services, has to be supervised and monitored by the board of the UCITS or AIFM, which ultimately bears responsibility for these activities.
Depending on the administrative services provided, the agreements should describe the specific services in sufficient detail and include provisions on, among others, timing, service levels, standards, service provider’s liability and flow of information, as set out in the UCI Law, the AIFMD Law and the relevant CSSF circulars and EU delegated regulation.
In case of licensed UCITS and AIF, draft agreements relating to administrative services need to be provided to the CSSF in advance, during the approval process.
In accordance with MiFIR/MiFID II rules, as transposed into national law, trading venues in Luxembourg can be divided into three categories: regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs). Operators of a regulated market, an MTF or an OTF are subject to the authorisation and supervision of the CSSF. Authorisation to operate an MTF and an OTF can also be granted to investment firms. Currently, the only entity authorised to operate the business of a trading venue in Luxembourg is Société de la Bourse de Luxembourg, which operates the regulated market named Bourse de Luxembourg and an MTF named Euro MTF. There are currently no OTFs based in Luxembourg.
In general, the regulatory regime relating to trading is the same for all asset classes. However, specific rules on transparency and trading are slightly different for equity and debt instruments. In addition, specific rules apply with regard to crypto-assets as further elaborated under 12.5 Regulation of Blockchain Asset Trading Platforms.
The emergence of cryptocurrency exchanges has not yet significantly impacted regulation. Following the implementation of the fifth anti-money laundering directive, virtual asset service providers have been required to register with the CSSF. However, further regulatory changes are expected due to the proposed EU regulation on markets in crypto-assets, as the current proposal by the European Commission includes a prudential regime relating to cryptocurrency exchanges.
The emergence of cryptocurrency exchanges and the growth of the sector around virtual assets has also prompted the CSSF to issue FAQs on virtual assets to guide credit institutions and undertakings for collective investment on its position regarding the possibility of these entities to engage in activities involving virtual assets. By way of example, UCITS, UCIs addressing non-professional customers and pension funds are not allowed to invest directly or indirectly in virtual assets, including virtual currencies.
Listing standards vary depending on the relevant trading venue and the type of financial instrument. In accordance with the Law of 30 May 2018, as amended, regulated markets shall have clear and transparent rules regarding the admission to trading of financial instruments. For listing on the Luxembourg regulated market, issuers must publish a prospectus prepared in accordance with the Prospectus Regulation that has been reviewed and approved by the CSSF. Alternatively, the prospectus may be approved by a competent authority of another EU member state and passported to Luxembourg. For listing on the Euro MTF in Luxembourg, the prospectus must be approved by the Luxembourg Stock Exchange.
Following the listing and admission to trading on either trading venue, issuers must regularly disclose regulated information concerning their business and the listed security.
In accordance with the MiFID II/MiFIR framework, the Financial Sector Law requires that investment firms and credit institutions that are authorised to execute orders on behalf of their clients must implement procedures and arrangements which provide for the prompt, fair and expeditious execution of client orders, relative to other client orders or their own trading interests. Otherwise, comparable client orders must be executed in accordance with the time of their reception.
There are currently no peer-to-peer trading platforms located in Luxembourg. The regulator has so far not provided specific guidance on the regulatory environment applicable to them, and whether specific rules on eg, AML and loan origination apply should be checked on a case-by-case basis.
In accordance with the rules on best execution provided by the MiFID II framework, the Financial Sector Law requires investment firms and credit institutions to take sufficient steps when executing orders to obtain the best possible result for their clients. This includes taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order. However, in case the customer has given specific instructions, the order must be executed following such specific instructions.
The MiFID II legal framework, as transposed into Luxembourg law, in principle prohibits any firm that routes client orders to a particular trading venue or execution venue from receiving any remuneration, discount or non-monetary benefit which would infringe the requirements on conflicts of interest or inducements. In practice and as clarified by guidance issued by ESMA, payments for order flows between brokers and market makers are in general not permitted.
Fees, commissions or non-monetary benefits from a third party may only be accepted in case such benefit is designed to enhance the quality of the relevant service to the client and does not impair the service provider’s duty to act honestly, fairly and professionally in accordance with the best interest of its clients. In addition, the benefits received must be clearly disclosed to the client before providing the relevant service.
The basic legal framework to preserve market integrity is laid out in the Regulation (EU) No 596/2014 on market abuse (the “Market Abuse Regulation”), which is directly applicable in Luxembourg.
The Market Abuse Regulation, together with the related legal framework, imposes rules against market abuse, which consists of unlawful behaviour in the financial markets. These rules include dealing, disclosure and recommending/inducing prohibitions on persons in possession of inside information, ongoing issuer disclosure obligations and prohibition on market manipulation. The CSSF is the competent authority in Luxembourg for the purposes of the Market Abuse Regulation and has the supervisory and investigatory powers to ensure that the provisions of the Market Abuse Regulation are applied in Luxembourg. Non-compliance may lead to administrative sanctions or criminal liability.
The rules applicable in Luxembourg for the creation and usage of high-frequency and algorithmic trading have been implemented in the Law of 30 May 2018 on markets in financial instruments in line with MiFID II. No difference is made between different asset classes and the rules relating to algorithmic trading apply to trading of all financial instruments.
Investment firms, credit institutions and certain other entities incorporated under Luxembourg law that engage in algorithmic trading must have effective systems and risk controls in place that ensure, among others, that the trading systems:
In addition, such systems need to be fully tested and properly monitored, and effective business continuity arrangements need to be in place to deal with any failure of the systems. Engagement in algorithmic trading needs to be notified to the CSSF.
Specific requirements apply in accordance with the MiFID II legal framework in case the entity engaging in algorithmic trading is pursuing a market-making strategy. An entity is considered to pursue a market-making strategy when, dealing on its own account as a member or participant of a trading venue, its strategy involves posting firm, simultaneous two-way quotes of comparable size and at competitive prices relating to one or more financial instruments on a single trading venue or across different trading venues, with the result of providing liquidity on a regular and frequent basis to the overall market. These requirements include entering into a binding market-making agreement with the trading venue and carrying out the market making continuously during a specific proportion of the trading hours.
The applicable regulations do not distinguish between funds and dealers engaged in high-frequency or algorithmic trading.
Programmers who develop and create trading algorithms are not directly regulated; however, the investment firm using such trading algorithms or other electronic trading tools must ensure that the trading tools it uses comply with the regulatory requirements, as set out in 8.1 Creation and Usage Regulations. An investment firm that outsources or procures software or hardware used in algorithmic trading activities remains fully responsible for its legal obligations relating to algorithmic trading.
In case a financial research platform conducts investment research and financial analysis or other forms of general recommendation relating to transactions in financial instruments, under the currently applicable MiFID II legal framework, such services are considered as ancillary services. Consequently, an entity which engages solely in investment research is not subject to the regulatory regime or subject to registration.
The Market Abuse Regulation prohibits the dissemination of information, including rumours, which is likely to give false or misleading information on eg, the price of a financial instrument in the media, including the internet or by any other means. Any person engaging in such form of market manipulation may face administrative or criminal sanctions.
There are no specific rules in Luxembourg directed at the conversation curation of financial research platforms. With regard to dissemination of inside information and activities qualifying as market manipulation, the provisions of the Market Abuse Regulation apply (see 9.2 Regulation of Unverified Information).
Insurance underwriting is a licensed activity in Luxembourg, governed by the Law of 7 December 2015 on the insurance sector, as amended. Insurance contracts are subject to the regulatory requirements laid out in the Law of 27 July 1997 on the insurance contract, as amended, eg, providing certain precontractual information.
The main types of insurance in Luxembourg are life insurance and non-life insurance, which are governed by separate legal provisions as outlined in the Law of 7 December 2015 on the insurance sector, as amended. Life insurance contracts under the Luxembourg legal framework provide an important part of Luxembourg’s wealth management offering. In addition, the Consumer Code applies to insurance contracts concluded with consumers, unless specific provisions of the Law of 27 July 1997 on the insurance contract, as amended, state otherwise.
Regtech providers are not directly regulated in Luxembourg. However, they might fall under the scope of the existing financial services regulation depending on their activities. In case regtech companies provide services for the regulated financial services entities, a regtech entity may need to be licensed as a support professional of the financial sector (“support PFS”) in accordance with the Financial Sector Law. Relevant support PFS licences that may be required for regtech providers include authorisation to act as client communication agent, administrative agent, primary IT systems operator or secondary IT systems and communication networks operator. Regtech entities providing merely technical solutions would typically not fall under the scope of these licence requirements.
There are no specific contractual terms dictated by regulation that financial service firms would need to impose on regtech service providers. In addition to terms following general industry practice, if the service provided falls under the scope of outsourcing, specific contractual requirements apply as further explained under 2.7 Outsourcing of Regulated Functions.
Blockchain-based products and solutions are increasingly used among traditional players of the financial services industry in Luxembourg. By way of example, starting from January 2022, the Luxembourg Stock Exchange admits security tokens to be registered onto the Securities Official List (SOL), which marks an important step towards making distributed ledger technology (DLT) securities mainstream. However, due to the current regulatory framework applicable in the EU, security tokens cannot be admitted to trading on a regulated market or MTF.
The CSSF has recently published a non-binding document in the form of a white paper, which aims at guiding interested professionals in the conduct of their due diligence process related to the DLT and its use in the provision of services in the financial sector. The purpose of the white paper is to ensure that risks and advantages entailed in the use of such technologies are appropriately taken into consideration, without providing a positive or negative assessment on the DLT. The white paper emphasises the main risks related to the DLT, both in terms of governance and technical risks, by proposing key questions and recommendations that should be considered by market participants when performing their risk analysis and due diligence processes.
Further legislative developments regarding the use of blockchain may be expected once the European Commission’s ambitious digital finance package is adopted. This legislative package includes, among other proposals, a pilot regime for market infrastructures based on DLT.
There is currently no general legal framework or single legal definition of blockchain assets. In addition, there are several related terms often used in this context, eg, the Luxembourg regulator does not use the term "blockchain assets", but uses the term "virtual assets", while the ESMA often refers to crypto-assets. Regardless of the terminology used, not all blockchain, virtual or crypto-assets are considered a form of regulated financial instruments.
In 2020, the Luxembourg AML Law was amended, in accordance with the fifth EU anti-money laundering directive (2018/843/EU), by introducing the obligation of virtual asset service providers to register with the CSSF and to comply with certain AML/CTF obligations. In this context, virtual assets mean a digital representation of value, including virtual currencies, that can be digitally traded, or transferred, and can be used for payment or investment purposes, however excluding virtual assets that fulfil the conditions of electronic money, as defined in the Payment Services Law, and virtual assets that fulfil the conditions of financial instruments, as defined in the Financial Sector Law.
In addition, the CSSF has recently published FAQs on virtual assets, which provide guidance on virtual assets for undertakings for collective investments and credit institutions. With regard to the classification of virtual assets, the CSSF emphasised that although all tokens constitute a digital representation of value that is provided by a technology using DLT and cryptography, the tokens come with a variety of rights. The intrinsic characteristics and functions of the token determine the risks and whether or not it is possible for a professional of the financial sector to get involved in them, and accordingly, the type of virtual assets targeted by the FAQs varies depending on the question. However, the FAQs do not provide comprehensive guidance on when virtual assets would qualify as financial instruments in accordance with the Financial Sector Law, which still remains debatable.
The upcoming European regulation on markets in crypto-assets is expected to provide further clarity and a regulatory regime for certain virtual assets, which until now have fallen outside of the scope of existing legislation.
In 2019, Luxembourg passed a new law which permits the use of blockchain/DLT for the holding and managing of securities accounts. This legal basis that deemed the use of DLT and blockchain technologies equivalent to other secured electronic recording mechanisms for the transmission of securities was supplemented in 2021 by allowing these technologies also to be used for the issuance of dematerialised securities. However, these securities issuance accounts relating to securities admitted to trading on a regulated market or an MTF can be held only with a settlement organisation.
In addition, depending on the nature of the financial instrument, the issuer may be subject to:
The regulation of blockchain asset trading platforms depends on the regulatory status of the blockchain assets traded on the platform. For instruments that do not qualify as financial instruments under the MiFID II framework, blockchain asset trading platforms are not currently explicitly regulated. However, in case the service of a trading platform falls under the scope of virtual asset services as defined in the AML Law, service providers who are established or provide services in Luxembourg will need to register with the CSSF and comply with AML/CTF obligations. Virtual asset services include transfer of virtual assets, exchange between virtual assets and fiat currencies, including the exchange between virtual currencies and fiat currencies and the exchange between one or more forms of virtual assets.
In case the blockchain assets would qualify as financial instruments, the trading venues would also fall under the scope of the currently applicable MiFID II legal framework on trading venues. Pursuant to advice published in 2019, ESMA took the preliminary view that in case crypto-assets qualify as financial instruments, platforms trading these assets with a central order book and/or matching orders under other trading models would be likely to qualify as multilateral systems. Such platforms should therefore operate as regulated markets, MTFs or OTFs. However, the currently applicable EU regulatory framework requires the transfer of any such instrument to be settled through central securities depositories in accordance with Regulation (EU) No 909/2014 on central securities depositories, and accordingly DLT financial instruments cannot currently be admitted to trading on a regulated market, MTF or OTF.
While there is no specific regulation targeting funds that invest in blockchain assets, according to the recently updated ESMA Q&As on AIFMD, managers of an undertaking investing in crypto-assets may be subject to the directive, if the relevant undertaking meets the definition of an alternative investment fund (AIF). Collective investment undertakings that raise capital from a number of investors to invest in crypto-assets in accordance with a defined investment policy for the benefit of those investors, will qualify as AIF in accordance with the AIFMD.
Although the AIFMD does not provide for a list of eligible or non-eligible assets, the CSSF has recently published FAQs on the possibility of investment funds to invest in virtual assets. Pursuant to the position of the CSSF, an AIF may invest directly (and indirectly) in virtual assets if its units are marketed only to professional investors, and a Luxembourg authorised AIFM must obtain an authorisation from the CSSF for this investment strategy. Accordingly, the CSSF has indicated that UCITS and UCIs addressing non-professional customers and pension funds are not allowed to invest, directly or indirectly, in virtual assets (as defined in the AML Law).
In case the services provided by the fund qualify as virtual asset services in accordance with the AML Law, the fund will need to register as a virtual asset service provider.
In accordance with the AML Law, virtual currencies, ie, digital representations of value that are not issued or guaranteed by a central bank or a public authority, which are not necessarily attached to a legally established currency and do not possess a legal status of currency or money, but are accepted by persons as a means of exchange and which can be transferred, stored and traded digitally, are also considered to be virtual assets. Therefore, the relevant AML/CTF obligations also apply to virtual currencies (see 12.3 Classification of Blockchain Assets).
Decentralised finance (DeFi) is currently not defined in financial services regulation applicable in Luxembourg. As it may include a broad range of financial services that utilise public, distributed ledgers, the question of whether DeFi platforms would fall under the scope of existing financial services regulation would need to be assessed on a case-by-case basis based on the type of activities conducted.
There are currently no specific provisions relating to non-fungible tokens (NFTs) and NFT platforms in Luxembourg. Unless NFTs are considered to be virtual assets or financial instruments, they would not fall under the scope of existing financial services regulations. By way of example, guidance issued by the Financial Action Task Force outlines that digital assets which are unique, rather than interchangeable, and which are used as collectibles rather than as payment or investment instruments, would generally not be considered as virtual assets.
Nonetheless, whether or not NFTs could be used for payment or investment purposes, and thus qualify as virtual assets, should be assessed on a case-by-case basis. In case an NFT qualifies as a virtual asset under the AML Law, specific registration and AML/CTF obligations would apply as outlined in 12.3 Classification of Blockchain Assets.
The main regulation governing open banking, Directive (EU) 2015/2366 on payment services (PSD2), has been transposed into Luxembourg law by the Law of 20 July 2018 amending the Payment Services Law. The legal framework aims to open up the EU payment market to entities offering payment services based on access to the payment account, including account information services and payment initiation services. PSD2 enables customers to share their data securely via application programming interfaces with banks and third parties, allowing the customers to compare products, initiate payments and request account information.
Although PSD2 has significantly impacted the payment sector in the EU, it can be argued that so far open banking in Europe has not fully lived up to its expectations. Some technical issues faced by third-party providers due to PSD2 rules still require some further fine-tuning of the legal framework. For example, the EBA has recently launched a consultation on the so-called 90-day rule, which requires customers to re-authenticate their accounts every 90 days, which is proposed to be extended to a 180-day minimum.
Concerns raised by open banking include risk relating to data protection and security breaches. Both topics are highly regulated by the European Union, as the GDPR also applies in the context of open banking, and financial sector regulation, including PSD2, includes strict requirements on cybersecurity. So far, there have not been any significant enforcement actions by the competent authorities in Luxembourg relating to open banking.
44 Avenue John F. Kennedy
L-1855 Luxembourg
+352 27 18 02 00
+352 27 18 02 11
luxembourg@gsk-lux.com www.gsk-lux.com