Digital transformation: from legacy to agility

One of the top three SSM supervisory priorities for 2024-2026 is progressing digital transformation. In that context, Luxembourg’s banking sector is accelerating its digital journey to remain competitive in a rapidly evolving financial landscape.

The push for automation is reshaping compliance, risk management, and customer service. The use of AI tools to increase the efficiency of AML/CFT controls, notably for name screening, transaction monitoring or customer identification verification, is currently a hot topic, and the CSSF is watching. In its latest annual report, it reminded banks (amongst others) that they must maintain adequate control of their AI tools, be in a position to verify their proper functioning, and be able to demonstrate that AI can improve the quality of AML/CFT controls.

Beyond control-related tools, banks must also innovate in their service offering and client processes. According to relevant reports (notably Deloitte’s report on digital maturity in retail banking), Luxembourg still ranks low in retail banking digital maturity. The challenge is not just to add digital features but to create personalized, seamless experiences for clients. Digitalization is no longer a matter of convenience but has become a necessity. Customer preferences are changing, and the competitive landscape is rapidly evolving. Institutions that fail to adapt risk losing relevance in a market increasingly shaped by fintechs and digital-only banks (with, according to the ECB, about 60 banks in the euro area identified as being “digital-only” at the end of 2024).

"Cloud adoption and generative AI are emerging as game-changers, but they also bring new governance and cybersecurity risks that banks must address proactively."

Innovation vs. cybersecurity and resilience: a delicate balancing act

With increased digitalization, banks are also facing an increased risk of cyber threats and other ICT-related risks. For instance, ransomware attacks in the financial sector have surged in recent years, making operational resilience a top priority.

In the CSSF’s words, “the banks’ increasing digitalisation and growing dependence on ICTs highlight the importance of appropriate management of ICT-related risks. Banks must reconcile the modernisation of their infrastructures with the need to ensure their security and resilience, including in the event of operational or fraudulent incidents.”

Banks should by now be familiar (and compliant) with the Digital Operational Resilience Act (DORA), which sets out strict requirements for ICT risk management, resilience testing, and third-party oversight. To ensure they are fully protected, they should also take into account other resilience-related regulations such as NIS2, the Critical Entities Resilience Directive, and the Cyber Resilience Act (to the extent relevant to their operations).

Compliance with DORA and other ICT requirements means investing in robust cybersecurity frameworks, incident reporting mechanisms, and continuous monitoring of critical service providers, but also in training staff and management to ensure they are able to navigate these new risks and act accordingly.

Banks must therefore balance the need for innovation with the requirement for security, ensuring that every technological leap and digital breakthrough is backed by strong governance and risk controls. Operational resilience must be embedded into every layer of banking operations, ensuring that banks not only meet regulatory obligations but also strengthen client trust in an era of heightened cyber risk.

The rapidly expanding crypto ecosystem

Interest in crypto-assets and blockchain-based solutions is growing among Luxembourg banks. The adoption of Luxembourg’s “blockchain laws” provides a legal framework for tokenized financial instruments, paving the way for new products and services – and banks (among other players) have taken notice.

Financial institutions are increasingly exploring opportunities to tap into this emerging market, for instance in custody services, tokenization of assets, and partnerships with fintechs. The ecosystem is evolving rapidly, and Luxembourg aims to position itself as a hub for regulated digital assets. For banks, this means developing expertise, upgrading systems, and engaging with regulators to ensure safe and sustainable growth in this space. The recent entry into force of MiCAR has also led several banks to consider crypto-asset services license top-ups in order to expand their service offering.

Crypto is no longer a fringe topic but is becoming part of mainstream strategic discussions. Institutions that anticipate regulatory developments and invest in secure, compliant infrastructure will be best placed to capture opportunities in this dynamic segment.

This article was first published by Paperjam.