Former regulatory framework and the importance of robust PI/EMI governance

Internal governance is a key point of attention of the CSSF in relation to regulated entities and has been flagged as such in the CSSF annual reports of the last few years.

Notably, the 2024 annual report refers to several exchanges with management/supervisory bodies of PIs and EMIs and internal control functions relating to governance matters, including for instance the implementation of sound internal governance arrangements, decision-making processes that are well established and clearly documented, independent and efficient internal control functions, internal control frameworks ensuring the sound and effective safeguarding of the funds of payment service users and electronic money holders, a central administration in Luxembourg, outsourcing matters, and the continuous reassessment and necessary enhancement of the institutions’ human and technical means when growing their services.

The governance framework for PIs and EMIs, however, has so far been spread out between different texts and has not necessarily been clear. The relevant EU legislative texts (including notably Directive (EU) 2015/2366 (PSD2) and Directive 2009/110/EC (EMD)) did not include specific governance requirements. The European Banking Authority (EBA) did not publish specific guidelines for the governance of PIs/EMIs (contrary to the relevant framework currently in place for credit institutions). At EU level, governance requirements in the payments sector mostly stem from the EBA guidelines regarding the PI authorisation conditions (EBA/GL/2017/09).

In Luxembourg, Circulars CSSF 11/510 and 11/520 made older CSSF circulars (originally applicable to credit institutions and investment firms, and later to professionals of the financial sector) applicable to PIs and EMIs, respectively. In particular, the following circulars have applied to PIs and EMIs since 2011:

  • Circular IML 95/120 of 28 July 1995 on central administration, as amended;
  • Circular IML 96/126 of 11 April 1996 on administrative and accounting organisation, as amended;
  • Circular IML 98/143 of 1 April 1998 on internal control, as amended; and
  • Circular CSSF 04/155 of 27 September 2004 on the compliance function, as amended.

These circulars will be repealed for PIs and EMIs. The new Circular now introduces a coherent and comprehensive set of rules on central administration and governance for PIs/EMIs and significantly reduces regulatory fragmentation by centralising the detailed provisions in a single text, thereby replicating the approach taken for banks (via Circular CSSF 12/552) and investment firms (Circular CSSF 20/758).

Whereas Circular 26/906 should not come as a shock for seasoned PIs/EMIs, as it largely expands on the existing governance framework, it does require market players, and especially smaller ones, to carefully assess how their internal governance is set up given the additional level of detail.

Supervisory Body and Management Body – roles, composition, and functioning

The Circular reiterates the role of the Supervisory Body (the Board of Directors in a one-tier corporate structure) and the Management Body (often referred to as the Authorised Management) functions, by setting out their respective responsibilities in detail.

It also provides clarity on the CSSF’s expectations regarding the composition, qualification and functioning of such bodies, which until now were primarily practice-based and not formalised in the regulatory framework applicable to PIs/EMIs.

The Supervisory Body (Board of Directors)

a) Key role and responsibilities

The Circular provides that the Board bears the overall responsibility for the PI/EMI and must ensure the sound and prudent management of the institution, the preservation of its continuity and the protection of its reputation. In more practical terms, the Board is responsible for approving, and regularly (at least annually) reviewing and updating (where necessary):

  • the business strategy (business model/plan);
  • its risk strategy and risk appetite;
  • a clear and consistent organisational and operational structure; and
  • the guiding principles relating to the safeguarding of client funds as required under payment legislation, IT systems and security, internal control, remuneration, professional conduct, corporate values, conflicts of interest management, escalation and sanctions procedures, equality and non-discrimination, business continuity and crisis management, distribution networks, customer communications and digital marketing, the central administration in Luxembourg, and the appointment and succession of the supervisory body, the management body, and the internal control functions.

In addition, the Board must approve and monitor the implementation by the Authorised Management of internal policies and procedures established on the basis of the above strategies and guiding principles and must ensure the adequacy and efficiency of the institution’s internal control functions (risk, compliance, internal audit).

Finally, the Board must be actively involved in risk management and must ensure that the PI/EMI devotes sufficient resources to risk and compliance management.

b) Composition

The composition requirements for the Board are now more concrete under the Circular (although the key principles set out below were already expected by the CSSF under the prior regime, even if not formalised in writing). Board members must be in sufficient number and of adequate composition (in terms of individual and collective skills, knowledge, experience), so that the Supervisory Body can fully meet its responsibilities.

For this purpose, Board members are subject to a suitability assessment (on an individual basis and collectively), which includes an assessment of their personal qualities (knowledge, skills, experience, reputation) that enable them to understand the operations of the PI/EMI and exercise their mandate, as well as of their time commitment to the respective directorship (and its compatibility with other positions, mandates or possible interests) and any conflicts of interest.

The Supervisory Body cannot have among its members a majority of persons who take on an executive role within the institution. Although not an obligation, the CSSF recommends the presence of one or more independent members within the Supervisory Body.

The Circular also emphasises the need to have appropriate induction, training, and succession planning. The new text requires that members of the Supervisory Body remain qualified throughout their mandate and have access to a specific initiation on the entity as well as ongoing training programs. The proper transition of knowledge and duties from an exiting member to his/her successor must also be ensured, and any change in the composition of the Supervisory Body must be notified to the CSSF in advance and without delay.

The Circular further clarifies, in line with the provisions for other regulated entities, that the chairperson of the Supervisory Body may not take an executive role within the PI/EMI.

c) Functioning and regulatory obligations

The Board must meet on a regular basis (at least on a quarterly basis) to effectively fulfil its responsibilities. The CSSF recommends that a majority of such meetings are held at the registered office of the Luxembourg PI/EMI in the presence (on site) of a majority of its members (although exceptions may be accepted).

The work of the Board (including the agenda and minutes of the meetings, decisions and measures adopted) must be documented in writing.

d) Assistance by specialised committees

The CSSF recommends that the Boards of larger and more complex or risky PIs and EMIs be assisted by specialised committees in various fields (e.g., audit, risk, remuneration, etc.) depending on the institution’s needs.

The permanent members of such specialised committees must be non-executive or independent Directors (to the extent possible, different ones per committee). The committees may also be assisted by external experts (e.g., the approved statutory auditor), as well as other Directors, members of other committees, the heads of the internal control functions, etc.

The Board must lay down, in writing, the missions, composition and working procedures of the specialised committees. The work of the specialised committees must also be documented in writing.

The Circular also prohibits the Board from delegating its core role and responsibilities to specialised committees.

The Management Body (Authorised Management)

a) Key role and responsibilities

The Circular states that the Authorised Management is in charge of the effective, sound and prudent day-to-day management of the activities (and inherent risks) of the institution, in compliance with the strategies and guiding principles approved by the Board, which in practice entails that it must:

  • implement, through written internal policies and procedures, all the strategies and guiding principles established by the Board and keep the internal control functions informed of any major issue (notably, if the sound and prudent management of the activities, the management of incurred risks or the safeguarding of funds are no longer ensured);
  • define an internal code of conduct (in accordance with the guiding principles on professional conduct, corporate values and conflicts of interest management set by the Board);
  • ensure that the institution has the necessary internal control mechanisms, technical infrastructures and human resources to ensure a sound and prudent management of the activities and inherent risks;
  • ensure that all communications and marketing (particularly if disseminated through digital means) of payment / e-money services are consistent with the institution’s strategy and are presented in a clear and unambiguous manner;
  • implement any corrective measures required to address weaknesses; and
  • designate one member to be in charge of compliance with the anti-money laundering and counter-terrorist financing obligations of the PI/EMI and one member to be in charge of the institution’s safeguarding arrangements for client funds.

b) Composition

The obligation to have at least two (2) Authorised Managers in charge of the day-to-day management of the PI/EMI is clearly set out in the Circular. It is also provided that Authorised Managers are subject to a suitability assessment (on an individual basis and collectively), including notably an assessment of skills, knowledge and experience, as well as sufficient time commitment and the absence of any conflicts of interest (which is already the case, in practice).

It is further clarified that the Authorised Managers must in principle be permanently on site (subject to the possibility of teleworking in compliance with the relevant Circular CSSF 21/769) and must be readily available to be contacted by the CSSF at any time.

c) Functioning and regulatory obligations

The work of the Authorised Management (including the agenda and minutes of the meetings, decisions and measures adopted) must be documented in writing.

Any decisions that may have a material impact on the institution’s risk must first be discussed with the risk control function. Advice and other opinions from the internal control functions must at all times be considered by the Authorised Management.

Task allocation among the various Authorised Managers must allow for sufficient segregation between operational / risk-taking functions and independent control functions.

At least once a year, the Authorised Management must inform the Board (in writing) of the institution’s compliance with the internal governance arrangements in place, the adequacy thereof and the state of internal control.

Internal control functions

The Circular establishes a robust framework for the internal control of PIs/EMIs. The obligation to have appropriate independent internal control functions already existed under the former regime; however, the new rules provide further detail and impose additional requirements for the functioning of internal control, in line with the CSSF’s expectations.

Under the Circular, PIs/EMIs should develop an internal control system ensuring three (3) lines of defence:

  • First line: Daily controls (e.g., regular validations, hierarchical and reciprocal controls, account reconciliation and confirmation, verification of transactions, etc.) carried out by operating staff in their respective business units in relation to the transactions they carry out.
  • Second line: Controls by the support functions (financial and accounting), as well as the compliance and risk management functions.
  • Third line: Controls by the internal audit department, a function which must be permanent and independent from the activities and functions it audits (risk-taking and risk-controlling functions are not compatible).

Each internal control function should have a separate head, who is subject to a prior suitability assessment by the CSSF and must regularly (at least annually) report to the member of the Authorised Management in charge of the relevant function, the Board and (where appropriate) any specialised (Board-delegated) committees.

Each internal control function must prepare a summary report, which shall be written in French, German, or English, approved by the Supervisory Body and submitted to the Management Body. The reports must be available to the CSSF. The annual summary reports of the compliance function and the internal audit function must be submitted to the CSSF.

The Compliance and Risk Management functions may be combined into one (under a single head) subject to the principle of proportionality.

Outsourcing of the compliance and risk management functions is prohibited (only certain operational tasks may be externalised). Outsourcing of the full range of operational tasks of the internal audit function is possible, subject to certain conditions. Outsourcing arrangements remain subject to the rules set out in Circular CSSF 22/806 on outsourcing arrangements.

Other key points of attention

Additional requirements relevant to PI/EMI governance which build on the provisions of the prior regime include:

  • The requirement to have all central administration (including procedures on the proper execution of activities and client communications, and administrative and accounting organisation and procedures), internal governance and internal control arrangements documented in writing.
  • The requirement to establish an independent finance and accounting function, with one person in charge and directly reporting to the Authorised Management (recommended for larger and/or riskier institutions), appropriately segregated from other business-related or administrative incompatible tasks.
  • The need to ensure compliance with the ICT outsourcing regulatory framework (notably under Regulation (EU) 2022/2554, the EU Digital Operational Resilience Act or DORA).
  • The obligation to establish appropriate channels for whistleblowing.
  • The “Know-your-structure” obligation in relation to the organisational structure of the institution (which must ensure effective risk management and oversight of the pursued activities, particularly within more complex and higher-risk institutions or with regard to less transparent business activities).
  • The effective management of conflicts of interest and the implementation of appropriate procedures and policies in this respect.
  • The monitoring of transactions with related parties, and the obligation to submit them for approval to the Board in case of any expected material impact on the institution’s risk profile.
  • A robust new product approval process, and the prohibition for the PI/EMI to undertake any new activity unless the Authorised Management has approved it and all relevant parties (including the internal control functions) have been heard.
  • The requirement to develop and implement appropriate arrangements for the safeguarding of client funds (segregation accounts, insurance, other guarantees), including processes for controlling executed transactions, processes for fund reconciliation and an obligation to verify client funds at all times.
  • Legal reporting obligations (including annual accounts, annual assessment of ICT and security risks, confirmation of annual compliance with the regulatory requirements of the Circular and summary reports of the compliance and internal audit function).

Beyond more detailed organisational requirements, the Circular further introduces new provisions, such as a prohibition for PIs and EMIs from using terminology related to services reserved for credit institutions (such as “banking services”, “deposits”, “bank” or “neo-bank”, “bank accounts”), or for other (financial) institutions which carry out activities not covered by the PI or EMI licence. This is particularly relevant for market players marketing or intending to market themselves as alternatives to traditional banks. A careful review of the text is therefore required.

Proportionality

As for other similar texts, the Circular allows the application of the principle of proportionality in order for in-scope entities to adapt their organisation to the size, complexity, and risk of their activities, and sets out examples of items PIs and EMIs may take into account for the purpose of applying the principle (such as the granting of credits related to payment services, the volume of payment and electronic money operations, the size of the institution in terms of turnover and balance sheet total, etc.).

Next steps for in-scope entities

The Circular shall apply as from 30 June 2026, giving PIs and EMIs 5 months to review their internal governance.

Although not materially different from what has already been implemented in practice, the Circular does provide a level of detail that may be new for smaller players in the payments and e-money space, and we strongly suggest that all Luxembourg PIs/EMIs familiarise themselves with the Circular’s provisions and perform a gap analysis of their current governance arrangements against the requirements set out under the new Circular.

In case of any deficiencies or gaps, PIs/EMIs should adopt all relevant measures to update the relevant policies and procedures and upgrade their internal organisation to ensure alignment with the new Circular and avoid any queries or further inspection from the CSSF due to non-compliance.

Compliance with the requirements of Circular 26/906 must be confirmed annually by a statement issued and signed by all members of the management body.

PIs/EMIs are also encouraged to actively monitor upcoming regulatory developments in the payments space. Notably, the highly anticipated new Payments Services Package (including PSD3 and PSR), although not expected to materially alter the current EU framework in relation to governance, may bring forward some additional detail (as it instructs the EBA to issue new guidelines on governance arrangements, once the package is adopted).

Please do not hesitate to reach out should your organisation require a gap analysis between the previous rules and current central administration and internal governance requirements.