The revised regime aims to establish a harmonised framework across all EU member states, ensuring the timely “fit and proper” assessment of the in-scope management members and key function holders, and introduces changes to the relevant provisions of the Luxembourg law of 5 April 1993 on the financial sector, as amended (LFS). Provisions on suitability assessments are to this date spread out in various texts, including the LFS, guidelines by the European Supervisory Authorities and CSSF circulars.

Who is in scope?

The new requirements will apply to:

  • credit institutions;
  • bank-equivalent investment firms under Article 4(1)(1) item (b) of Regulation (EU) No 575/2013, as amended; and
  • (mixed) financial holding companies (including parent financial holding companies and EU parent financial holding companies), required to seek approval under Article 21a of Directive 2013/36/EU, as amended (CRD);

(together, the In-Scope Entities)

and relate to:

  • members of their management body(ies); and
  • key function holders, comprising persons with significant influence over the direction of the relevant institution but who are not members of the management body, and in any case the heads of internal control functions and the chief financial officer.

Current suitability assessment requirements in Luxembourg

Under the LFS, In-Scope Entities must ensure that members of their management bodies meet “fit and proper” standards prior to appointment, as assessed by the CSSF. This includes verifying good reputation and professional competence through criminal record checks, CVs, and declarations of honour.

The specific aspects for such process are mainly described under soft law provisions of the Joint ESMA and EBA Guidelines on the assessment of the suitability of the members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU, as amended (the Guidelines) and Circular CSSF 12/552 on central administration, internal governance and risk management, as amended (Circular 12/552).

These texts require In-Scope Entities to assess both individual and collective suitability, evaluating integrity, independence, experience, and time commitment separately for each member, as well as ensuring the management body’s overall composition reflects the required expertise and availability. This requirement applies in relation to both members of the authorised management and the supervisory body of the In-Scope Entity (where applicable).

The CSSF’s relevant prudential procedure further distinguishes requirements for institutions directly supervised by the ECB (significant) and those under CSSF oversight (non-significant).

For more information on the suitability assessments performed by the CSSF within the context of acquisitions of qualifying holdings in Luxembourg In-Scope Entities, please refer to our most recent Banking Regulation Guide, “Banking Regulation in Luxembourg: what you need to know”.


Key function holders are subject to similar suitability assessments, guided by the same Guidelines and national discretion. For example, Circular 12/552 imposes specific requirements for heads of internal control functions in particular, mandating high professional knowledge, skills and experience in the field of banking and financial activities. Similarly, CSSF Regulation No 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing, as amended, sets out relevant professional experience and knowledge expectations for AML/CTF-related key functions, such as the compliance officer in charge of the control of compliance with the professional obligations (RC) and the person responsible for compliance with the professional obligations (RR).

The new CRD VI regime

Requirement for a prior suitability assessment for members of management bodies

CRD VI introduces a specific timeframe for the submission of the suitability application in relation to a new member of the management of certain types of financial institutions (including, notably, large EU parent institutions, large subsidiaries, (EU) parent (mixed) financial holding companies with large institutions in their group, etc.) to the competent supervisory authority, which should not take place later than thirty (30) working days before the relevant appointment.

According to the Bill, this 30-day timeframe will be imposed under the LFS on all Luxembourg credit institutions.

CRD VI also includes a more detailed overview of the content of the suitability application file for credit institutions, which should include:

  • a suitability questionnaire and a CV;
  • the internal suitability assessment (unless the ex post assessment applies);
  • criminal record extracts;
  • any other documents that are specific under national law and/or listed by the competent supervisory authority; and
  • an indication of the date of appointment and the date on which the relevant individual will effectively assume their duties.

The revised LFS provisions under the Bill expressly refer to the CSSF suitability assessment questionnaire that should also be part of the suitability application file. 

Exceptionally, CRD VI provides a new possibility for an ex-post assessment of the members of the management body, where:

  • the In-Scope Entity intends to replace the majority of such members at the same time by newly appointed members; and
  • the outgoing members would have to assess the suitability of the soon to be appointed members.

The Bill provides for a revision of the LFS to foresee this new possibility.

The Bill, in line with CRD VI, also provides that where members of management fail to fulfil their suitability criteria at all times, the CSSF may prevent them from being part of, or remove them from, the management body. Alternatively, the CSSF may require the credit institutions concerned to take the additional measures necessary to ensure that such members are, or become, suitable for the position concerned.

Finally, the Bill introduces extended modifications to the current LFS provisions regarding the suitability assessment of management body members, which in principle reflect under “hard” law practices already applicable under the Guidelines.

Extension of the suitability criteria for members of the management bodies

CRD VI incorporates new environmental, social and governance (ESG) and information and communication technology (ICT) factors into the suitability requirements for members of the management bodies of the In-Scope Entities, and notably:

  • the collective assessment of the management body’s knowledge, skills and experience should take into account all risks associated with the In-Scope Entity’s activities and the impacts such activities create in the short, medium and long term, considering also ESG factors; and
  • the training of members of the management body must include training on ESG risks and impacts and ICT risks.

Finally, CRD VI no longer allows the chair of the management body in its supervisory function to also act as the chief executive officer of the In-Scope Entity.

The proposed revisions of the LFS under the Bill reflect the above new requirements.

Individual statements of roles and duties

CRD VI imposes a new obligation on In-Scope Entities to draw up, maintain, regularly update and submit to the competent supervisory authorities (upon request) individual statements delineating the roles, duties, reporting lines and lines of responsibility for:

  • members of their management bodies;
  • senior management; and
  • key function holders.

No further guidance is currently available at EU level or under the revised LFS provisions (as proposed under the Bill) with respect to the format of the above statements.

New governance requirements for the heads of internal control functions and other key function holders

CRD VI replicates the suitability assessment provisions of the Guidelines in relation to key function holders under hard law. New LFS provisions are introduced in this respect under the Bill, rendering the relevant process more similar to the one for management body members.

In addition, CRD VI introduces the requirement for the heads of the internal control functions (risk management, compliance, internal audit) of the In-Scope Entities to be:

  • independent senior managers, with distinct responsibility for internal control;
  • with direct and independent access to the management body of the In-Scope Entity acting in its supervisory function.

The above requirements are already provided for under Circular 12/552 and no further material changes have been introduced in this respect under the LFS in accordance with the Bill.

Combination of internal audit with other business lines / internal control functions is not permitted.

Next steps for In-Scope Entities

Upon transposition of the Bill on CRD VI in Luxembourg, the new suitability assessment provisions will introduce several changes to the existing framework.

Further Regulatory Technical Standards and Guidelines are expected to be issued by the ESAs in this respect, specifying (among others) the minimum content of the suitability application documentation for management body members and key function holders (draft Guidelines already published and under public consultation). Local guidance at Luxembourg level may also be developed.

In any case, In-Scope Entities are already encouraged to update their internal policies and succession procedures to reflect the above suitability assessment criteria and governance arrangements. Additionally, In-Scope Entities should consider their internal organisation and start preparing their individual statements for their management and key function holders.