Sign in Sign up
CSSF ·

CSSF clarifies that ML/FT risk level alone does not justify blanket refusal of client categories

Supervised Luxembourg entities cannot refuse client categories on ML/FT risk level alone and must evidence risk-based, not blanket, decisioning

Governance Financial Services
Save
Change
On 16 June 2026 Luxembourg's Commission de Surveillance du Secteur Financier (CSSF) clarified that supervised entities must manage rather than avoid ML/FT risk, may not generally exclude entire client categories except where law expressly permits, and that CSSF-imposed de-risking applies only in exceptional cases where risk is no longer manageable — restating obligations under existing law and EBA guidelines.
Why it matters
A higher ML/FT risk level does not by itself justify refusing or terminating a business relationship, and blanket exclusion of client categories is confined to cases expressly authorised by law (the 2004 AML Law, CSSF Regulation 12-02) or where the CSSF has ordered de-risking because risk is unmanageable. A profitability-driven exit from a client category is a strategic business decision distinct from CSSF-imposed de-risking. Where a client cannot provide standard documentation, alternative proportionate measures may be applied under the EBA guidelines and CSSF circulars; client cooperation on source of funds remains required.
Implications
  • Onboarding and AML/CFT teams at supervised Luxembourg credit institutions must be able to evidence a risk-based assessment behind any refusal or termination of a business relationship — a refusal resting on the client's risk category alone, rather than expressly authorised by law, is inconsistent with the CSSF's stated supervisory expectation.
  • AML/CFT teams must apply alternative, proportionate measures for clients who present higher-risk characteristics or cannot provide standard documentation, in line with EBA/GL/2023/03 and Circular CSSF 23/842, rather than declining the relationship outright on those grounds.
Who is affected
  • Onboarding and AML/CFT compliance teams at CSSF-supervised credit institutions
  • AML/CFT risk-management teams at CSSF-supervised financial sector professionals
What to watch
  • July 2027: under Article 21(4) of EU AMLR 2024/1624, the EBA and AMLA must issue joint guidelines on measures to ensure AML/CFT compliance for business relationships most affected by de-risking practices.
View on CSSF
Clarify with AI

Grounded in this brief. 10 free questions left this month.

Start with a decision question — or ask your own below

Clarify with AI — Pro only

You asked:

Clarify turns any brief into answers specific to your role and exposure.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

$29/month · Founding rate, locked for life. Cancel anytime.

Start your trial to clarify this brief

You asked:

Clarify is part of Pro. Start a 14-day trial for full access to every brief, unlimited Clarify questions, and real-time alerts.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

$29/month after trial. No credit card required. Cancel anytime.

Start 14-day trial Sign in