The Financial Technology Law Review: Luxembourg


Luxembourg is a reference jurisdiction for the financial services industry and has always been keen to evolve and implement new innovative technologies in the day-to-day business framework. It should be highlighted that Luxembourg recently passed a new amendment to the law of 6 April 2013 relating to dematerialised securities to allow for the issuance of dematerialised securities on distributed ledger technology such as blockchain.

The LHoFT Foundation, Luxembourg for Finance, Luxinnovation, Digital Luxembourg and ABBL Fintech map constitute useful sources of information.

Luxembourg provides for an attractive IP and tax regime that allows companies to benefit from a tax exemption of 80 per cent on certain types of eligible income streams, and for other incentives such as investment tax credits and government grants for innovative start-ups.

Regarding corporate tax, Luxembourg-resident companies are subject to corporate income tax (CIT) at a rate of 17 per cent on the basis of their worldwide income. However, companies whose taxable income does not exceed €175,000 are subject to a lower CIT rate of 15 per cent. A contribution to the unemployment fund (7 per cent of the CIT charge) and municipal business tax (6.75 per cent in Luxembourg city) (i.e., the aggregate corporate tax rate) amounts to 24.94 per cent. Luxembourg resident companies are also subject to an annual net wealth tax at a rate of 0.5 per cent on the basis of their total net assets (subject to certain exemptions).

Luxembourg has a prominent financial services industry and a unique opportunity to strategically leverage financial investment and services that could facilitate and accelerate the transition to a digitally interconnected economy through enhancing fintech and entrepreneurship. In that respect, Luxembourg Digital Tech Fund has contributed by investing in tech start-ups and supporting cybersecurity, fintech, big data and digital health. In addition, a good example would be Bitstamp, a Luxembourg-based Bitcoin exchange company that has been granted a payment institution licence by the Luxembourg financial supervisory authority (CSSF) and is acting as a payment institution. However, although Luxembourg widely promotes innovation and embraces fintech, and is at the top of the list of fintech-friendly jurisdictions, there are further steps to be taken to ensure a long-lasting implantation of such highly innovative companies.


i Licensing and marketing

In Luxembourg, fintech companies are subject to the following main regulations:

  1. the Luxembourg Law of 10 November 2009 on payment services, as amended (the 2009 Law);
  2. the Luxembourg Law of 5 April 1993 on the financial sector, as amended (the 1993 Law);
  3. CSSF-related regulations and circulars, provided that their activities fall within the scope of the above-mentioned laws;
  4. the Luxembourg Law of 3 May 2018 on markets in financial instruments, implementing Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments;
  5. the Luxembourg Law of 7 December 2015 on the insurance sector, as amended (the 2015 Law);
  6. the Luxembourg Consumer Code (the Consumer Code); and
  7. the Luxembourg Law of 14 August 2000 on electronic commerce (the E-Commerce Law), as amended.

There is no specific 'fintech licence' in Luxembourg. However, activities performed by fintechs may be subject to licensing requirements pursuant to the 2009 Law, the 1993 Law or the 2015 Law.

In addition, because activities performed by fintechs can be qualified as 'economic activities', they may be subject to the prior granting of a business licence.

Fintechs that would like to establish themselves in Luxembourg to carry out an activity of the financial sector (e.g., the issuing of means of payments in the form of virtual or other currencies, the provision of payment services using virtual or other currencies, or the creation of a market (platform) to trade virtual or other currencies) must define their business purpose and their activity in a sufficiently concrete and precise manner to allow the CSSF to determine for which status they need to receive the ministerial authorisation.2

Insurtechs and reinsurtechs that would like to establish themselves in Luxembourg to carry out an activity of the insurance or reinsurance sectors must submit their project to the Luxembourg Supervisor of the Insurance Sector (CAA).

The business licence is issued to businesses (professionals operating under their own name, or companies) within three months, which may be extended by an additional month in certain cases, but only provided that:

  1. the applicant fulfils the legal conditions for the relevant qualification (if one is required) and professional integrity for the activity concerned; and
  2. the business has a fixed physical establishment in Luxembourg (no 'letterbox companies').

The business licence is required for any person that wishes to engage in the following professional activities as a self-employed person or as a company:

  1. commercial activity (trade, HORECA (hotel, restaurant and catering sector), transports, industry, etc.);
  2. craft activity (food, fashion, construction, mechanical engineering, audiovisual, entertainment, art, etc.); or
  3. certain liberal professions that are mainly intellectual in nature.

Undertakings that carry out an activity of the financial sector must obtain an authorisation from the Minister of Finance and are subject to the prudential supervision of the CSSF.

The activity of direct insurance or reinsurance is subject to prior authorisation from the minister with responsibility for the insurance sector through the CAA.

With respect to the business licence, it is granted by the General Directorate for Small and Medium-Sized Enterprises.


In Luxembourg, digital financial advisory services, in the same manner as traditional financial advice services, are subject to the usual regulatory requirements of the CSSF as opposed to specific robo-advice regulatory requirements. The type of licensing required by a robo-adviser to perform its activities thus depends on the operating model chosen including the services provided, the contractual arrangements and the structure of the platform. Robo-advisers need to obtain an authorisation as:

  1. investment advisers: these are regulated in the same way as traditional, non-automated financial advisers that limit themselves to advisory services and do not intervene in the implementation of the advice provided by them (Article 24 of the 1993 Law);
  2. private portfolio managers: whenever robo-advisers use technology to manage portfolios as per client's mandates on a discretionary basis (Article 24-3 of the 1993 Law);
  3. brokers in financial instruments: when their servicing consists of the role of an intermediary by either encouraging parties to be brought together with a view to the conclusion of a transaction, or in passing on their clients' purchase or sale orders without holding the investments of the clients (Article 24-1 of the 1993 Law); and
  4. commission agents: in cases where robo-advisers execute orders on behalf of clients and in relation to one or more financial instruments (Article 24-2 of the 1993 Law).

To obtain a licence, a formal application needs to be submitted to the CSSF. The format of the application varies with the nature of the robo-advice activity envisaged.

Fintechs offering robo-advisers should regularly monitor the effectiveness and appropriateness (in line with MiFID II3 requirements) of the advice provided to avoid mis-selling. Precautionary mechanisms should be in place to be able to suspend the provision of advice should errors or bias be detected.4

Asset management company

Authorisation to act as a management company is subject to the requirements as set out in the Law of 17 December 2010 relating to undertakings for collective investment (the 2010 Law).

There are special rules on credit information services (e.g., pre-contractual information, information to be mentioned in the credit agreements, right of cancellation) to comply with those that are detailed in the Consumer Code.

2009 Law

Luxembourg payment institutions and electronic money institutions that intend to provide payment services in another Member State, either through the establishment of a branch, through the use of agents or by exercising their freedom to provide services, are subject to certain information obligations towards the CSSF.

1993 Law

Only Professionals of the Financial Sector (PFSs) belonging in the category of 'investment firms' (such as investment advisers, brokers in financial instruments, commission agents and private portfolio managers) can hold a European Union passport (the EU Passport).5

On the contrary, specialised PFSs (such as professionals providing company incorporation and management services, professionals performing lending operations and corporate domiciliation agents) and support PFSs (such as client communication agents, primary IT systems operators of the financial sector, secondary IT systems and communication networks operators of the financial sector) may not benefit from the EU Passport. As a consequence, specialised PFSs and support PFSs would need to obtain an authorisation from the competent authority of each Member State in which they intend to operate.

The EU Passport covers:

  1. the investment services listed in Section A of Annex II of the 1993 Law (such as dealing on own account, portfolio management and investment advice); and
  2. where appropriate, one or more of the ancillary services listed in Section C of Annex II of the 1993 Law (such as safekeeping and administration of financial instruments for the account of clients, granting credits or loans to an investor to allow him or her to carry out a transaction in one or more financial instruments, or foreign exchange services where these are connected to the provision of investment services).

ii Cross-border issues

2009 Law

EU payment institutions and electronic money institutions

Payment institutions and electronic money institutions for which the home Member State is a Member State other than Luxembourg, may provide payment services or electronic money services in Luxembourg, either through the establishment of a branch or through the engagement of an agent or the provision of services, provided that their activities are covered by their authorisation.

Third-country payment institutions and electronic money institutions

Payment institutions incorporated in third countries wishing to establish a branch in Luxembourg are subject to the same authorisation rules as payment institutions for which Luxembourg is the home Member State. Compliance by the foreign institution with the required conditions for authorisation shall be assessed (i.e., professional standing and experience of the persons responsible for the branch, central administration in Luxembourg and adequate administrative infrastructure in Luxembourg).

1993 Law

EU credit institutions, investment firms and financial institutions

Provided that their activities are covered by their authorisation, EU-based credit institutions, investment firms and financial institutions may exercise their activities in Luxembourg by the way of:

  1. the provision of services;
  2. through the establishment of a branch; or
  3. through the use of a tied agent.

The tied agent is assimilated to the Luxembourg branch and is subject to the provisions of the 1993 Law applicable to Luxembourg branches of EU credit institutions and investment firms.6

EU-based financial institutions may also benefit from the EU Passport provided that they meet certain requirements (such as the financial institution being the subsidiary of a credit institution or the jointly owned subsidiary of several credit institutions).7

Third-country credit institutions and third-country PFS other than investment firms

The exercise of their activities in Luxembourg by third-country credit institutions (for their banking activities) and PFSs other than investment firms' requires them to (1) establish a branch or, (2) if these third-country firms are not established in Luxembourg but occasionally and temporarily come to Luxembourg to, among other things, collect deposits and other repayable funds from the public and to provide any other service under the 1993 Law, hold an authorisation from the Minister responsible for the CSSF. Obtaining the authorisation in Luxembourg is subject to the condition that these third-country firms are subject to equivalent authorisation and supervisory rules as those of the 1993 Law in their home country.8 These authorisation and supervisory rules notably include the requirement to have an authorisation granted by a public authority, specific reputation requirements for the directors, an appropriate internal administrative organisation (compliance with organisational requirements, existence of human and technical resources, establishment of internal systems, resources and procedures), the existence of rules of conduct, as well as requirements relating to capital and own funds and the membership of a deposit-guarantee scheme.9

There is no distinction provided in the 2009 Law or in the 1993 Law between the different types of fintech services or products that may be offered from abroad into Luxembourg without a physical presence in Luxembourg.

Regarding whether services or products are actively marketed or if the client solicits the service or product, this is only relevant if a third-country firm intends to provide investment services (e.g., investment advice or portfolio management) in Luxembourg. In such case, the 1993 Law distinguishes two situations depending on the clients targeted and whether the provision of the investment service is exclusively initiated by the client, as detailed below.10

First, when targeting eligible counterparties or professional clients, equivalence and cooperation must be taken into account. In the absence of an equivalence decision of the European Commission taken in accordance with Article 47(1) of the Markets in Financial Instruments Regulation,11 the third-country firm may also provide investment services in Luxembourg to eligible counterparties and professional clients, provided that the following conditions are fulfilled:

  1. it is permitted within its jurisdiction to provide investment services and engage in investment activities that it wishes to offer to Luxembourg;
  2. it is subject to supervision and authorisation requirements that the CSSF considers equivalent to those of the 1993 Law; and
  3. cooperation between the CSSF and the supervisory authority of this firm is ensured.

Second, when targeting retail clients or clients who may be treated as professionals on request, obligation to establish a branch must be taken into account. If the third-country firm intends to provide in Luxembourg investment services to retail clients or clients who may be treated as professionals on request within the meaning of Annex III, Section B of the 1993 Law, it must establish a branch and is subject to the same authorisation procedureas the Luxembourg credit institutions and investment firms. The decision taken on an application for approval shall be notified to the undertaking applicant within six months of the submission of a complete application, failing which the absence decision is equivalent to the notification of a refusal decision.

Foreign but EU-based entities

Pursuant to both the 2009 Law and the 1993 Law, EU-based entities (payment institution or electronic money institutions, credit institutions, investment firms or financial institutions) do not need to obtain a local licence if they provide cross-border services and products and benefit from the EU Passport to the extent these services are all passportable.

iii Provision of services at the exclusive initiative of the client

A third-country firm will not need any authorisation in Luxembourg in the case of reverse solicitation.

Where a client established or situated in the EU exclusively initiates the provision of investment services by a third-country firm, the requirement for authorisation will not apply to the provision of the investment services by the third-country firm. An initiative by such clients shall, nevertheless, not entitle the third-country firm to market new categories of investment products or investment services to those clients.

Digital identity and onboarding

Regarding digital identity in Luxembourg, the electronic ID (eID) card is a card with an electronic chip that contains digital data and two electronic certificates that allow the holder to authenticate themselves or to sign online documents in various web applications. The eID is issued by the state (i.e., the Government IT Centre (CTIE) – eID applications service). A card reader and a specific application on the user's computer are needed for use of eID. The reader can be purchased at the CTIE, as well as in certain municipalities. The required software application (middleware) can be downloaded for free on the LuxTrust website.12

After the application (middleware) has been installed and the eID is detected by the card reader, a PIN request (secret code) will pop up on the screen. The PIN code must be entered for the first time. After that, the PIN code must be entered at each authentication request from applications being used, or whenever it is needed to sign a document electronically.

The eID is available to Luxembourg nationals only, and not to non-nationals. Non-nationals can, however, use other forms of e-signing techniques (Token, Smartcard, etc.).

LuxTrust allows the identification of customers not residing in Luxembourg through a notary and a certificate (apostille) in accordance with international regulations in this area, subject to the production of certain documents (i.e., a copy of the identity card or passport of the person concerned, duly authenticated by a notary).

They can be used by any person of legal age who has requested the activation of the certificates at the time of application for their eID, or by minors of at least 15 years of age for whom the activation of the certificate was requested by either a parent with parental authority or by their legal guardian.

Under certain conditions, the CSSF allows (licensed) financial service providers to identify or verify the identity of their customers through video identification (i.e., the performance of the identification or verification of the identity of the customer by a professional of the financial sector under the supervision of the CSSF (the Professional) through an online videoconference).13

Professionals use this process to support and execute certain tasks for the purpose of fulfilling their customer identification and verification of identity obligations as required by the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the 2004 Law).

The Professional has the following possibilities:

  1. they perform the video identification process themselves using a tool developed internally;
  2. they perform the video identification process themselves using an external tool acquired from an external provider; or
  3. they delegate the identification process to an external provider using their own tool.

The video identification needs to be performed by a specifically trained employee, either of the Professional or, if applicable of the external provider.

The video identification or verification of the identity of a customer that is not actually performed by a specifically trained natural person, but where the customer is in contact only with a robot, or where the customer simply uploads (a video with) identity documents online, does not qualify as 'video identification' owing to the absence of a live video chat or real-time interaction between the aforementioned trained natural person and the customer.

Digital markets, payment services and funding

The following laws and regulations apply to collective investment schemes:

  1. the Luxembourg Law of 17 December 2010 relating to undertakings for collective investment, as amended;
  2. the Luxembourg Law of 13 February 2007 relating to specialised investment funds as amended;
  3. the Luxembourg Law of 15 June 2004 relating to the investment company in risk capital as amended;
  4. the Luxembourg Law of 12 July 2013 on alternative investment fund managers, as amended;
  5. the Luxembourg Law of 23 July 2016 on reserved alternative investment funds;
  6. Regulation (EU) 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse; and
  7. Regulation (EU) 648/2012 of the European Parliament and of the Council of 4 July 2012 on over-the-counter (OTC) derivatives, central counterparties and trade repositories.

Crowdfunding is not subject to any specific legal framework or licence but may be regulated, depending on the platform, structure or services provided.

There is, however, an EU crowdfunding legal framework since October 2020. On 10 November 2020, the Regulation on European Crowdfunding Service Providers for business (the Crowdfunding Regulation)14 entered into force. After a transition period of 12 months, the rules will enter into application on 10 November 2021, applying directly across the EU.

The regulation lays down uniform rules across the EU for the provision of investment-based and lending-based crowdfunding services related to business financing. It allows platforms to apply for an EU passport based on a single set of rules, which makes it easier for them to offer their services across the EU with a single authorisation.

The new rules are expected to increase the availability of this innovative form of finance, which will help companies seeking alternatives to bank financing. Investors on crowdfunding platforms, meanwhile, will benefit from an aligned and enhanced investor protection framework, based on:

  1. clear rules on information disclosures for project owners and crowdfunding platforms;
  2. rules on governance and risk management for crowdfunding platforms; and
  3. strong and harmonised supervisory powers for national authorities overseeing the functioning of crowdfunding platforms.

Crowdlending is also not specifically covered under Luxembourg law.

Whether crowdlending is permitted or subject to a licence depends on how it is structured. If the platform or fintech collects the funds before lending them to borrowers, a licence may be required.

Peer-to-peer lending between individuals is also not specifically regulated. The role of the platform would then need to be assessed on a case-by-case basis. If it endorses the role of a credit broker that is not linked to a specific credit institution, there is no particular regulation other than the potential need to obtain a business licence.

With regard to consumer lending regulations, the Consumer Code applies.

The legal restrictions on peer-to-peer lending depend on, among other things, the terms of the loans.

For restrictions on trading such loans or financings on a secondary market, see the above text regarding lending professionals' activities.

i Forms of debt securitisation

In specific circumstances, the structures in which the securitisation undertaking itself expressly grants loans instead of acquiring them on the secondary market may be regarded as securitisation, provided that the securitisation undertaking does not allocate the funds raised from the public to a credit activity on own account, and that the documentation relating to the issue either clearly defines the assets on which the service and the repayment of the loans granted by the securitisation undertaking will depend, or clearly describes (1) the borrower or borrowers; or (2) the criteria according to which the borrowers will be selected, so that the investors are adequately informed of the risks, including the credit risks and the profitability of their investment at the time securities are issued. In both cases, information on the characteristics of the loans granted must be included in the issue documents.15 The CSSF will assess compliance with these conditions on a case-by-case basis. Moreover, the participants are responsible for ensuring that any other applicable legal provisions are complied with.

ii Impact of the Alternative Investment Fund Managers Law16

Pursuant to the CSSF FAQ on Securitisation, according to the clarifications provided by the European Central Bank in its 'Guidance note on the definitions of 'financial vehicle corporation' and 'securitisation' under the European Central Bank (ECB) Regulation ECB/2008/30', point 4.1, page 3, a securitisation vehicle issuing 'collateralised loan obligations' would meet the definition of the ECB Regulation, so that these vehicles do not qualify as alternative investment funds.17

According to the same Guidance note (points 4.1 and 4.3, pages 3 and 4), securitisation undertakings whose core business is the securitisation of loans that they grant themselves (securitisation undertakings acting as 'first lender') do not meet the definition of the ECB Regulation, and thus cannot benefit from the exclusion. The same applies to securitisation undertakings that issue structured products that primarily offer a synthetic exposure to assets other than loans (non-credit-related assets) and where the credit risk transfer is only ancillary.

Payment services require a licence (see Section II.i.2009 Law).

Pursuant to the Payment Services Directive (PSD) II 'principle of non-discriminatory access to payment systems', credit institutions are required to open up access to account data to third parties at the request of customers and to support both account information and payment initiation services provided by the third-party payment service providers (TPPs).

Cryptocurrencies, initial coin offerings (ICO) and security tokens

On 14 February 2019,18 a new law was passed by the Luxembourg lawmakers aiming to facilitate the use of distributed ledger technology in financial services. In particular, the law's main goals were to provide more legal certainty and transparency to the financial market participants, and to allow the use of blockchain technology for the transfer of securities.

There is in Luxembourg no specific framework around cryptocurrencies as such. Nevertheless, both the government and the CSSF are keen to meet with any business intending to operate with cryptocurrencies to discuss any specific project. There are several working groups at the government and CSSF's level continuously working on potential new legislation or circulars to cater for the new crypto products and players entering the market.

Luxembourg law does not provide for a clear statutory definition of 'securities', making it difficult to qualify tokens. The term 'securities' is viewed as quite general conceptually, and it entails the notions of both 'valeur mobilière' and of 'instrument financier' ('transferable security' and 'financial instrument', respectively). Depending on the token characteristics, it may or may not qualify as a security.

Based on Luxembourg legal literature, the term 'security' constitutes an application of the materialised rights deriving from a legal act with regard to an issuer and corresponding to specific legal elements that distinguish themselves as being fungible while being allowed to be circulated on the capital markets.19 Thus, the concept of security approaches more the notion of transferable security, a position that has been also supported by the Luxembourg courts. In general, owing to the broad interpretation of both notions of 'financial instrument' and 'transferable security' under Luxembourg law, tokens could fall to any of those categories if they are fungible and transferable, and produce cash flow rights or rights to proceeds and returns.

i Circulation of securities

The Law of 1 March 2019 on the circulation of securities extends the scope of the Law of 1 August 2001 on the circulation of securities to allow account holders to book and transfer securities through secure electronic recording devices, including distributed electronic registers or databases such as blockchain.

ii Issuance of securities

The law of 22 January 2021 amending the 1993 Law and the law of 6 April 2013 relating to dematerialised securities (the 2013 Law) explicitly recognises the possibility to use distributed ledger technology (DLT) for the purpose of issuing dematerialised securities (the DLT Law).

The main purpose of the DLT Law is to modernise the 2013 Law by expressly recognising the ability to use secured electronic recording mechanisms, including distributed electronic registers or databases, for the purpose of issuing dematerialised securities.

Definition of an 'issuance account'

Both the issue of dematerialised securities and the conversion of securities issued into dematerialised securities are exclusively and compulsorily carried out by registration of securities in an issuance account held with a liquidation institution or a custodian of central account. The DLT Law aims at defining 'the issuance account' while stating that this account can be held and the registrations of titles can be performed there within or through secured electronic recording devices.

Investment firms and credit institutions to act as central account keeper for unlisted debt securities

In addition, the DLT Law aims at broadening the scope of the 2013 Law by granting the option to investment firms and credit institutions, as defined in 1993 Law, to act as central account keeper for unlisted debt securities. Enlargement of access to the activity of central account keeper aims to enable said entities keeping central accounts for unlisted debt securities in accordance with provisions of the 2013 Law, and thus provide a wider range of services in the field of dematerialised securities, and issuers to use a number of the most important players in shaping the issuance of unlisted debt securities.

The Council of State was, however, of the opinion that the authors of the DLT Law are not following the logic behind the blockchain technology. One of the greatest advantages of the blockchain is that it eliminates the use of certain intermediaries, the function of monitoring and certifying a transaction that they provide being taken over by the elements composing the blockchain, which is likely to reduce transaction costs. The Council of State presumes that the authors of the DLT Law made a deliberate choice by limiting the scope of the DLT Law by not touching, in particular, on the role played by the central account holders in the process of issuing different types of securities.

iii AML

Money laundering rules always apply to cryptocurrencies and tokens. The 5th Anti-Money Laundering Directive (AMLD 5)20 also adds 'providers engaged in exchange services between virtual currencies and fiat currencies' and 'custodian wallet providers' as obliged entities.

In relation to regulated entities in Luxembourg, money laundering rules apply to natural or legal persons trading in goods (only to the extent that payments are made or received in cash in an amount of €10,000 or more, whether the transaction is executed in a single operation or in several operations that appear to be linked). Under these terms, they would fall within the scope of the 2004 Law.

iv Tax

In July 2018, the tax authorities issued a circular clarifying that they treat cryptocurrencies as an asset and not as a currency.21 The same should, in principle, apply to tokens purchased by a Luxembourg taxpayer. This means that the disposal of cryptocurrencies or tokens (including when used as means of payment) may in certain circumstances give rise to capital gains taxation. These assets will also form part of the net wealth tax base. As regards tokens issued by Luxembourg issuers, their features will be analysed to determine whether the tokens should qualify as debt or equity for Luxembourg tax purposes.

v Consumer protection

Under Luxembourg law, tokens may be offered to local residents from abroad. However, for such a legal action to be approved, it needs to be subject to Luxembourg consumer protection laws as well as money laundering law restrictions, as the case may be. In addition, if tokens were to be considered as securities, additional requirements would apply.

Other new business models

Under Luxembourg law, there are not any specific restrictions regarding the use of self-executing contracts. The following elements need to be met in respect of any contract:

  1. the consent of the party who binds himself or herself;
  2. his or her ability to sign the contract;
  3. a specific purpose or object for contracting; and
  4. a lawful cause.

Arbitration could be agreed upon in a contract (including a self-executing contract) between parties. However, consumers have the right to go to court and any clause prohibiting consumers from going to court would be considered as abusive under the Consumer Code and would be disapplied.

As far as mediation is concerned, a law of 24 February 2012 amended the Luxembourg Code of Civil Procedure to introduce mediation in civil and commercial matters. Any dispute in civil or commercial matters (with certain limited exceptions) may be settled via mediation, which can either be agreed between the parties or ordered by a court. Any contract may include a clause whereby the parties agree to use mediation to settle a dispute. Finally, the CSSF is competent for receiving complaints from customers of the entities subject to its supervision, and to act as an intermediary to seek an out-of-court resolution of these complaints.

Subject to specific legal requirements, a fully automated investment process is permitted.

Regarding third-party websites comparing products or providing information about financial products subject to regulation, data protection or competition rules, there is no particular law or regulation in Luxembourg governing comparison websites, and there is no particular definition of this activity. The specific activity of such a website would have to be considered on a case-by-case basis.

If the activity of the website goes beyond the mere comparison of products and disclosure of information and actually provides advice to potential clients, or puts potential clients in contact with credit institutions or professionals of the financial sector and allows them to purchase financial products or services, a licence may be required under the 1993 Law.

Generally speaking, where such a website is addressed to consumers, requirements of the Consumer Code may have to be complied with. In particular, unfair commercial practices, including in particular deceptive commercial practices (e.g., presenting false information) or aggressive commercial practices are prohibited. Assuming the comparison service is offered in exchange for remuneration, it may fall within the scope of the E-Commerce Law, and specific information requirements may apply. Finally, under the law of 23 December 2016 on, among other things, misleading and comparative advertisement, as amended, misleading advertisement is prohibited.

As far as competition is concerned, the law of 23 October 2011 on competition, as amended:

  1. imposes the free determination of the price of goods, products and services based on free competition;
  2. prohibits agreements between undertakings, decisions by associations of undertakings and concerted practices that prevent, restrict or distort competition and in particular, for instance, those which directly or indirectly fix purchase or selling prices; and
  3. prohibits abuses of dominant position, but does not include specific provisions for this activity.

Finally, to the extent the website offers a service to data subjects in the European Union and processes their data (e.g., by collecting data), Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) would have to be complied with.

Additionally, the law of 13 June 2017 on payment accounts (implementing directive 2014/92/EU) is articulated around three pillars:

  1. access to basic payment accounts;
  2. bank account switching; and
  3. transparency and comparability of payment account fees.

Intellectual property and data protection

Upon their creation, such business models and related software are automatically protected by copyright.

The company may develop a trademark under which it wishes to sell this product and register such trademark with the European Union Intellectual Property Office.

Once the software is developed, the fintech may also use i-DEPOT operated by the Benelux Office for Intellectual Property (BOIP), as it is a reliable means of proving the existence of an idea at a specific date, before other intellectual property rights, such as trademarks, are acquired.

The fintech will deposit the source code of the program with the BOIP, which keeps the iDEPOT for a period of five to 10 years. However, the iDEPOT does not give rise to an intellectual property right.

Patent protection is not available under the Luxembourg law on patents of 20 July 1992, as amended – software is excluded from patent protection.

Regarding intellectual property rights, unless the provisions of the employment contract are more favourable to the employee, the employer is normally the owner of the developed software or business model. In addition, in principle, no compensation is due.

i Data protection rules

When processing personal data, fintech companies must comply with:

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR); and
  2. the Luxembourg Law of 1 August 2018 on the organisation of the National Commission for Data Protection and implementing the GDPR.

Payment service providers shall only access, process and retain personal data necessary for the provision of their payment services with the explicit consent of the payment service user.

ii Secrecy rules

2009 Law

The members of the administrative, management and supervisory bodies, directors, employees and the other persons working for payment institutions and electronic money institutions must maintain secrecy of the information entrusted to them in the context of their professional activity. The disclosure of any such information is punishable by the sanctions laid down in Article 458 of the Luxembourg Criminal Code.

There are, however, some exceptions to the professional secrecy requirement, among others, where disclosure of information is required by the law or towards entities in charge of the provision of outsourced services.

1993 Law

Natural and legal persons, subject to prudential supervision of the CSSF pursuant to the 1993 Law or established in Luxembourg and subject to the supervision of the ECB or a foreign supervisory authority for the exercise of an activity referred to in the 1993 Law, as well as members of the management body, the directors, the employees and the other persons who work for these natural and legal persons shall maintain secrecy of the information entrusted to them in the context of their professional activity or their mandate. Disclosure of such information shall be punishable by the penalties laid down in Article 458 of the Criminal Code.

There are, however, some exceptions to the professional secrecy requirement, among others, where disclosure of information is required by the law or towards Luxembourg-based persons subject to the supervision of the CSSF, the ECB or the CAA, and who are subject to a secret obligation that is criminally sanctioned when the information disclosed to these persons is provided within a service contract.

There are special rules regarding profiling, which are detailed in the GDPR. They mainly concern the following data subject's rights:

  1. the right of being informed of the existence of profiling and the consequences of such profiling;
  2. the right to object to the processing of his or her personal data for the purposes of direct marketing, including profiling to the extent that it is related to such direct marketing; and
  3. the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her that is based solely on automated processing and that produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.

Year in review

The most relevant developments in the regulation and legal treatment affecting fintechs in Luxembourg are as follows.


The Law of 20 July 2018 implementing PSD II22 and amending the 2009 Law, which offers equivalent operating conditions to exiting (credit institutions) and new players (TPPs) and submits them to transparency and information requirements.

ii Circulation of securities

Please refer to 'circulation of securities' in Section V.

iii Issuance of securities

Please refer to 'issuance of securities' in Section V.

iv Anti-Money Laundering Directive IV

Implementation of the Anti-Money Laundering Directive IV23 includes:

  1. the Law of 13 February 2018, transposing the provisions on the professional obligations and the powers of the supervisory authorities as regards the fight against money laundering and terrorist financing and amending the 2004 Law;
  2. the Law of 13 January 2019, establishing a register of beneficial owners; and
  3. the Law of 10 July 2020 creating a register of fiducies and trusts.

v The Anti-Money Laundering Directive V (AMLD V)

One of the purposes of the AMLD V is to tackle the anonymity of virtual currencies, which may be subject to potential misuse for criminal purposes.

That is why the AMLD V now includes 'providers engaged in exchange services between virtual currencies'24 as well as 'custodian wallet providers'25 in the list of supervised entities subject to AMLD IV requirements.

The Law of 25 March 2020 establishing a central electronic data retrieval system related to International Bank Account Number (IBAN) accounts and safe deposit boxes implements AMLD V inserting a Section 3 on 'Specific provisions applicable to virtual asset service providers (VASPs)' in the 2004 Law.

VASPs are now required to be registered with the CSSF and to comply with the AML professional obligations.


'Virtual asset service provider' means any person who provides, on behalf of a client or on his or her behalf, one or more of the following services:

  1. exchange between virtual assets and fiat currencies, including the exchange between virtual currencies and fiat currencies;
  2. exchange between one or more forms of virtual assets;
  3. transfer of virtual assets;
  4. safekeeping or administration of virtual assets or instruments enabling control over virtual assets, including custodian wallet services; and
  5. participation in and provision of financial services related to an issuer's offer or sale of virtual assets.26

The definition of virtual asset service provider covers both legal and natural persons.

Virtual asset service providers established or providing services in Luxembourg must register in the register of virtual asset service providers established by the CSSF.

Registration requirements

The registration shall be subject to the condition that the persons who perform a management function within the virtual asset service providers and their beneficial owners provide the CSSF with the necessary information to justify their professional standing ('fit & proper').

Professional standing shall be assessed on the basis of criminal records and of any evidence demonstrating that the virtual asset service providers are of good repute and offer every guarantee of irreproachable business conduct. At least two persons must be responsible for the management of the virtual asset service provider and be entitled to effectively determine the policy of the business. These persons shall possess adequate professional experience.

Any change regarding the virtual asset service providers, their beneficial owners or the persons responsible for the management of the virtual asset service provider must be notified to the CSSF and approved by the CSSF beforehand. The CSSF shall oppose to the envisaged change if these persons do not have the adequate professional standing and, where applicable, the adequate professional experience.

The law of 25 February 202127 has amended the 2004 Law with the following purposes:

  1. specifying the information that must accompany any request for registration as a virtual asset service provider with the CSSF according to the intrinsic nature of the professional; thus, with a view to facilitating the reading of Article 7-1 of the 2004 law, a distinction was added in the context of the registration request between the information required from a requesting natural person and the information required from a requesting legal person; and
  2. clarifying the procedures for assessing the professional integrity and adequate professional experience of natural persons exercising the activity of provider of virtual asset services.

vi The eIDAS Regulation

The aims of the eIDAS Regulation28 are:

  1. to provide a legal framework for secure cross-border electronic transactions; and
  2. to create an internal market for electronic trust services.

The law of 17 July 2020 amending the E-Commerce Law, which entered into force on 1 August 2020 implements the eIDAS Regulation with respect to:

  1. definitions (electronic signature, qualified electronic signature, certified electronic signature, trust service providers, etc.);
  2. designation of the Luxembourg supervisory body and its powers (ILNAS: The Luxembourg Institute of Standardisation, Accreditation, Safety and Quality of Products and Services);
  3. administrative sanctions (administrative fines ranging from €250 to €15,000 may be imposed within the trust service provider's supervision (e.g., refusal to provide information to the ILNAS, obstacle to the exercise of the ILNAS supervision power, failure to comply with identification methods and minimum requirements, failure to transmit to the ILNAS the compliance assessment report) and when a natural or legal person uses the title of qualified trust service provider without being authorised to do so); and
  4. criminal sanctions:
    • fines ranging from €251 up to €25,000 (e.g., for those who offer qualified trust services without being registered on the trust lists);
    • fines ranging from €251 up to €25,000 with a term of imprisonment from eight days to six months or only one of these sentences (e.g., for any qualified trust service provider who has not complied with the prior information obligation, for any qualified trust service provider who has not complied with the requirements regarding the transfer of qualified certificates); and
    • fines ranging from €251 up to €500,000 with a term of imprisonment from eight days to five years or one of these sentences only (e.g., for any person who has not complied with the professional secrecy; for anyone who has not complied with the security incident reporting requirements).

vii EU Commission digital finance package

On 24 September 2020, the EU Commission adopted a digital finance package, including a digital finance strategy and the following proposals.

Legislative proposals on cryptoassets to draw on the possibilities offered by crypto-assets, while mitigating risks for investors and financial stability

  1. The Proposal for a Regulation of the European Parliament and of the Council on Markets in Cryptoassets and amending Directive (EU) 2019/1937; and
  2. the Proposal for a Regulation of the European Parliament and of the Council on a pilot regime for market infrastructures based on distributed ledger technology.

The EU Commission differentiates between those cryptoassets already governed by EU legislation, and other cryptoassets. The former will remain subject to existing legislation but the EU Commission proposes a pilot regime for market infrastructures that wish to try to trade and settle transactions in financial instruments in crypto-asset form. This should enable market participants and regulators to gain experience with the use of DLTs exchanges that would trade or record shares or bonds on the digital ledger.

For previously unregulated cryptoassets, including 'stablecoins', the EU Commission proposes a bespoke regime. The proposed regulation sets strict requirements for issuers of cryptoassets in Europe and crypto-asset service providers wishing to apply for an authorisation to provide their services in the single market. Safeguards include capital requirements, custody of assets, a mandatory complaint holder procedure available to investors, and rights of the investor against the issuer. Issuers of significant asset-backed cryptoassets would be subject to more stringent capital requirements, liquidity management and interoperability requirements.

Legislative proposal for an EU regulatory framework on digital operational resilience – prevent and mitigate cyber threats

  1. The Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014 and (EU) No. 909/2014; and
  2. the Proposal for a Directive of the European Parliament and of the Council amending Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and EU/2016/2341.

The ever-increasing dependency of the financial sector on software and digital processes means that information communication technologies (ICT) risks are inherent in finance. The EU Commission therefore proposes that all firms ensure they can withstand all types of ICT-related disruptions and threats. Banks, stock exchanges, clearing houses, as well as fintechs, will have to respect strict standards to prevent and limit the impact of ICT-related incidents. The EU Commission also sets an oversight framework on service providers (such as Big Techs) that provide cloud computing to financial institutions.

Outlook and conclusions

We expect Luxembourg to continue to attract fintechs and allow them to take advantage of Luxembourg's highly developed financial ecosystem, and the presence of leading industry players in e-commerce and e-payments, such as PayPal, Amazon and Rakuten or the first EU-licensed crypto-firm, Bitstamp. Luxembourg has also boosted its attractiveness to fintechs by providing a cloud-friendly framework and having the highest density of TIER4 data centres in Europe.

It is to be expected that after the legislator's recognition of blockchain technology, the next legislative moves will concern tokenisation (whether based on European positions or not) and the structures issuing or using tokens.


1 Anne-Marie Nicolas is a partner, Álvaro Garrido Mesa is a senior associate and Sandy Brumberg is a professional support lawyer at Loyens & Loeff Luxembourg Sàrl.

2 2015 CSSF Annual Report, p.81.

3 MiFID II refers to Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU.

4 Artificial Intelligence, CSSF White Paper, Opportunities, Risks and recommendations for the financial sector, December 2018. This document intends to provide some basic knowledge about artificial intelligence (AI) and describes the different types of AI and some practical use cases for the financial sector. Furthermore, the study covers the analysis of the main risks associated with AI technology and provides some key recommendations to take into account when implementing AI inside a business process.

5 CSSF Questions and Answers on how to obtain authorisation as PFS, as updated on 24 October 2018, Item 24 Which PFS can hold a 'European passport' and which services fall under this regime?, p.11.

6 Article 30(2) of the 1993 Law.

7 Article 31 of the 1993 Law.

8 Article 32(5) of the 1993 Law.

9 CSSF Circular 11/515, 4. b. Authorisation procedure and prerequisites, page 6.

10 Article 32(1) of the 1993 Law.

11 Regulation (EU) No. 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No. 648/2012.

12 LuxTrust is a public limited company that provides IT services, created and supported by state, institutional and private partners. Its mission is to guarantee the digital identity and security of the electronic data of companies and citizens. LuxTrust implements and integrates innovative, multi-application and customised solutions to secure the exchanges, online transactions, identity and electronic data of its customers. LuxTrust solutions provide everyone with a guarantee of being able to perform their online transactions in complete safety, to authenticate themselves in the most secure possible way to avoid identity theft. They guarantee the integrity of the data exchanged. They allow for signing electronic documents and even banking transactions.

13 CSSF Frequently asked questions on AML/CTF and IT requirements for specific customer on-boarding/know-your-customer methods, version of 8 March 2018.

14 Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European crowdfunding service providers for business, and amending Regulation (EU) 2017/1129 and Directive (EU) 2019/1937.

15 CSSF FAQ on Securitisation, What are the various possible forms of debt securitisation? p. 7.

16 AIFM Law means the Luxembourg law of 12 July 2013 on alternative investment fund managers.

17 CSSF FAQ on Securitisation, 19. What is the impact of the law of 12 July 2013 on alternative investment fund managers (the AIFM Law) on the securitisation undertakings within the meaning of the 2004 Law? p. 14.

18 Law of 1 March 2019 amending the law of 1 August 2001 on the circulation of securities, as amended.

19 See, Y Prussen, 'Le régime des titres et instruments fongibles', Droit bancaire et financier, ALJB, 2004, pp.1287–1318; S Conin, J Schaffner, 'Les titres et instruments financiers innommés : aspects juridiques et fiscaux', Droit bancaire et financier, ALJB, 2004, pp.1411–1465; M Brouillet-Mc Sorley, L-C Van Burik, 'Le cadre juridique des systèmes de règlement des opérations sur titres en droit luxembourgeois', Droit bancaire et financier, ALJB, 2004, pp.1377–1409; P Mousel, F Fayot, 'La circulation des titres', Droit bancaire et financier, ALJB, 2004, pp.1319–1376.

20 AMLD V means Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU.

21 Circular of the Tax Authorities' Director LIR No. 14/5–99/3–99 bis/3 on 'Virtual currencies' of 26 July 2018.

22 PSD II: Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market.

23 AMLD IV means Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.

24 'Virtual currencies' means a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically.

25 'Custodian wallet provider' means an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies.

26 Article 1 (20 quarter) of the 2004 Law.

27 The Law of 25 February 2021 amending: (1) (the 2004 Law); (2) the amended law of 20 April 1977 relating to gambling and betting relating to sports events (the Gambling Law); (3) the 2010 Law; (4) the law of 25 March 2020 establishing a central electronic data retrieval system concerning IBAN accounts and safes; and (5) the law of 10 July 2020 creating a register of fiducies and trusts.

28 eIDAS Regulation means Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

Get unlimited access to all The Law Reviews content