Key takeways from ABBL/CSSF conference on Circular 26/906: what the new governance framework means for payment and e-money institutions

At a joint ABBL/CSSF workshop, members explored the practical implications of Circular 26/906 for payment and e-money institutions. The discussion highlighted a clear shift: governance is no longer just a compliance requirement, but a strategic foundation for trust, sound growth and operational resilience.

A timely discussion for Luxembourg’s payments sector

Bringing together ABBL members and the CSSF, the recent ABBL/CSSF workshop on Circular 26/906 provided a timely and practical discussion on central administration, internal governance and risk management for Payment Institutions (PIs) and Electronic Money Institutions (EMIs).

Opened by Sandrine Roux, Secretary General and Member of the Management Board at ABBL, and Galina Miroshnichenko, Senior Advisor, Payments & Digital at ABBL, the session highlighted both the increasing importance of the PI and EMI sector in Luxembourg and the need for a clear, pragmatic understanding of the regulator’s expectations. The ABBL speakers also underlined the association’s broader role as a platform for dialogue, expertise and advocacy across the financial sector, including a dedicated forum for PIs and EMIs created in 2025.

The workshop then welcomed Suzanne Weber, Deputy Head of Department, and Karen O’Sullivan, Head of Department, Innovation, Payments, Market Infrastructures and Governance at the CSSF, who presented the main requirements of the new circular and clarified the supervisory approach behind it.

Central administration in Luxembourg: substance must be demonstrable

A major theme of the workshop was the concept of central administration in Luxembourg, which remains a cornerstone of the supervisory framework.

The CSSF reiterated that central administration is not a theoretical notion. Institutions must be able to demonstrate that both their decision-making centre and their administrative centre are genuinely located in Luxembourg.

For the decision-making centre, this means that the running of the institution, including day-to-day operational management and the functioning of the management and supervisory bodies, must be anchored locally. While video meetings and written resolutions are part of modern business life, they cannot replace real substance where strategic governance is concerned.

For the administrative centre, the emphasis is on the institution’s ability to operate effectively from Luxembourg through an adequate local administrative, accounting, IT and organisational structure. Outsourcing remains possible, but cannot result in an “empty shell” model. Institutions must retain sufficient local capacity, control and understanding of the systems and processes on which they rely.

This point resonated strongly throughout the discussion. In today’s environment, the message is clear: substance matters, and it must be visible in governance arrangements, documentation and operational reality.

Governance as a strategic enabler

Another strong takeaway from the workshop was the way governance should be understood by institutions themselves.

The CSSF presentation made clear that internal governance is not about producing documents for their own sake. It is about ensuring sound and prudent management, clear accountability, proper oversight and the capacity to make informed, consistent decisions over time.

The interaction between the supervisory body and the management body was a central focus. The supervisory body is responsible for setting the institution’s strategic direction and governance framework, while the management body is responsible for implementing that framework on a day-to-day basis. This requires not only clear roles, but also regular reporting, review and challenge.

Participants were reminded that governance frameworks must include a range of guiding principles and strategies beyond the usual business and risk strategy. These include, for example, principles relating to safeguarding, central administration, conflicts of interest, organisational structure, succession planning, and communication and marketing.

This is where governance becomes a real competitive advantage. In a fast-moving sector, institutions that are clear on responsibilities, well documented, and capable of making decisions within a robust framework are also better placed to scale sustainably.

Proportionality does not reduce responsibility

The concept of proportionality received particular attention during the workshop, as it is often one of the most discussed aspects of governance requirements for PIs and EMIs.

The CSSF clarified that proportionality is not a way to dilute expectations. Rather, it is a way to adapt governance arrangements to the nature, scale and complexity of the institution. Smaller or less complex players may not need the same structures as larger or more sophisticated ones, but all institutions are expected to understand their risks, document their framework and ensure effective oversight.

This distinction is important. Proportionality does not mean simplification for its own sake. It means relevance, without compromising on accountability.

That logic also applies to the composition and functioning of governance bodies. The CSSF reiterated expectations around individual and collective fitness, sufficient staffing, continuity, documentation of meetings and succession planning. Minimum numbers alone are not enough. Institutions must assess whether their governance bodies are truly adequate for their business model and risk profile.

Internal control functions and the three lines of defence

The workshop also gave significant attention to internal control functions, notably compliance, risk control and internal audit.

Here too, the CSSF stressed continuity with established governance principles, while clarifying certain expectations. Internal control functions must be permanent, properly staffed and able to operate with sufficient independence, including independence of mind.

One important clarification concerned the three lines of defence model, which is now explicitly reflected in the framework. The CSSF also underlined that the heads of internal control functions should be appointed by the management body, with appropriate involvement at supervisory level.

Particular emphasis was placed on the compliance function. Given the growing breadth and complexity of applicable rules, the CSSF made clear that compliance should be treated as a fully dedicated function, except in duly justified and specifically validated circumstances.

On the risk side, the discussion highlighted an important distinction: even where an institution does not have an independent risk control function because of proportionality, it must still have a proper risk management framework. Understanding, assessing, managing and documenting risk is a requirement for all.

Safeguarding of funds as a core governance priority

If one topic stood out as especially important, it was safeguarding of funds.

The CSSF devoted particular attention to this area, reflecting its central importance for customer protection and for confidence in the payments ecosystem. The slide presentation explicitly underlined that safeguarding is about customer protection and trust in PI/EMI activities.

The workshop made clear that safeguarding cannot be treated as a narrow operational issue. It must be embedded in the institution’s governance and internal control framework.

Several operational expectations were emphasised.

Institutions must be able to identify clearly and continuously which funds are to be safeguarded. They must maintain reliable internal control arrangements, ensure appropriate management information reaches both the management and supervisory bodies, and establish effective reconciliation procedures. The importance of daily reconciliation was stressed repeatedly, especially in light of the speed and volume of payment flows. The CSSF also encouraged the use of appropriate IT-based tools to support these controls.

Another important point concerned accountability. One member of the management body should have clear responsibility for the oversight and monitoring of the internal control processes linked to safeguarding. Access to safeguarding accounts and related accounting entries must remain under strict local control.

For institutions using insurance, investment solutions or more complex safeguarding arrangements, the message was equally clear: contractual arrangements, investment policies and related controls must be robust, explicit and fully aligned with regulatory requirements.

Organisational structure, conflicts of interest and innovation governance

Beyond core governance and safeguarding requirements, the CSSF also addressed several other important dimensions of internal control.

Institutions are expected to understand and justify their organisational structure, including the use of branches, agents and other distribution models, and to monitor the risks that stem from that structure on an ongoing basis.

Similarly, the management of conflicts of interest must be properly documented and operationalised. The existence of conflicts is not, in itself, exceptional. What matters is the institution’s ability to identify them, escalate them, record them and mitigate them effectively, including at the level of management and supervisory bodies where relevant.

The circular also introduces clearer expectations around new product approval processes. In a sector shaped by innovation and rapid business development, institutions must have a documented framework to assess whether they are able to understand, monitor and control the risks linked to new products, services, systems, markets or customer segments before these are launched.

A strong guiding principle for customer communication and marketing is necessary to ensure full transparency by clearly outlining in client-facing documentation which services are provided by the PIs/EMIs, distinguishing them from those of banks, and explicitly describing any limitations when providing specific credit facilities to avoid confusion and set accurate expectations.

Innovation is welcome, but it must be matched by the ability to govern it responsibly.

ABBL’s role in supporting the ecosystem

The discussions also highlighted the continued importance of collective engagement across the Luxembourg ecosystem.

For ABBL, the workshop reflected a broader mission: to serve not only as a representative voice, but also as a forum for discussion, knowledge sharing and practical coordination between institutions, advisers and authorities.

This is particularly relevant in the payments space, where the sector is evolving rapidly and where institutions face a combination of regulatory, operational and technological challenges. ABBL’s dedicated forum for PIs and EMIs, together with its broader payments-related working groups, provides a structured environment for members to exchange on implementation questions, emerging priorities and advocacy needs.

The workshop itself illustrated the value of this approach. By bringing together PIs, EMIs, consultants, legal advisers and the CSSF in the same room, it created the conditions for a more focused and constructive discussion, grounded in both supervisory expectations and practical realities.