Circular CSSF 26/906 compiles corporate governance rules applicable to payment and electronic money institutions
On 20 January 2026, the Commission de Surveillance du Secteur Financier (CSSF) released Circular CSSF 26/906 on central administration, internal governance and risk management of payment institutions and electronic money institutions, including account information service providers (the “Entities”).
Circular CSSF 26/906 compiles the corporate governance rules applicable to the Entities, with a view to strengthening their sound and prudent management in the context of significant growth driven by multiple factors and characterised by increased transaction volumes and values. In fact, according to the amended law of 10 November 2009 on payment services, the Entities are required to have in place robust internal governance arrangements, effective processes to identify, manage, monitor and report risks as well as adequate internal control mechanisms.
Circular CSSF 26/906 sets out rules on central administration, internal governance and risk arrangements of the Entities, including, inter alia:
- responsibilities, composition, qualification, organisation and functioning of the supervisory and the management bodies,
- the administrative, accounting and IT organisation, bearing in mind, however, that Circular CSSF 26/906 does not cover the information and communication technology (ICT) risk management, the notification of major incidents, remuneration or outsourcing, which are each covered by separate circulars,
- internal controls encompassing (i) operational controls, (ii) responsibilities, characteristics and organisation of the compliance function, (iii) the risk control and (iv) the internal audit function,
- specific requirements on (i) the organisational structure, (ii) the management of conflicts of interest and (iii) the new product approval process,
- safeguarding requirements of funds, notably through (i) segregation accounts or (ii) insurance or other types of guarantees,
- legal reporting regarding (i) the annual assessment of the ICT and security risks, (ii) the annual attestation of compliance with the requirements of Circular CSSF 26/906 issued and signed by all members of the management body, and (iii) summary reports from the compliance and internal audit functions.
Circulars IML 95/120 on central administration, IML 96/126 on administrative and accounting organisation, IML 98/143 on internal control and CSSF 04/155 on the compliance function are repealed for the Entities. Circular CSSF 11/510 on circulars applicable to payment institutions as regards central administration and infrastructure and Circular CSSF 11/520 on circulars applicable to electronic money institutions as regards central administration and infrastructure will be amended.
The CSSF requires the Entities to align their central administration, internal governance and risk management framework with the provisions of Circular CSSF 26/906 before 30 June 2026.
Should you have any questions on the above, please do not hesitate to contact one of the experts in our regulatory team.