De-Risking Practices: Manage ML/FT Risk Without Blanket Exclusions

According to the Commission de Surveillance du Secteur Financier (“CSSF”), de-risking practices do not validate blanket onboarding refusals, i.e., automatic and category-wide refusals made without an individual assessment of the specific customer or relationship. In its communication of 16 June 2026, the CSSF states that money laundering and terrorist financing (“ML/FT”) risks must be managed effectively. They must not be avoided mechanically.

The must-know point is simple: a higher ML/FT risk does not, by itself, justify excluding an entire category of clients, products or services. A general exclusion is acceptable only where applicable law or regulation expressly requires it, including the amended Law of 12 November 2004 on the fight against money laundering and terrorist financing or CSSF Regulation No 12-02 of 14 December 2012.

Three key points:

  • (i) Luxembourg banks must assess the customer risk profile on a case-by-case basis. Higher risk requires enhanced controls, not automatic refusal.
  • (ii) The CSSF distinguishes rare supervisory de-risking from a commercial exit strategy. A profitability-driven withdrawal is a business-model decision. It is not the same as non-compliance with rules on ML/FT risk management.
  • (iii) Fund-sector actors subject to ML/FT risk-management obligations should read the same message as an evidencing requirement. The acceptance, refusal or exit decision must be documented, proportionate and consistent with Circular CSSF 23/842 on ML/FT risk factors.

Practical implication: the file should show the information requested, the alternative measures considered, the residual-risk assessment and the precise reason for the decision.

Watch next: Article 21(4) of Regulation (EU) 2024/1624 of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing requires joint guidelines from the Anti-Money Laundering Authority and the European Banking Authority by 10 July 2027 on business relationships most affected by de-risking practices.

Connect with Bertrand Mariaux on LinkedIn. You can listen to the related podcast on ApplePodcast, Spotify, YouTube, or wherever you get your podcasts.

References:

CSSF, De-risking Practices and ML/FT Risk Management, 16 June 2026 (https://www.cssf.lu/en/2026/06/de-risking-practices-and-ml-ft-risk-management/)

Legilux, amended Law of 12 November 2004 on the fight against money laundering and terrorist financing (https://legilux.public.lu/eli/etat/leg/loi/2004/11/12/n1/consolide/20250210)

CSSF, CSSF Regulation No 12-02 of 14 December 2012 (https://www.cssf.lu/en/Document/cssf-regulation-n12-02-2/)

CSSF, Circular CSSF 23/842 (https://www.cssf.lu/en/Document/circular-cssf-23-842/)

EUR-Lex, Regulation (EU) 2024/1624 of 31 May 2024 (https://eur-lex.europa.eu/eli/reg/2024/1624/oj/eng)
