On 20 January 2026 the CSSF published Circular 26/906¹ on central administration, internal governance and risk management applicable to payment institutions (PI) and electronic money institutions (EMI). The Circular is the most consequential governance instrument the CSSF has issued for the payments sector in a decade — it deliberately aligns Luxembourg-authorised PI and EMI governance to bank-equivalent standards, importing the architecture of CSSF Circular 12/552 (the banking governance circular) into the payments perimeter.

The Circular applies from 30 June 2026. That deadline is the binding date — every PI, EMI and account information service provider authorised in Luxembourg must demonstrate compliance from that date forward, with an annual statement signed by every member of the management body confirming adherence. The supervisory cycle that lands after 30 June is the first cycle in which the Circular is enforceable, and the CSSF has signalled it will be inspected for, not aspired to.

The May 2026 inspection cycle has already produced the first signal. An unnamed Luxembourg-authorised EMI received an administrative fine for AML programme deficiencies — deficiencies that map directly onto the AML-depth requirements the new Circular codifies. This article codifies what we call the CSSF Circular 26/906 governance pivot: the four governance areas where the CSSF aligned Luxembourg PI / EMI governance to bank-equivalent standards, what each area now demands, and what an authorised firm should ship before its next supervisory cycle.

What CSSF Circular 26/906 actually does

For most of the last decade, Luxembourg-authorised PIs and EMIs operated under a governance regime materially lighter than the one applied to credit institutions. The framework rested on the Law of 10 November 2009 (the EMD2/PSD2 transposition), Circular CSSF 12/552 applied to credit institutions only, and a patchwork of CSSF FAQs and on-site inspection findings. The result was a structural asymmetry: an EMI safeguarding hundreds of millions of customer funds was governed under a thinner rulebook than a bank holding equivalent deposits.

Circular 26/906 closes that gap. It is a single, consolidated governance and risk-management framework that the CSSF has explicitly modelled on the bank-equivalent regime. The asymmetry is gone — and so is the assumption that EMI / PI governance can be a lighter-touch derivative of bank governance.

Five structural shifts run through the Circular:

  • Substance bar lifted — the central administration, registered office, decision-making centre and administrative centre must be physically located in Luxembourg. Members of the management body are expected to be permanently on site.

  • Board ownership over governance — quarterly minimum board cadence, majority of meetings on site at the registered office, and an annual signed compliance statement from every member of the management body.

  • Internal-audit function elevated — independent, resourced, with a direct reporting line to the supervisory body and an audit plan calibrated to risk, not to revenue.

  • ICAAP-equivalent capital adequacy — a forward-looking internal capital adequacy assessment that demonstrates the firm holds capital commensurate with the risks it actually carries, not merely the EMD2 €350,000 floor.

  • AML programme depth — bank-grade AML governance, not the operational compliance overlay that has historically been tolerated at smaller payments firms.

The Circular is, in effect, the moment Luxembourg payments supervision stopped being a junior cousin to banking supervision and became its near-equivalent.

The strategic context matters. The CSSF has watched the Luxembourg EMI / PI population grow rapidly through the MiCA, PSD2 and EMD2 cycle, and has watched the supervisory exposure grow with it. A handful of Luxembourg-authorised EMIs now safeguard customer-fund balances comparable to mid-tier credit institutions, run customer bases spread across more than a dozen EEA states, and depend on cross-border outsourcing chains that touch DORA, AMLR and Travel Rule perimeters simultaneously. The pre-2026 governance rulebook was not built for that scale. Circular 26/906 is the supervisor's structural answer.

The Circular also sits adjacent to the EBA's broader push to harmonise governance expectations across the EEA payments sector. Where Lithuania and Ireland have moved earlier through supervisory practice rather than instrument-level codification, Luxembourg has now produced the codified version. Practitioners should expect other EEA NCAs to converge on the same substance over the next 18–24 months, even where the codification path differs.

The four governance areas that changed

Four areas carry the regulatory weight of the Circular. They are the areas where a Luxembourg-authorised PI or EMI is now expected to demonstrate bank-equivalent substance, not payments-grade approximation. Read each as a standing inspection question.

(a) Board composition

Under the Circular the supervisory body — the board, the management body, and (where required) the executive committee — must be composed of individuals whose collective profile matches the firm's risk profile. Independence, diversity, sectoral expertise, and time commitment all become tested elements rather than declarative ones. The board must meet on a quarterly minimum cadence, and the CSSF expects a majority of meetings to be held on site in Luxembourg with a majority of members physically present.

The practical consequence is structural. A board that meets once or twice a year by video link, dominated by group-affiliated directors with no on-the-ground Luxembourg presence, is no longer compatible with the Circular. Many EMIs that historically used Luxembourg as a regulatory address rather than an operational seat will need genuine board-level relocation, additional independent directors, and a rebuilt meeting cadence.

(b) Internal-audit function

The internal-audit function changes shape. Under the historic regime, internal audit at smaller EMIs was often a contracted service that produced a thin annual report. The Circular requires a function that is organisationally independent of the operational lines it reviews, adequately resourced relative to the firm's risk surface, directly accessible to the supervisory body without management filtering, and operating off a risk-based audit plan approved by the supervisory body annually.

The substance bar maps onto the bank standard: a structurally independent audit charter, an audit universe that covers every material activity at a defined frequency, escalation routes to the supervisory body, and follow-through on findings. Outsourced internal audit remains permissible — but the contracting firm and the outsourced provider both bear responsibility, and the contract must satisfy Circular CSSF 22/806 outsourcing requirements as amended.

(c) ICAAP-equivalent capital adequacy

This is the area that most surprises EMI / PI founders. The historic capital question for an EMI was binary: meet the €350,000 EMD2 minimum plus the 2% of average outstanding e-money own-funds requirement, and the prudential question is closed. The Circular reframes this. It introduces an ICAAP-equivalent capital adequacy assessment — a forward-looking, internal, board-approved demonstration that the firm holds capital commensurate with the risks it actually carries.

The reference is explicitly the Internal Capital Adequacy Assessment Process applied to credit institutions — adapted for the EMI / PI risk profile but no longer a regulatory minimum bolted on at year-end. The assessment must be refreshed at least annually, stress-tested, owned by the management body, and capable of supporting CSSF challenge during inspection. Firms that have run for years on the EMD2 floor will, in many cases, find the ICAAP-equivalent calculation pushes the prudential capital expectation above the EMD2 floor.

(d) AML programme depth

The AML programme is the area where the CSSF has shown its hand fastest. The May 2026 first inspection cycle — the first under the new Circular — produced an administrative fine on an unnamed Luxembourg-authorised EMI for AML programme deficiencies, recorded on the CSSF sanctions register². The Circular requires AML governance at bank-equivalent depth: a board-approved AML risk appetite, an MLRO with direct supervisory-body access, transaction-monitoring rules calibrated to the firm's actual customer profile, and an AML audit cycle integrated into the internal-audit plan.

Operational AML — KYC vendor selection, sanctions screening configuration, alert-handling SLAs — sits beneath the governance overlay, not in place of it. A firm that has invested heavily in tooling but lightly in board-level AML ownership is now structurally exposed.

Pre-Circular vs post-Circular EMI / PI governance comparison.

| Governance dimension | Pre-Circular regime | Post-Circular 26/906 regime |
|---|---|---|
| Substance / location | Registered office in Luxembourg; operational centre often offshored | Central administration, decision-making and management body permanently on site in Luxembourg |
| Board cadence | No prescribed minimum; often 2 meetings per year by video | Quarterly minimum; majority of meetings on site with majority of members physically present |
| Internal audit | Often outsourced thin annual report | Independent, resourced, board-accessible, risk-based annual plan |
| Capital adequacy | EMD2 floor (€350k) + 2% outstanding e-money method | ICAAP-equivalent forward-looking assessment, stress-tested, board-owned |
| AML programme | Operational compliance overlay | Bank-equivalent governance with board-approved risk appetite and integrated audit |
| Annual confirmation | No standing requirement | Annual statement signed by every member of the management body |

The May 2026 enforcement signal

The administrative fine issued in May 2026 against an unnamed Luxembourg-authorised EMI is the most important data point for any practitioner reading the Circular today. It is not a transition-period warning. The CSSF has explicitly used the first inspection cycle landing under Circular 26/906 to demonstrate that the new framework is enforceable, and that the AML programme depth area is the first to be tested.

Three lessons follow:

  • AML deficiencies are the leading-edge inspection finding. Where a firm's posture is weakest at the AML governance layer, the CSSF will land first.

  • Transition tolerance is shorter than expected. The Circular formally applies from 30 June 2026, but the May enforcement action signals the supervisor is willing to act on pre-existing deficiencies that the Circular has now codified.

  • Public sanctions register exposure is now real. A CSSF fine appears on the public sanctions register and travels through correspondent-banking diligence within weeks. The reputational cost compounds the supervisory cost.

What an EMI / PI under Luxembourg authorisation should ship before its next supervisory cycle

The remediation work splits across the four governance areas. None of it can be left to the inspection itself — the Circular is constructed around demonstrable, documented, ex-ante compliance. The list below is the practitioner's pre-inspection checklist.

Board composition

  • Refresh the board skills matrix against the firm's actual risk profile; identify gaps in independence, payments-sector expertise, AML expertise, and IT / DORA expertise.

  • Move to a quarterly board cadence with documented agenda and minute templates that show substantive risk-management discussion, not procedural sign-off.

  • Document the on-site presence of management body members in Luxembourg; if presence is genuinely thin, plan and execute relocation before 30 June 2026.

  • Draft and adopt the annual board-signed compliance statement template now, so that the first cycle is procedurally ready.

Internal audit

  • Formalise the internal-audit charter, the reporting line to the supervisory body, and the audit universe.

  • Build a risk-based annual audit plan covering safeguarding, AML, IT / DORA, outsourcing, capital adequacy, and conduct.

  • Where internal audit is outsourced, refresh the contract against Circular CSSF 22/806 (as amended by 25/883) and document the supervisory-body-level oversight of the provider.

ICAAP-equivalent capital

  • Build the firm's first ICAAP-equivalent assessment: identify material risks, quantify them, run forward-looking and stress scenarios, document the methodology.

  • Reconcile the ICAAP-equivalent capital number against the EMD2 floor and the 2%-of-outstanding-e-money method; budget for the highest of the three.

  • Have the supervisory body formally approve the assessment annually; minute the discussion.

AML programme depth

  • Refresh the firm-wide AML risk assessment against the actual customer base, geographies, and product mix.

  • Adopt a board-approved AML risk appetite statement; align transaction-monitoring rule thresholds to it.

  • Run a structured AML audit using a third-party reviewer; cover governance, KYC, transaction monitoring, screening, SAR, training, and outsourcing.

  • Confirm the MLRO has documented direct access to the supervisory body and that escalation routes are functioning.

Remediation roadmap by governance area — what to ship before the next supervisory cycle.

| Area | Highest-priority workstream | Owner | Realistic effort |
|---|---|---|---|
| Board composition | Skills-matrix refresh + on-site presence audit + annual signed statement template | Chair / Company Secretary | 6–10 weeks |
| Internal audit | Charter + risk-based audit plan + outsourcing contract refresh | Audit Committee Chair | 8–12 weeks |
| ICAAP-equivalent capital | First full assessment, board-approved, stress-tested | CFO + Head of Risk | 12–16 weeks |
| AML programme depth | Risk-assessment refresh + board-approved appetite + third-party AML audit | MLRO + Head of Compliance | 10–14 weeks |

Implications for cross-border firms with Luxembourg as one of multiple authorisations

Many firms hold Luxembourg authorisation alongside other EEA EMI / PI licences — a Lithuanian EMI plus a Luxembourg EMI, or a German PI plus a Luxembourg PI. Both EMD2³ and PSD2⁴ are minimum-harmonisation directives, leaving member states wide latitude on governance. The Circular widens the gap between Luxembourg and lighter-touch EEA jurisdictions — and that gap is structural, not transitional.

For multi-licensed groups, three implications follow.

  • Group governance cannot collapse to the lightest-touch jurisdiction. Luxembourg's substance bar pulls the floor up. A group operating model that runs Luxembourg as a thin passporting shell will fail the on-site presence test.

  • Internal-audit and ICAAP-equivalent functions need Luxembourg-specific outputs. Group-level audit reports and group ICAAP files are not sufficient — the CSSF expects entity-level evidence.

  • The Luxembourg licence becomes the binding constraint on the group's payments-sector governance design. Where a group has built around lighter EEA standards, the Luxembourg subsidiary will require a meaningful upward step — and the cost of running it will rise materially.

Some groups will conclude the Luxembourg licence is no longer worth the post-Circular cost envelope. Others will conclude that Luxembourg's bank-equivalent governance signal is precisely what their institutional client base wants. Both are defensible — what is not defensible is running a Luxembourg licence at the pre-Circular substance level after 30 June 2026.

Frequently Asked Questions

When does CSSF Circular 26/906 enter into force?

The Circular was published on 20 January 2026 and applies from 30 June 2026. Every Luxembourg-authorised PI, EMI and account information service provider must demonstrate compliance from that date forward, with an annual statement signed by every member of the management body. The May 2026 enforcement signal indicates that the supervisor will not extend the transition window in practice.

Does the Circular apply to AISPs and small-payments-service providers?

Yes, with proportionality. Account information service providers are treated as payment institutions for the purposes of the Circular, and the principle of proportionality applies — but the four governance areas remain the inspection lens. A small AISP cannot opt out of the framework; it can only calibrate the depth of each component to its risk profile, and that calibration is itself a documentable decision.

How does the Circular interact with DORA?

DORA imposes a parallel ICT and operational resilience layer. Circular 26/906 sits across DORA — the supervisory body's accountability for ICT risk, the integration of ICT in the internal-audit plan, and the inclusion of ICT-driven scenarios in the ICAAP-equivalent assessment all flow from the Circular. Firms running DORA implementation independently of governance refresh are duplicating work and missing the integration point the CSSF expects to see.

What does the Circular mean for outsourced internal audit?

Outsourcing remains permitted, but the firm retains full accountability and the contract must satisfy CSSF Circular 22/806 (as amended by 25/883). The firm's audit committee or supervisory body must demonstrate ongoing oversight of the provider, the audit plan must be approved at firm level, and the provider's findings must reach the supervisory body without management filtering. Thin annual outsourced reports will not survive an inspection under the new framework.

How should a firm sequence the remediation work?

Start with AML programme depth — that is where the May 2026 enforcement signal landed and where the supervisor is currently most active. Run board composition and internal audit in parallel; both have shorter cycles and produce visible artefacts the supervisor can inspect quickly. Sequence the ICAAP-equivalent assessment last only if the firm's capital position is comfortably above the EMD2 floor; otherwise, run it in parallel with AML.

CSSF Circular 26/906 is the moment Luxembourg payments supervision became the near-equivalent of banking supervision. The four governance areas — board composition, internal audit, ICAAP-equivalent capital, AML programme depth — are now the standing inspection lens, and the May 2026 enforcement signal shows the supervisor is willing to act immediately. Firms that ship the remediation work before the next supervisory cycle preserve their licence and their correspondent-banking relationships; firms that wait will find that the public sanctions register travels through diligence faster than the remediation plan can be built.

Footnotes & Citations

  1. CSSF — New Circular CSSF 26/906 'Central administration, internal governance and risk management' applicable to payment and electronic money institutions, published 20 January 2026.

  2. CSSF — Sanctions and Administrative Measures, public register of fines and warnings issued by the supervisory authority.

  3. Directive 2009/110/EC of the European Parliament and of the Council on the taking up, pursuit and prudential supervision of the business of electronic money institutions (EMD2), OJ L 267, 10.10.2009.

  4. Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market (PSD2), OJ L 337, 23.12.2015.
