The Luxembourg Registration Duties, Estates and VAT Authority has issued a significant regulatory update through Circular 792 quater to refine the standards for customer identification and identity verification. This directive applies to all professionals under the agency’s supervision, mandating stricter adherence to the modified Law of 12 November 2004 concerning the fight against money laundering and terrorist financing. The update specifically addresses the evolving landscape of digital finance and the necessity for clear, verifiable documentation for both natural persons and legal structures. By modernizing these requirements, the Grand Duchy aims to strengthen its financial defense mechanisms and ensure that all supervised entities maintain a high level of transparency. Professionals are now required to prove the effectiveness of their verification methods, shifting the burden of compliance evidence directly onto the service providers.
Table of Contents
Enhanced Customer Due Diligence Protocols
The updated circular establishes a rigorous framework for identifying natural persons, requiring professionals to collect and verify data through reliable and independent sources. Every individual client must be identified using official government documents, which primarily include valid identity cards or passports. These documents must contain a clear photograph, the client’s signature, and remain within their expiration period to be considered valid for compliance purposes. The regulator emphasizes that the identification process is not a mere formality but a foundational pillar of financial security that prevents the infiltration of illicit actors into the legal economy. To ensure total clarity during audits, the professional must ensure that all provided identification is intelligible and decipherable. In cases where foreign documents are utilized, the professional must be prepared to provide a formal translation into English or one of the official languages of Luxembourg within two weeks if requested by the supervisory authority. This specific requirement eliminates the potential for linguistic ambiguity to hide fraudulent activities or mismatched identities during regulatory reviews.
The transition toward these Enhanced Customer Due Diligence Protocols signifies a move away from passive document collection toward active verification. Professionals must now assess whether the documents provided truly represent the individual based on a risk-based approach that considers the geographical and personal background of the client. If a client is onboarded remotely, the professional is encouraged to utilize electronic identification means or trust services as outlined in European Union Regulation 910/2014. These digital tools must be recognized or approved by national authorities to ensure they provide a level of security equivalent to physical, face-to-face verification. The directive makes it clear that while technology facilitates the process, it does not absolve the professional of their ultimate responsibility to ensure the accuracy of the data. Every piece of information gathered must be cross-referenced against independent databases or official sources to confirm its legitimacy before a business relationship is officially established.
Specific Requirements for Corporate and Legal Entities
When dealing with legal persons or complex legal constructions, the identification requirements become significantly more granular to prevent the use of shell companies. Professionals are mandated to gather comprehensive details, including the official name, legal form, and the registered office address of the entity. Furthermore, if the principal place of business differs from the registered office, both addresses must be recorded to provide a complete picture of the entity’s physical presence. The identification process must also extend to the legal representatives, directors, and any individuals who have the power to legally bind the company in business transactions. This ensures that the human elements behind the corporate veil are fully identified and vetted according to the same standards applied to natural persons. The circular also requires the collection of the most recent coordinated articles of association and an up-to-date excerpt from the commercial register to verify the legal standing of the client.
A critical component of this updated regulation is the mandatory requirement for an organizational chart that illustrates the ownership and control structure of the client. This chart must be detailed enough to allow the professional to identify the ultimate beneficial owners who exercise significant influence or control over the legal person. By requiring this visualization of ownership, the Luxembourg authorities aim to increase transparency and make it more difficult for individuals to hide their financial interests behind layers of corporate subsidiaries. All collected documents, whether in paper or electronic format, must be stored securely and remain accessible for inspection by the relevant authorities. The professional is tasked with ensuring that this information is not only collected at the start of the relationship but is also subjected to continuous monitoring. If the corporate structure changes or new directors are appointed, the professional must update their files immediately to reflect these developments, maintaining an accurate and current risk profile for every corporate client.
Integration of Digital Standards and Risk Management
The 2026 update acknowledges the rapid advancement of financial technology by formalizing the use of secure, electronic, or remote identification processes. These modern methods are acceptable provided they are regulated and accepted by the national authorities, ensuring that the convenience of digital onboarding does not come at the cost of security. Professionals must integrate these digital standards into their internal risk management frameworks, ensuring that the level of vigilance applied is always proportionate to the identified risks. The circular clarifies that verification is a distinct process from authentication, with the latter being a more formal procedure usually reserved for cases requiring enhanced vigilance. This distinction is vital for professionals to understand when designing their internal controls and deciding which technology providers to partner with for identity verification services.
The burden of proof regarding the adequacy of identity verification rests entirely on the professional, who must be able to justify the methods used based on their prior risk analysis. This means that if a digital verification tool fails to detect a sophisticated forgery, the professional must demonstrate that they exercised due diligence and followed all regulatory guidelines. The use of trust services and electronic signatures adds a layer of non-repudiation to the onboarding process, making it harder for clients to claim their identity was stolen or misused. As the financial sector moves toward a more interconnected and digital future, these regulations provide a necessary anchor, ensuring that the same high standards of transparency apply across all channels. Professionals are encouraged to stay informed about technological updates and regulatory shifts to ensure their systems remain compliant with both national and European standards.
Ensuring Systemic Integrity Through Ongoing Monitoring
The final pillar of the updated circular is the requirement for continuous vigilance throughout the life of the business relationship. Identification and verification are not one-time events but are part of a broader cycle of risk management that must be performed as long as the account remains active. Professionals are required to regularly review the information they hold on their clients to ensure it remains relevant and accurate in light of new information or changes in the client’s behavior. This ongoing monitoring allows for the detection of unusual patterns that may indicate a change in the client’s risk profile or potential involvement in illicit activities. The frequency and depth of these reviews are determined by the risk-based approach, with higher-risk clients requiring more frequent and intensive scrutiny.
This proactive stance by the Luxembourg authorities ensures that the financial system remains resilient against the evolving tactics of financial criminals. By mandating a consistent and thorough approach to identity verification, the regulator protects the reputation of the Grand Duchy as a secure and transparent financial hub. The circular emphasizes that compliance is not just about following a checklist but about understanding the underlying risks and taking appropriate measures to mitigate them. As professionals implement these new requirements, they contribute to a culture of integrity that benefits the entire financial ecosystem. The integration of these rules into daily operations requires clear internal policies, regular staff training, and robust technical systems that can handle the complexities of modern identity verification.
Key Points
- Professionals must perform identity verification for all physical and legal persons prior to establishing a business relationship.
- Physical persons must present valid government documents with a photo and signature, with translations provided upon request.
- Legal entities must provide detailed ownership charts and identify all directors and individuals with binding power.
- All identification and verification processes must be documented and justified through a documented risk-based approach.
Related Links
- Registration Duties Estates and VAT Authority Financial Crime Portal
- Official Portal of the Grand Duchy of Luxembourg for AML CFT Laws
- FATF International Standards on Combating Money Laundering
- European Commission Rules on eIDAS and Trust Services
- Luxembourg Financial Sector Supervisory Commission AML Guidelines
Other FinCrime Central Articles About Luxembourg
- CSSF, the Luxembourg Regulator, Fines Rakuten Europe Bank for AML Failures
- KPMG and Finologee Alliance Targets Money Laundering in Luxembourg
- Luxembourg Banks Choose LuxHub as VoP Provider for Secure Credit Transfers
Source: LUX GOV (PDF)
Some of FinCrime Central’s articles may have been enriched or edited with the help of AI tools. It may contain unintentional errors.
Want to promote your brand, or need some help selecting the right solution or the right advisory firm? Email us at info@fincrimecentral.com; we probably have the right contact for you.
