Virtual Asset Service Providers In Luxembourg: State of Play

VASPs In Luxembourg: Recap

VASPs were introduced into the Luxembourg legal framework on 25 March 2020 via the adoption of two distinct laws:

• The ‘First 2020 Law’ amending, amongst others, the law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the AML Law).
• The ‘Second 2020 Law’ (together with the First 2020 Law, the ‘2020 Laws’) establishing a central electronic data retrieval system related to IBAN accounts and safe-deposit boxes.

The First 2020 Law introduced the concepts of ‘virtual currency’, ‘virtual asset’ (VA), ‘virtual asset service provider’, ‘safekeeping or administration service provider’, and ‘custodian wallet service’ into the AML Law, whereas the Second 2020 Law introduced a new registration requirement for VASPs.

The adoption of the 2020 Laws followed the adoption of Directive (EU) 2018/843^[1] (AMLD 5). AMLD 5 amended Directive (EU) 2015/849^[2] (AMLD 4) and introduced certain provisions related to virtual asset services, including:

• A definition of ‘virtual currencies’.
• Two new ‘obliged entities’ (ie entities subject to AML/CFT regulation), being the ‘providers engaged in exchange services between virtual currencies and fiat currencies’ [3], and custodian wallet providers [4].
• A requirement for these new obliged entities to be registered in their Member States.

Whereas certain EU Member States transposed the Directive ‘as is’, ie only subjected providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers to AML/CFT obligations, Luxembourg went beyond the requirements of the Directive and used the transposition to introduce provisions matching the Financial Action Task Force (FATF) requirements stemming from the amendment to FATF’s Recommendation 15 in October 2018.[5] and the FATF’s updated guidance for a risk-based approach relating to VAs and VASPs, published on 28 October 2021.[6]

Luxembourg did not reflect the concepts used in AMLD 5, but instead introduced the concept of ‘virtual asset service provider’ which is defined (in alignment with the FATF) as “any person which provides, on behalf of or for its customer, one or more of the following services:

• The exchange between virtual assets and fiat currencies, including the service of exchange between virtual currencies and fiat currencies.
• The exchange between one or more forms of virtual assets.
• The transfer of virtual assets.
• The safekeeping or administration of virtual assets or instruments enabling control over virtual assets, including the custodian wallet service.
• The participation in and provision of financial services related to an issuer’s offer or sale of a virtual asset.”

One of the consequences of this approach is that the Luxembourg legal framework captures more market players than the Directive, and for instance, covers VA-to-VA exchanges, whereas the framework of other EU Member States does not.

Requirements Applicable To VASPs

VASPs are not currently subject to a licencing or authorisation obligation in the traditional sense, unless they are also subject to a different regulatory framework due to their activities (such as banks for example). They are instead subject to a registration requirement set out in AML/CFT legislation. [7] Registration should be obtained prior to providing VA services in Luxembourg.

VASPs must register with the Luxembourg Commission de Surveillance du Secteur Financier (CSSF). To do so, they must submit a registration request to the CSSF. Prior to the submission, the CSSF typically expects a preliminary meeting during which the prospective VASP presents its planned activities, in order to allow both the CSSF and the VASP to raise preliminary questions or concerns.

The submission consists of an application accompanied by relevant supporting documentation, including corporate documents, information on the management of the VASP and other key persons, information about the planned activities, and information about the VASP’s AML/CFT framework, IT systems, and any outsourcing arrangements. The submission is made electronically.

As the current registration obligation is mainly AML/CFT-driven, the applicants’ AML/CFT framework constitutes the core element assessed by the authorities. VASPs are ‘professionals’ within the meaning of AML/CFT legislation [8] (‘obliged entities’ according to the terminology of EU AML/CFT directives), and must therefore comply with AML/CFT-related professional obligations. They must:

• Perform a ML/TF risk assessment.
• Perform customer due diligence (CDD).
• Monitor transactions.
• Keep appropriate records.
• Cooperate with the competent authorities, notably the CSSF and the Financial Intelligence Unit (Cellule de renseignement financier).
• Ensure appropriate internal organisation, governance, and training for staff.

VASPs must also comply with governance requirements. At least two persons must be in charge of the VASP’s management, and those persons must have appropriate professional standing and experience. The submission of specific documents (including criminal records) is required. It is unclear how the CSSF would assess these requirements in relation to foreign entities, assuming foreign legislation does not require similar governance requirements.

The initial registration procedure is free, but VASPs providing services in Luxembourg and registered with the CSSF must pay an annual fee of EUR 15,000 (regardless of the type of VA service they provide).[9] Since the registration is mandatory, VASPs intending to provide services in Luxembourg must take this fee into account in their budget.

Entities regulated under other legal frameworks (eg banks, payment institutions, etc) may also offer virtual asset services, but should then register as VASPs in addition to their existing licence.

Foreign VASPs Captured By The Luxembourg Framework

In addition to VASPs established in Luxembourg, the AML Law requires registration for VASPs providing services in Luxembourg.^[10] Foreign entities can therefore be caught by the Luxembourg registration requirement if they provide services in Luxembourg. This applies to both EU and third-country entities as the current framework does not foresee an EU passporting regime.

The CSSF has, in the past, contacted foreign entities to ask them whether they fall within the scope of the VASP registration requirements and inform them about said requirements, in order to ensure compliance. Such contact can be initiated simply because the website of a given entity that would qualify as a VASP in Luxembourg – for instance, a crypto trading platform – is or was accessible from Luxembourg. Foreign entities contacted by the CSSF are typically required to take a position and either register with the CSSF or endeavour to no longer provide or offer virtual asset services in Luxembourg.

In August 2023, the CSSF published a Q&A on VASPs [11] in which it clarified the criteria it would consider to determine whether an entity provides VA services in Luxembourg. The CSSF assesses for instance whether the VASP:

• Has an active commercial approach/strategy to offer VA services to the Luxembourg market (by having, eg a dedicated section on its website for supporting Luxembourg customers, physically visiting prospects/customers, or organising or participating in events to establish a relationship with Luxembourg prospects and/or customers).
• Offers the VA services on a durable and continuous basis.
• Has a distribution network in Luxembourg and relies on intermediaries to seek customers.
• Has contact details in Luxembourg (eg dedicated phone lines).
• Has a presence in Luxembourg via an office.
• Has staff/representatives located in Luxembourg.
• Has part of its technological infrastructure (notably its servers) located in Luxembourg.[12]

Current VASPs In Luxembourg

As of the date of this publication, there are only 12 registered VASPs in Luxembourg. Eight of those are entities established in Luxembourg, whereas four are foreign entities (from France, Switzerland, and Ireland) providing services in Luxembourg. It is interesting to note that out of the eight Luxembourg VASPs, two are authorised as banks, two are authorised as payment institutions, and one is authorised as an electronic money institution. Only three entities are ‘pure’ VASPs, without any other regulated status. Most of the limited number of Luxembourg VASPs were therefore already heavily regulated and subject to strict AML/CFT obligations, and only three entities that were otherwise non-regulated have been registered as VASPs since the introduction of the registration requirement in March 2020 (the last one having been registered on 26 January 2024).

The limited number of VASPs may be due to several factors.

First, relevant entities may have done some jurisdiction-shopping given the fragmentation of the current framework between EU Member States and selected countries with a (perceived) more favourable framework for their activities. As a larger number of VA services is captured by the Luxembourg rules, market players may have chosen to set up shop in countries where they are not (yet) subject to AML/CFT or other regulatory requirements (this could be the case for VA-to-VA platforms for instance). Different authorisation or registration requirements, such as different levels of fees or approval timelines, may have played a role as well. In Luxembourg there is for example no legally defined assessment timeline for the CSSF to review registration files, meaning that the VASP registration process can be lengthy compared to jurisdictions where regulators are subject to a specific timeline to conduct their assessment.

Second, Luxembourg’s willingness to ensure market players are fully AML/CFT-compliant, especially considering the FATF visit to Luxembourg which took place in 2023, may have played a role as well. The CSSF would have been particularly careful in the review of applicants’ files to ensure strict compliance with applicable rules, and root out players lacking the willingness or operational maturity to comply.

Finally, market players may have considered the upcoming entry into force of Regulation (EU) 2023/1114 (MiCAR)[13], meaning relevant entities may have been reluctant to engage in the VASP authorisation process knowing that a more complex and comprehensive process would follow under MiCAR.

The Adoption Of MiCAR

The current VASP regime in Luxembourg (and its equivalents in other EU jurisdictions) will be replaced by the new regime introduced by MiCAR, which will apply as from 30 December 2024.

Under MiCAR, the concepts of ‘providers engaged in exchange services between virtual currencies and fiat currencies’ and ‘custodian wallet providers’ introduced by AMLD 5 will be replaced by a new single concept of ‘crypto-asset service providers’ (CASPs). CASPs are defined as “persons whose occupation or business is the provision of one or more crypto-asset services to third parties on a professional basis.”

The list of ‘crytpo-asset services’ is more detailed than the FATF list [14], and includes:

• The custody and administration of crypto-assets on behalf of third parties.
• The operation of a trading platform for crypto-assets.
• The exchange of crypto-assets for fiat currency that is legal tender.
• The exchange of crypto-assets for other crypto-assets.
• The execution of orders for crypto-assets on behalf of third parties.
• The placing of crypto-assets.
• The reception and transmission of orders for crypto-assets on behalf of third parties.
• The provision of advice on crypto-assets.

As this list will be harmonised across the EU, the current divide between EU Member States having transposed only the concepts of AMLD 5 and those – like Luxembourg – having taken a more conservative approach will disappear.

The registration requirement introduced by AMLD 5 will also be replaced as CASPs will be subject to an authorisation requirement, similar to the licencing process existing for other regulated entities.^[15] The authorisation and prudential requirements applicable to CASPs will be substantial; VASPs currently registered in Luxembourg, as well as prospective VASPs, should already prepare for the new regime.

On 20 July 2021, the Commission published a new AML/CFT Package, which includes amongst others (i) a proposal for a new AML/CFT regulation; (ii) a proposal for a 6^th AML/CFT Directive; and (iii) a proposal for a revised regulation on transfers of funds^[16] (which has in the meantime been adopted as Regulation (EU) 2023/1113[17]). CASPs will be ‘obliged entities’ under the new AML/CFT framework. Beyond the general overhaul of AML/CFT rules, the new AML/CFT Package will affect the operating model of certain CASPs. For instance, the anonymous functioning of certain platforms will be addressed by prohibiting CASPs from keeping anonymous accounts or anonymous crypto-asset wallets; owners and beneficiaries of such accounts and crypto-asset wallets will have to be subject to CDD measures before such accounts or wallets can be used.^[18]

Finally, it is interesting to note that MiCAR does not foresee a third-country regime, meaning that the provision of crypto-asset services in the EU by third-country providers is not currently envisaged, and that third-country providers or groups would need to establish a presence in the EU. A reverse solicitation regime, inspired by MiFID II[19], is however included in the Regulation.[20]

Transitional Period For VASPs

Article 143 of MiCAR states that CASPs that provided their services in accordance with applicable law before 30 December 2024 may continue to do so until 1 July 2026 or until they are granted or refused an authorisation, whichever is sooner. This means that VASPs registered in Luxembourg under the current provisions of the AML Law may in theory continue to provide their services until 1 July 2026, and should apply for a CASP authorisation in the meantime.

Note however that MiCAR gives Member States the option not to apply the transitional regime for CASPs or to reduce its duration if they consider that their national regulatory framework applicable before 30 December 2024 is less strict than MiCAR – which for Luxembourg is indeed the case.

Existing VASPs or entities currently seeking registration as a VASP should therefore already anticipate and prepare their application file for a CASP ‘conversion’, bearing in mind that authorisation as CASP requires the submission of an extensive application file that goes far beyond what is required for a VASP under the current regime. The information and documents to be provided for this purpose are yet to be defined through the adoption of RTS under MiCAR.

1 Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU.

2 Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, as amended.

3 This concept was not further defined in AMLD 5.

4 Defined as entities which provide services to safeguard private cryptographic keys on behalf of customers, to hold, store and transfer virtual currencies.

5 FATF (2012-2023), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, FATF, Paris, France, p. 17.

6 FATF (2021), Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, FATF, Paris, p. 22-24, para. 47-54.

7 Art. 7-1 AML Law.

8 Art. 2(1)(16) AML Law.

9 Grand-ducal Regulation of 23 December 2022 relating to the fees to be levied by the Commission de Surveillance du Secteur Financier, Article 1, paragraph XXVI.

10 Luxembourg law of 12 November 2004, op. cit., Art. 7-1(1).

11 CSSF, Frequently asked questions – Virtual Asset Service Providers, August 2023.

12 CSSF, op. cit., Question 3.

13 Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, as amended.

14 FATF (2021), op. cit., p. 22-24, para. 47-54.

15 MiCAR, Art. 59 et seq.

16 https://ec.europa.eu/commission/presscorner/detail/en/IP_21_3690

17 Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849.

18 Proposal for a Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, COM/2021/420/final, Art. 58(1).

19 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments, as amended.

20 MiCAR, Art. 61.

Adrien Pierre
Adrien specialises in the laws and regulations applicable to the financial services industry as well as prudential supervision requirements. He advises clients (including existing financial sector entities and persons intending to provide regulated financial services) on licensing, registration, and authorisation requests, general regulatory compliance, AML/CFT rules, and M&A transactions involving regulated entities.