CSSF Circular 18/698
In Luxembourg’s evolving regulatory landscape, the annual review under CSSF Circular 18/698 is more than a box-ticking exercise - it’s a vital opportunity for investment firms and other financial sector professionals to reinforce their compliance framework.
Whether you’re refining your monitoring plan, aligning policies with the latest regulations, or enhancing governance practices, this guide is designed to support your efforts.
A Practical Checklist for Compliance Officers
As the regulatory landscape continues to evolve, the annual review required under CSSF Circular 18/698 remains a cornerstone of the compliance function for all investment firms, UCIs, and other professionals of the financial sector (PSFs) in Luxembourg. Yet, for many compliance officers, navigating this process can feel like a maze - especially when balancing operational responsibilities with strategic oversight.
Here's a practical checklist to guide your annual review and help ensure that your compliance framework remains both robust and adaptive.
Governance and role clarity
Confirm that responsibilities and reporting lines of the Compliance Function are documented and up to date.
Review and update the mandate of the Compliance Officer (“Responsable du Contrôle de la Conformité”).
Ensure that the independence and effectiveness of the Compliance Function are preserved and clearly demonstrated.
Review of internal policies and procedures
Reassess key policies (e.g. AML/KYC, Market Abuse, Conflicts of Interest, MiFID) for relevance and completeness.
Ensure procedures reflect recent regulatory updates and any changes to the business model.
Cross-check alignment with other functions (e.g. Risk, Internal Audit, Legal).
Risk-based monitoring activities
Document all compliance controls carried out during the year.
Identify any gaps or weaknesses, along with the corresponding remediation actions.
Assess the adequacy of risk scoring methodologies applied to clients and services.
Reporting and escalation
Confirm that internal reporting to senior management and the Board occurred in a timely and comprehensive manner.
Ensure all regulatory filings and notifications were submitted correctly and on time.
Record any incidents, breaches, or alerts, including how they were resolved.
Staff training and awareness
Review attendance records and the content of compliance training delivered.
Identify needs for refresher or thematic training.
Confirm that outsourced staff and third-party service providers received adequate compliance orientation.
Follow-up on CSSF communications and circulars
Verify that all CSSF circulars, newsletters, and FAQs from the past year have been reviewed and assessed for impact.
Implement or schedule any necessary updates to internal policies or procedures.
Action plan for the coming year
Draft a compliance monitoring plan for the upcoming year, using insights from this review.
Prioritize high-risk areas and upcoming regulatory developments (e.g. DORA, CSRD, AML package).
Set SMART objectives and define measurable KPIs for the Compliance Function.
How can Osmia Consulting help you?
At Osmia Consulting, we work closely with compliance professionals to ensure these obligations are not only met, but transformed into value-added processes.
The annual review is not just a regulatory formality - it’s a strategic opportunity to strengthen your compliance culture, anticipate regulatory risks, and demonstrate governance maturity.
A Culture of compliance
We’re proud to present our tailored Governance Support Services for financial institutions and professionals in Luxembourg. From board structuring to precise minute-taking and committee support, we help ensure that every level of your governance framework is both compliant and impactful.
Supporting effective governance at every level
At Osmia Consulting, we understand that strong governance is the cornerstone of a resilient and compliant organization. Beyond regulatory expectations, it’s about building trust, ensuring transparency, and enabling sound decision-making at the highest level.
We offer tailored governance support services designed to assist financial institutions and professionals in Luxembourg in running their boards efficiently and effectively.
Our governance services include:
Board organization and structuring
We design and implement governance frameworks that not only meet regulatory standards but drive best practice across your organization.
Preparation and coordination of board meetings
From scheduling to agenda setting, we orchestrate board meetings that are timely, sharply focused, and result-driven.
Creation of board packs
Clear, complete, and compliant – we deliver concise, actionable board packs that empower directors to make confident decisions.
Minute taking and drafting of board meeting minutes
We produce precise, audit-ready minutes that reflect both regulatory compliance and strong governance.
Support for committees (Audit, Risk, Remuneration, etc.)
We uphold the same level of excellence and compliance in all committee-related documentation and processes.
Action log follow-up
Once actions are decided, we maintain a detailed action log to ensure proper follow-up on all actions requested by the board.
How can Osmia Consulting help you?
We combine deep regulatory expertise with hands-on experience. We work closely with our clients to tailor solutions that are practical and fully aligned with CSSF expectations.
Partner with Osmia to elevate your governance so your board can focus on what matters most: steering the organization toward long-term success.
Contact us to find out how we can support your governance needs.
DORA
Are You Ready for the New Digital Resilience Era? The Digital Operational Resilience Act (DORA) is reshaping how financial entities approach cybersecurity, ICT risk management, and resilience testing.
Compliance is no longer optional - it’s a strategic imperative.
Ensure your compliance with DORA – The Digital Operational Resilience Act
DORA: what is it?
The Digital Operational Resilience Act (DORA) introduces a harmonized framework to enhance the cyber resilience of financial institutions across the EU. It establishes stringent requirements to mitigate ICT risks and ensure operational continuity. From 17 January 2025, financial institutions must comply with strict obligations covering ICT risk management, incident reporting, resilience testing, and third-party risk oversight.
Is your firm prepared?
DORA establishes mandatory requirements for banks, investment firms, asset managers, and other financial entities to enhance their digital resilience and mitigate systemic risks. Achieving compliance demands a structured approach, including risk governance, continuous monitoring and a robust incident response strategy.
What do you need to perform?
DORA requires the implementation of a tailored compliance framework:
DORA readiness assessment - identify compliance gaps and define a compliance roadmap
ICT risk management implementation - develop robust policies and frameworks to mitigate cyber threats
Incident response and reporting support - ensure full compliance with DORA’s strict incident reporting rules
Third-party risk management - continuously assess and monitor ICT service providers to mitigate outsourcing risks
Resilience testing and training - conduct scenario-based resilience testing and train staff to handle cyber threats effectively
How can Osmia Consulting help you?
At Osmia Consulting, we specialise in regulatory compliance and operational resilience. Our experts provide strategic guidance to help you navigate DORA complexities and implement a tailored, effective compliance framework.
Avoid the Risk of Non-Compliance!
Non-compliance with DORA can lead to hefty financial penalties and reputational damage.
Osmia Consulting helps ensure your firm is resilient, secure and fully compliant.
Contact us today to discuss how we can assist with your DORA compliance journey.
Act now: the DORA compliance log must be submitted to the CSSF by April 2025 - make sure your firm is prepared!
Avoiding Compliance Pitfalls Under CSSF Circular 18/698
Regulatory compliance in Luxembourg’s financial sector is becoming increasingly complex, and staying ahead of CSSF Circular 18/698 requirements is essential. At Osmia Consulting, we provide expert guidance and innovative solutions to help financial institutions streamline their compliance processes with confidence.
Want to ensure your organization is fully aligned with regulatory expectations? Discover how our tailored compliance services can support your business.
Is your firm prepared?
Regulatory scrutiny in Luxembourg continues to intensify, and financial institutions must stay proactive to meet the requirements of CSSF Circular 18/698. Failing to do so can result in significant consequences, including sanctions, reputational damage, and operational disruptions. But how confident are you that your firm is ready?
Here are some of the most common pitfalls that financial institutions encounter:
Incomplete or outdated compliance frameworks - are your policies regularly reviewed and aligned with the latest regulatory expectations?
Insufficient or disorganized documentation - can you provide clear, consistent, and readily accessible records to regulators when requested?
Weak conflict of interest management - do you have robust controls in place to identify, assess, and mitigate risks effectively?
Inadequate compliance monitoring - are you tracking obligations systematically, or are you still relying on inefficient manual processes?
Ensuring compliance isn't just about ticking boxes - it's about safeguarding your firm's reputation and operational resilience.
How can Osmia Consulting help you?
Compliance Framework Assessment: Identify gaps and align processes with CSSF Circular 18/698.
Internal Audits & Reviews: Stay audit-ready with independent compliance checks.
Tailored Training Programs: Equip your teams with the latest compliance best practices.
Stay ahead of regulatory challenges
Partner with Osmia Consulting to build a Resilient Compliance Framework that protects your company. Contact us today to learn more about how we can support your compliance needs and help you stay confidently ahead of regulatory requirements.
Responsable du Contrôle (RC) & Responsable du Respect (RR)
Are you looking for a reliable and experienced Responsable du Contrôle (RC) to ensure your organisation meets all regulatory standards? As a consultant specializing in RC roles, Osmia Consulting provides expert oversight to help you achieve compliance, efficiency, and excellence in your projects.
Key Role of « RC » in the Luxembourg Compliance Framework
What is an RC?
In the Luxembourg compliance framework, "RC" stands for "Responsable du Contrôle de la conformité en matière de lutte contre le blanchiment d’argent", which can be translated as "Person Responsible for Control" of compliance with regard to anti-money laundering.
The RC plays a key role in the Luxembourg compliance framework and is often required in regulated entities such as financial institutions, investment funds, and service providers under the supervision of the Commission de Surveillance du Secteur Financier (CSSF) or other regulatory bodies.
The RC’s main responsibilities are to oversee the entity's compliance with Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) laws and regulations in the financial sector, and to ensure that robust controls are in place.
The RC also has specific reporting duties to regulators, the board of directors, and management board, serving as the primary contact for regulators, especially for AML/CFT-related matters.
When and why might one require an RC?
Entities under the supervision of the CSSF or other regulatory authorities, such as the CAA (Commissariat aux Assurances) or the AED (Administration de l’Enregistrement, des Domaines et de la TVA), must appoint an RC.
These entities typically include:
Investment Funds (UCITS and AIFs including RAIFs)
Management Companies (ManCos) and Alternative Investment Fund Managers (AIFM)
Banks and Credit Institutions
Electronic Money Institutions (EMIs) and Payment Institutions (PIs)
Professionals of the Financial Sector (PSFs)
Insurance and Reinsurance Undertakings
Some Special Purpose Vehicles (SPVs), such as securitisation vehicles, in specific cases
Unregulated structures, such as holding companies (SOPARFIs), do not generally require an RC unless their activities fall under AML/CFT obligations.
What are the primary distinctions and the relationship between the role of RC and other risk/compliance positions?
RR (Responsable du Respect des obligations professionnelles en matière de lutte contre le blanchiment - Person Responsible for Respect/compliance)
The RC is responsible for implementing a robust compliance framework with regard to Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT), while the RR ensures that the entity complies with laws, regulations, and professional standards on the same topics. In other words, the RR's role is to implement preventive measures and to ensure employee compliance with regulatory obligations, while the RC focuses on oversight and control.
The RC and RR roles are distinct but complementary. They work together to ensure regulatory compliance through a holistic structure.
CCO (Chief Compliance Officer)
The Compliance Officer is a broader, non-specific role responsible for an organization's overall compliance framework across multiple regulatory domains. In smaller organizations, the RC and the Compliance Officer roles might be held by the same person. In larger organizations, the RC is typically a distinct role within the compliance function.
The CCO conducts monitoring activities, ensures that employees follow compliance policies, and prepares reports. In doing so, the CCO supports both the RC and the RR by managing day-to-day compliance tasks.
Internal Audit
Often referred to as the “third line of defence”, internal audit provides an independent and critical evaluation of the compliance framework and risk management processes in place, distinct from the RC and RR and other internal control functions.
Board of directors/managers
The board bears the ultimate responsibility for ensuring that the organization complies with all regulatory and legal requirements.
Who can be RC?
Unlike the RR, which may be a committee (such as the board itself), the RC must be an individual. An RC must possess the following qualities:
✓ Relevant experience and understanding, particularly in the areas of compliance and the financial sector.
✓ Independence and authority to execute their duties effectively.
✓ Sufficient time and resources to fulfil their responsibilities.
The appointment of an RC in the financial sector typically requires the CSSF’s approval.
Given that only entities with complex activities require a full-time RC, most RC roles are part-time. Outsourcing to external experts is therefore a viable option, as it provides access to the necessary expertise and experience without the need for permanent recruitment.
How can Osmia Consulting help you?
With extensive experience in Luxembourg’s regulatory landscape, Osmia Consulting offers a diverse pool of candidates who can act as your company’s RC, ensuring efficient and expert management of your compliance requirements.
AML & KYC - GAP Analysis
The latest European regulations and directives on anti-money laundering (AML) not only gave birth to a new European authority in the matter (AMLA) but also brought a wave of legal and regulatory texts carrying new requirements.
Ensuring adherence to anti-money laundering and counter-terrorism financing regulations, commonly referred to as AML/FT, is a critical aspect of your day-to-day responsibilities.
Sanctions for regulatory or legal infractions include warnings, public statements, suspension or revocation of your authorization, as well as fines.
Who is impacted?
✓ Financial professionals subject to CSSF supervision, such as Management Companies, AIFMs, credit institutions, SIFs, UCITS, SICARs, payment institutions, central administrators ...
✓ Financial professionals subject to AED supervision such as RAIF
✓ Insurance undertakings licensed or authorized to exercise their activities in Luxembourg as well as the professionals of the insurance sector
✓ Family offices
✓ Other professionals (mainly accountants, real estate agents, notaries, lawyers)
What are the main obligations?
✓ Perform an AML risk assessment
✓ Perform a country risk assessment
✓ Carry out customer due diligence (on investors and counterparties)
✓ Implement policies and procedures
✓ Report suspicious activities
✓ Receive regular training
How can Osmia Consulting assist you?
Assess your AML-KYC risk by conducting a gap analysis
Train your teams on AML-KYC topics
Stay informed about any new regulatory and legal developments
Keep your policies and procedures up-to-date
Organize your due diligence efficiently
RC – RR – find your MLRO or responsible officer
RCS - New requirement
LNIN - Luxembourg National Identification Number
Don't wait any longer. LNIN applications are in progress for all companies registered with the Luxembourg RCS. We can help you meet your obligations.
Luxembourg National Identification Number
As of 12 November 2024, all natural persons who are already or will be registered in the Luxembourg Trade and Companies Register (RCS) must provide their Luxembourg National Identification Number (LNIN). If they do not have an LNIN, they must obtain one.
The LNIN, also known as the 'matricule number' or the 'CNS number', is a unique identifier for natural persons. It is automatically assigned to Luxembourg residents and Luxembourg workers.
Who is impacted by this?
All natural persons registered with the RCS, in any capacity: shareholders, partners, directors, managers, representatives and auditors.
What are the obligations of natural persons who do not have an LNIN yet?
Fill in a specific filing form on the RCS portal by communicating:
First names; Last name; Date, place and country of birth; Gender; Nationality; Private home address (number, street, postal code, locality, country); Supporting documents such as ID documents and proof of private address, everything translated into English or one of the national languages.
What are the obligations of natural persons in possession of an LNIN?
Fill in a specific filing form on the RCS portal for this purpose, allowing the communication of the LNIN.
What is the impact of non-compliance?
Inability to finalize filing procedures with the RCS, whether or not they relate to a natural person (e.g. filing of annual accounts).
How can Osmia Consulting help you?
Conduct a gap analysis to evaluate your impact
Fill in the required forms
Keep your LNIN request up-to-date