In Luxembourg’s financial and corporate landscape, delegation has become the norm: portfolio management, distribution, central administration … Almost everything can be delegated - everything - except responsibility.

The CSSF keeps repeating it: the delegation does not remove your duty to supervise. Yet, in practice, supervision is still too often the exception. At Osmia Consulting, we help stakeholders turn this regulatory obligation into a true governance asset, strengthening one of the most critical pillars of long-term success.

What the CSSF Really Expects

• Due diligence
  A thorough preliminary review of delegates, including initial due diligence, assessment of specific risks, and approval by the relevant governing bodies.

• Contracts
  A clear contractual framework defining access rights, reporting commitments, and transparencyobligations.

• Monitoring
  A documented monitoring system, including the analysis of periodic reports, formalized meetings, and systematic follow-up on corrective actions.

Common Weaknesses

• Passive or absence of monitoring
  Receiving a report is not supervision. The report must be reviewed, questioned, and followed by concrete action.

• Vague roles and responsibilities
  Who supervises what? The Board, the RR, the RC? Too many structures lack a clear allocation of responsibilities.

• Lack of concrete evidence
  The CSSF is not only interested in what is done, but in what can be demonstrated and documented.

How to Strengthen Supervision

• Formalize monitoring committees, with agendas, minutes, and clear action plans.

• Define key indicators - such as KPIs, incidents, and contractual compliance - tailored to each type of delegation.

• Act proactively: don’t wait for the annual report to respond. Implement alerts, hold quarterly meetings, and conduct targeted site visits when necessary.

Supervision is not about ticking boxes. It requires an active, critical, and ongoing approach.
Osmia Consulting helps its clients shift from a model of blind trust to one of enlightened, proportionate, and demonstrable supervision.

How can Osmia Consulting help you?

We combine deep regulatory expertise with hands-on experience.
Working in close partnership with our clients, we tailor practical, effective solutions that are fully aligned with CSSF expectations - and that work in practice, not just on paper.

Partner with Osmia Consulting to elevate your governance so your board can focus on what matters most: steering the organization toward long-term success. Contact us to find out how we can support your governance needs.

Promises, Limits, and Best Practices

"Automation" is everywhere in every compliance agenda in 2025. And for good reason: regulatory complexity has reach a level where manual management is no longer viable.

However, with so many “miracle” tools and poorly adapted solutions on the market, it can be difficult to identify what truly fits your needs. At Osmia Consulting, we believe automation should empower and enhance your control framework, never replace your professional expertise.

The Promises of Automation
Automation brings genuine benefits, including:

• Greater efficiency in compliance controls

• Fewer human errors and more reliable audit trails

• Enhanced traceability and auditability

• Reduced long-term operating costs

• Improved resource allocation - freeing teams from repetitive tasks to focus on higher value added activities

The Limits of Automation

However, automation is not a cure-all, it:

• Requires significant initial and ongoing investment

• Demands strong change management and buy-in from your teams

• Necessitates ongoing adaptation of processes and documentation

• Carries the risk of excessive reliance on technology, sometimes at the expense of regulatory understanding

Best Practices Observed Among Our Clients

• Begin with a thorough assessment of existing processes before automating: what are the real pain points?

• Choose modular, scalable tools, that are appropriate for the organization’s size and regulatory obligations.

• Involve control functions early in the configuration process, to avoid building unnecessary bureaucracy.

• Support change management with clear updated procedures and targeted team training.

How can Osmia Consulting help you ?

With extensive experience in Luxembourg’s regulatory landscape, we offer deep compliance expertise, ensuring efficient and expert management of your compliance requirements. By working together with IT specialists, we enable our customers to take their compliance controls to the next level through automation.

Automation is not an end in itself. When thoughtfully implemented, it allows control functions to become strategic again-focusing on analysis rather than just data gathering. That’s the approach Osmia Consulting promotes, with simple, practical solutions that are truly adopted by teams.

Depuis qu’elle a été appliquée, la Circulaire CSSF 18/698 est devenue une référence incontournable dans la gestion des sociétés de gestion d’actifs au Grand-Duché du Luxembourg.

Pourtant, en 2025, certains problèmes récurrents persistent. En tant que société de conseil travaillant sur le terrain, Osmia Consulting identifie régulièrement les mêmes lacunes, qui pourraient souvent être évitées.

1. Confusion des fonctions de contrôle
Les rôles de MLRO, RR et RC sont parfois mal compris ou mal attribués. Une même personne peut cumuler plusieurs fonctions, mais cela suppose une rigueur dans la formalisation des responsabilités, la disponibilité et la compétence. Trop de structures ignorent encore les seuils d’incompatibilité prévus par la réglementation.

2. Documentation de gouvernance insuffisante
Les politiques existent, mais leur mise à jour est négligée. Plus préoccupant encore : certaines ne sont pas pleinement approuvées par le Conseil d’administration ou ne reflètent pas fidèlement l’activité réelle. La CSSF sanctionne désormais ces manquements, même en l’absence de mauvaise foi, conformément à ses exigences en matière de gouvernance.

3. Supervision insuffisante des délégataires
La supervision des fonctions déléguées (notamment en matière de gestion ou de distribution) est souvent réduite à une formalité administrative. Or, une délégation ne dispense jamais de la responsabilité légale et réglementaire. L'absence de rapports formels ou de KPI clairement définis constitue un indicateur de risque majeur qui doit être traité en conséquence.

4. Revues de conformité trop génériques
Une revue annuelle fondée sur un modèle générique ne permet pas de répondre aux exigences d’une approche véritablement fondée sur les risques. La CSSF attend une analyse ciblée, proportionnée à l'activité réelle de la société et intégrant ses risques inhérents.

5. Manque de déclenchement d’une revue externe en temps opportun
Le recours à une revue externe du dispositif de contrôle n’est pas toujours considéré avec le sérieux requis, même lorsque les circonstances l’imposent. Pourtant, cet exercice constitue un levier essentiel pour renforcer la crédibilité et la robustesse de l’organisation.

Comment Osmia Consulting peut-elle vous aider ?

Forte d'une vaste expérience dans le paysage réglementaire luxembourgeois, Osmia Consulting met à votre disposition un vivier diversifié de professionnels qui peuvent agir en tant que RC, administrateur indépendant ou consultant de votre entreprise, garantissant ainsi une gestion experte et efficace de vos obligations de conformité.

Faites de la conformité un levier de professionnalisation plutôt qu’un simple exercice défensif.
Osmia Consulting accompagne ses clients dans cette démarche, en mettant l’accent sur la proportionnalité, la traçabilité et l’efficacité.

Three trends to watch

As we approach mid-2025, EU financial regulation is entering a new phase : more integrated, more digital, and more demanding. At Osmia Consulting, we’re keeping a close eye on the shifts that will shape the compliance landscape for years to come.

Here are three regulatory trends we believe will have the biggest impact on Luxembourg’s financial sector:

1. Digital Operational Resilience Act (DORA) : From Framework to Enforcement
DORA is no longer a theoretical framework : it is now an operational reality. Firms must now demonstrate not only cyber resilience but also robust ICT third-party risk management.

Regulatory scrutiny will move from paper policies to real, tested digital resilience.

2. ESG: From Voluntary to Verified
With the Corporate Sustainability Reporting Directive (CSRD) and European Sustainability Reporting Standards (ESRS) taking hold, ESG is shifting from aspirational to accountable. Firms will require robust internal control frameworks, validated data, and clearly traceable audit trails to meet regulatory expectations.

3. Supervisory convergence in the EU
The European Supervisory Authorities (ESAs) are increasingly harmonizing supervision across Member States. For Luxembourg firms, this means local compliance must now align with a more coordinated EU-wide standard. National specificities still matter, but pan-European consistency has become the new benchmark.

What are the implications for compliance officers, legal teams, and executive management?

Greater cross-functional collaboration. Increased automation. A more strategic approach to compliance.
At Osmia, we believe that anticipating these trends - rather than merely reacting to them - is essential to achieving sustainable compliance and effective risk management.

How can Osmia Consulting Help you ?

With extensive experience in Luxembourg’s regulatory landscape, Osmia Consulting offers advice and support, ensuring efficiency and expert handling of your compliance requirements.

We’d be delighted to discuss how your firm can turn regulatory change into a competitive advantage.

A Practical Checklist for Compliance Officers

As the regulatory landscape continues to evolve, the annual review required under CSSF Circular 18/698 remains a cornerstone of the compliance function for all investment firms, UCIs, and other professionals of the financial sector (PSFs) in Luxembourg. Yet, for many compliance officers, navigating this process can feel like a maze - especially when balancing operational responsibilities with strategic oversight.

Here's a practical checklist to guide your annual review and help ensure that your compliance framework remains both robust and adaptive.

Governance and role clarity

• Confirm that responsibilities and reporting lines of the Compliance Function are documented and up to date.

• Review and update the mandate of the Compliance Officer (“Responsable du Contrôle de la Conformité”).

• Ensure that the independence and effectiveness of the Compliance Function are preserved and clearly demonstrated.

Review of internal policies and procedures

• Reassess key policies (e.g. AML/KYC, Market Abuse, Conflicts of Interest, MiFID) for relevance and completeness.

• Ensure procedures reflect recent regulatory updates and any changes to the business model.

• Cross-check alignment with other functions (e.g. Risk, Internal Audit, Legal).

Risk-based monitoring activities

• Document all compliance controls carried out during the year.

• Identify any gaps or weaknesses, along with the corresponding remediation actions.

• Assess the adequacy of risk scoring methodologies applied to clients and services.

Reporting and escalation

• Confirm that internal reporting to senior management and the Board occurred in a timely and comprehensive manner.

• Ensure all regulatory filings and notifications were submitted correctly and on time.

• Record any incidents, breaches, or alerts, including how they were resolved.

Staff training and awareness

• Review attendance records and the content of compliance training delivered.

• Identify the needs for refreshers or thematic training.

• Confirm that outsourced staff and third-party service providers received adequate compliance orientation.

Follow-up on CSSF communications and circulars

• Verify that all CSSF circulars, newsletters, and FAQs from the past year have been reviewed and assessed for impact.

• Implement or schedule any necessary updates to internal policies or procedures.

Action plan for the coming year

• Draught a compliance monitoring plan for the upcoming year, using insights from this review.

• Prioritize high-risk areas and upcoming regulatory developments (e.g. DORA, CSRD, AML package).

• Set SMART objectives and define measurable KPIs for the Compliance Function.

How can Osmia Consulting help you ?

At Osmia Consulting, we work closely with compliance professionals to ensure these obligations are not only met, but transformed into value-added processes.

The annual review is not just a regulatory formality - it’s a strategic opportunity to strengthen your compliance culture, anticipate regulatory risks, and demonstrate governance maturity.

Supporting effective governance at every level

At Osmia Consulting, we understand that strong governance is the cornerstone of a resilient and compliant organization. Beyond regulatory expectations, it’s about building trust, ensuring transparency, and enabling sound decision-making at the highest level.

We offer tailored governance support services designed to assist financial institutions and professionals in Luxembourg in running their boards efficiently and effectively.

Our governance services include:

• Board organization and structuring
  We design and implement governance frameworks that not only meet regulatory standards but drive best practice across your organization.

• Preparation and coordination of board meetings
  From scheduling to agenda setting, we orchestrate board meetings that are timely, sharply focused, and result-driven.

• Creation of board packs
  Clear, complete, and compliant – we deliver clear, concise, and actionable board packs that empower directors to make confident decisions.

• Minute taking and drafting of board meeting minutes
  We produce precise, audit-ready minutes that reflect both regulatory compliance and strong governance.

• Support for committees (Audit, Risk, Remuneration, etc.)
  We uphold the same level of excellence and compliance in all committee-related documentation and processes.

• Action log follow-up
  Once actions are decided, we maintain a detailed action log to ensure proper follow-up on all actions suggested by the board.

How can Osmia Consulting help you ?

We combine deep regulatory expertise with hands-on experience. We work closely with our clients to tailor solutions that are practical and fully aligned with CSSF expectations.

Partner with Osmia to elevate your governance so your board can focus on what matters most: steering the organization toward long-term success.

Contact us to find out how we can support your governance needs.

Ensure your compliance with DORA – The Digital Operational Resilience Act

Dora: what is it?
The Digital Operational Resilience Act (DORA) introduces a harmonized framework to enhance the cyber resilience of financial institutions across the EU. It establishes stringent requirements to mitigate ICT risks and ensure operational continuity. From 17 January 2025, financial institutions must comply with strict obligations covering ICT risk management, incident reporting, resilience testing, and third-party risk oversight.

Is your firm prepared?
DORA establishes mandatory requirements for banks, investment firms, asset managers, and other financial entities to enhance their digital resilience and mitigate systemic risks. Achieving compliance demands a structured approach, including risk governance, continuous monitoring and a robust incident response strategy.

What do you need to perform?
DORA requires the implementation of a tailored compliance framework:

• DORA readiness assessment - identify compliance gaps and define a compliance roadmap

• ICT Risk Management implementation - develop robust policies and frameworks to mitigate cyber threats

• Incident Response & Reporting support - Ensure full compliance with DORA’s strict incident reporting rules

• Third-Party Risk Management - Continuously assess and monitor ICT service providers to mitigate outsourcing risks

• Resilience Testing & Training - Conduct scenario-based resilience testing and train staff to handle cyber threats effectively

How can Osmia Consulting help you ?

At Osmia Consulting, we specialise in regulatory compliance and operational resilience. Our experts provide strategic guidance to help you navigate DORA complexities and implement a tailored, effective compliance framework.

Avoid the Risk of Non-Compliance!

Non-compliance with DORA can lead to hefty financial penalties and reputational damage.
Osmia Consulting helps ensure your firm is resilient, secure and fully compliant.

Contact us today to discuss how we can assist with your DORA compliance journey.

Act Now : The DORA compliance log must be submitted to the CSSF by April 2025 - make sure your firm is prepared!

Is your Firm Prepared ?

Regulatory scrutiny in Luxembourg continues to intensify, and financial institutions must stay proactive to meet the requirements of CSSF Circular 18/698. Failing to do so can result in significant consequences, including sanctions, reputational damage, and operational disruptions. But how confident are you that your firm is ready ?

Here are some of the most common pitfalls that financial institutions encounter

• Incomplete or outdated compliance frameworks - Are your policies regularly reviewed and aligned with the latest regulatory expectations ?

• Insufficient or disorganized documentation - Can you provide clear, consistent, and readily accessible records to regulators when requested ?

• Weak conflict of interest management - Do you have robust controls in place to identify, assess, and mitigate risks effectively ?

• Inadequate compliance monitoring - Are you tracking obligations systematically, or are you still relying on inefficient manual processes ?

Ensuring compliance isn't just about ticking boxes - it's about safeguarding your firm's reputation and operational resilience.

How can Osmia Consulting help you ?

• Compliance Framework Assessment: Identify gaps and align processes with CSSF Circular 18/698.

• Internal Audits & Reviews: Stay audit-ready with independent compliance checks.

• Tailored Training Programs: Equip your teams with the latest compliance best practices.

Stay ahead of regulatory challenges

Partner with Osmia Consulting to build a Resilient Compliance Framework that protects your company. Contact us today to learn more about how we can support your compliance needs and help you stay confidently ahead of regulatory requirements.

Key Role of « RC » in the Luxembourg Compliance Framework

What is an RC ?
In the Luxembourg compliance framework, "RC" stands for "Responsable du Contrôle” de la conformité en matière de lutte contre le blanchiment d’argent which can be translated as "Person Responsible for Control" of compliance as regard to anti-money laundering.

The RC plays a key role in the Luxembourg compliance framework and is often required in regulated entities such as financial institutions, investment funds, and service providers under the supervision of the Commission de Surveillance du Secteur Financier (CSSF) or other regulatory bodies.

The RC’s main responsibilities are to oversee the entity's compliance with Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) laws and regulations in the financial sector, and to ensure that robust controls are in place.

The RC also has specific reporting duties to regulators, the board of directors, and management board, serving as the primary contact for regulators, especially for AML/CFT-related matters.

When and why might one require an RC
Entities under the supervision of the CSSF or other regulatory authorities, such as the CAA (Commissariat aux Assurances) or the AED (Administration de l’Enregistrement, des Domaines et de la TVA), must appoint an RC.

These entities typically include :

• Investment Funds (UCITS and AIFs including RAIFs)

• Management Companies (ManCos) and Alternative Investment Fund Managers (AIFM)

• Banks and Credit Institutions

• Electronic Money Institutions (EMIs) and Payment Institutions (PIs)

• Professionals of the Financial Sector (PSFs):

• Insurance and Reinsurance Undertakings

• And some Special Purpose Vehicles (SPVs) such as Securitization vehicles in specific cases.

• Unregulated structures, such as holding companies (SOPARFIs), do not generally require an RC unless their activities fall under AML/CFT obligations.

What are the primary distinctions and relationship between the role of RC and other risk/compliance positions ?

RR (Responsable du Respect des obligations professionnelles en matière de lutte contre le blanchiment - person Responsible for Respect/compliance) 
The RC is responsible for implementing a robust compliance framework as regards to Anti-Money Laundering and Counter-Terrorism Financing (AML-CTF), while the RR ensures that the entity complies with laws, regulations, and professional standards on the same topics. In other words, the RR's role is to implement preventive measures and to ensure employee compliance with regulatory obligations, while the RC focuses on oversight and control.

The RC and RR roles are distinct but complementary. They work together to ensure regulatory compliance through a holistic structure.

CCO (Chief Compliance Officer)
The Compliance Officer is a broader, non-specific role responsible for an organization's overall compliance framework across multiple regulatory domains. In smaller organizations, the RC and the Compliance Officer roles might be held by the same person. In larger organizations, the RC is typically a distinct role within the compliance function.

The CCO conducts monitoring activities, ensures that employees follow compliance policies, and prepares reports. In doing so, the CCO supports both the RC and the RR by managing day-to-day compliance tasks.

Internal Audit
Often referred to as the “third line of defence”, internal audit provides an independent and critical evaluation of the compliance framework and risk management processes in place, distinct from the RC and RR and other internal control functions.

Board of directors/managers
The board bears the ultimate responsibility for ensuring that the organization complies with all regulatory and legal requirements.

Who can be RC ?
Contrary to the RR, which can be a committee (such as the board itself), the RC must be an individual. An RC must possess the following qualities:

✓ Relevant experience and understanding, particularly in the areas of compliance and financial sector.
✓ Independence and authority to execute their duties effectively.
✓ Sufficient time and resources to fulfil their responsibilities.

The appointment of an RC in the financial sector typically requires the CSSF’s approval.

Given that only entities with complex activities require a full-time RC, most RC roles are usually part-time. Outsourcing to external experts is therefore a viable option, as it provides access to the necessary expertise and experience without the need of permanent recruitment.

How can Osmia Consulting help you ?

With extensive experience in Luxembourg’s regulatory landscape, Osmia Consulting offers a diverse pool of candidates who can act as your company’s RCs, ensuring efficient and expert management of your compliance requirements

Ensuring adherence to anti-money laundering and counter-terrorism financing regulations, commonly referred to as AML/FT, is a critical aspect of your day-to-day responsibilities.

Sanctions for regulatory or legal infractions include warnings, public statements, suspension or revocation of your authorization, as well as fines.

Who is impacted ?
✓ Financial professionals subject to CSSF supervision, such as Management Companies, AIFM, credit institutions, SIF, UCITS, SICAR, payments institutions, central administrators ...
✓ Financial professionals subject to AED supervision such as RAIF
✓ Insurance undertakings licensed or authorized to exercise their activities in Luxembourg as well as the professionals of the insurance sector
✓ Family offices
✓ Other professionals (mainly accountants, real estate agents, notaries, lawyers)

What are the main obligations ?
✓ Perform an AML risk assessment
✓ Perform a country risk assessment
✓ Carry out customer due diligences (on investors and counterparties)
✓ Implement policies and procedures
✓ Report suspicious activities
✓ Receive regular training

How can Osmia Consulting assist you ?

• Assess your AML-KYC risk by conducting a gap analysis

• Train your teams on AML-KYC topics

• Stay informed about any new regulatory and legal developments

• Keep your policies and procedures up-to-date

• Organize your due diligences in an efficient way

• RC – RR – find your MLRO or responsible officer

Luxembourg National Identification Number

As of 12 November 2024, all natural persons who are already or will be registered in the Luxembourg Trade and Companies Register (RCS) must provide their Luxembourg National Identification number (LNIN). If they do not have a LNIN, they must obtain one.

The LNIN, also known as the 'matricule number' or the 'CNS number', is a unique identifier for natural persons. It is automatically assigned to Luxembourg residents and Luxembourg workers.

Who is impacted by this ?
All natural persons registered with the RCS, in any capacity
Shareholders, Partners, Directors, Managers, representatives and auditors.

What are the obligations of natural persons who do not have a LNIN yet ?
Fill in a specific filing form on the RCS portal by communicating:
First names; Last name; Date, place and country of birth; Gender; Nationality; Private home address (number, street, postal code, locality, country); Supporting documents such as ID documents and proof of private address, everything translated into English or one of the national languages.

What are the obligations of natural persons in possession of a LNIN ?
Fill in a specific filing form on the RCS portal for this purpose, allowing the communication of the LNIN.

What is the impact of non-compliance ?
Inability to finalize filing procedures with the RCS, no matter if it relates to a natural persons or not (e.g. filing of annual accounts).

How Osmia Consulting can help you ?

• Conduct a gap analysis to evaluate your impact

• Fill in the required forms

• Keep your LNIN request up-to-date