Latest CSSF guidance on virtual assets

On 4 January 2022, as described in the initial guidance on virtual assets communiqué of 29 November 2021, the Commission de Surveillance du Secteur Financier (the CSSF) published its second FAQ on virtual assets.¹

To deal with the continuing development of virtual assets, the CSSF has published a guidance package consisting of the November 2021 communication² and two FAQs. This FAQ in particular addresses the questions raised by credit institutions.

In Luxembourg, the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the AML Law), defines virtual assets as “a digital representation of value, including a virtual currency, that can be digitally traded, or transferred, and can be used for payment or investment purpose”.

The scope of activities

In its guidance, the CSSF has affirmed that credit institutions are allowed to invest in virtual assets, contrary to UCITs³, UCIs⁴ marketed to non-professional customers and pension funds.

The CSSF cautions that investing in a virtual asset comes with certain risks that make credit institutions subject to, inter alia, assessments of the virtual asset’s classification (tangible or intangible), the accounting approach applied and its risk-weight under the European Capital Requirements Regulation (CRR)⁵.

The CSSF has specified that credit institutions cannot open their own bank accounts in virtual assets but are entitled to open accounts for their customers to deposit their virtual assets on the condition that such accounts are segregated from the credit institutions’ own assets.

According to the CSSF, a credit institution intending to provide virtual asset services under Article 1(20c) of the AML Law will be considered a virtual asset service provider (VASP) and will need to submit an application for registration prior to the provision of those services. More information on the registration process can be found here.

Safeguarding of virtual assets

Under Article 1(20c) of the AML Law, a credit institution acts as a VASP when providing services to its customers that directly safeguard their virtual assets, such as custody platforms, and will need to notify the CSSF of such activity in a timely manner.

In contrast, when appointing VASPs, the CSSF expects credit institutions to find ways to avoid VASPs from potentially disrupting their regulated financial activities and affecting stakeholders. Under civil law, a credit institution holding its customers’ virtual assets as an off-balance sheet item, would be required to compensate its customers for the loss or theft of such virtual assets.

As such assets are generally kept at external exchange and custody platforms, a credit institution is subject to counterparty risk towards the VASPs offering the external service. In this case, the credit institution can adopt one of two approaches and discuss this with the CSSF:

1. Transferring the counterparty risk to its customers through a contract between the VASP and customer which is considered the most effective approach for mitigating risk; or

2. Keeping the counterparty risk and comply with the large exposure limits framework as set out in the CRR.

The CSSF considers that a credit institution can act as a depository for investment funds investing directly in virtual assets under certain conditions. These conditions are the same as those set out in the CSSF FAQ on virtual assets for UCIs⁶ and require depositaries to put in place adequate organisational arrangements and an appropriate operational model, considering the specific risks related to the safekeeping of virtual assets. For further details, please see CSSF updates its FAQ on virtual assets.

Mitigation of risk

Internal governance arrangements

The CSSF has re-affirmed that a credit institution intending to offer virtual asset services must present a detailed business case, in particular the assessment and management of risk, and then submit this to the CSSF.

When offering of transacting in virtual assets, credit institutions must adhere to the principles of sound and prudent risk management and the ex-ante New Product Approval Process⁷ to ensure the operational requirements are in place to mitigate the risks and protect the regulated financial activities of credit institutions.

Investor protection

Credit institutions that facilitate investments in virtual assets are expected by the CSSF to set up their own investor protection framework considering these assets fall outside the scope of the investor protection rules under the Directive 2014/65/EU of 15 May 2014 on markets in financial instruments (MiFIDII).

This protection framework must ensure best execution, suitability and appropriateness of the investments and prepare educational material and transparent reporting regarding its holdings in virtual assets to keep investors informed.

Next steps

Credit institutions should:

• inform the CSSF prior to conducting any activity involving virtual assets.
• follow regulatory developments and the CSSF guidance package on virtual assets that will be updated regularly concerning the prudential treatment of virtual assets and the related practical implications and approaches applicable to credit institutions in respect of virtual assets in Luxembourg.
• continue to conduct risk-benefit assessments of their virtual asset activities in light of current regulations and foreseeable regulatory developments, especially those under the upcoming European Markets in Crypto-assets Regulation (MICA) that will regulate certain virtual assets which until now have fallen outside of the scope of existing legislation, and adapt their business and operational arrangements activities accordingly.

For further information, please do not hesitate to reach out to the Banking, Capital Markets and Regulatory team of the Luxembourg office.

¹ CSSF FAQ on virtual assets (credit institutions)
² CSSF guidance on virtual assets
³ Undertakings for Collective Investment in Transferable Securities
⁴ Undertakings for Collective Investment
⁵ Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012
⁶ CSSF FAQ on virtual assets (UCIs)
⁷ As defined in Circular CSSF 12/552 (as amended by Circulars CSSF 13/563, 14/597, 16/642, 16/647, 17/655, 20/750, 20/759 and 21/785) on central administration, internal governance and risk management