CSSF white paper on DLT use in financial services

On 24 January 2022, the Commission de Surveillance du Secteur Financier (CSSF) published guidelines in the form of a white paper aimed at guiding interested professionals in the conduct of their due diligence process related to the Distributed Ledger Technology (DLT) and its use in the provision of services in the Luxembourg financial sector.

As a basis for the understanding of the white paper comes to concept of DLT (Distributed Ledger Technology). A DLT is a distributed database or ledger which is maintained on a network where each participant (node) can transfer information to other nodes without having to go through a central server. In addition to being decentralised, this network is also distributed which is to say that all the servers and computers of the network are interconnected and can share information.

The CSSF identifies the following two elements that differentiate DLT from traditional databases and qualify a technology as DLT:

• A consensus mechanism: the DLT need an efficient, reliable, and secure mechanism to ensure that all the transactions occurring on the network are genuine and all participants agree on a consensus on the status of the ledger. This task is performed via the consensus mechanism, which is a set of rules that decides on the legitimacy of contributions made by the various participants of the DLT; and
• The DLT uses cryptography to securely store data, cryptographic signatures and keys to allow access only to authorized users. The technology creates an immutable database, which means information, once stored, cannot be deleted and any updates are permanently recorded and also provides for an authentication and authorisation process to the transactions between participants.

From a regulatory perspective, the white paper highlights, amongst other things, the associated risks to be considered by entities looking to use a DLT to support the provision of financial services, particularly in terms of governance risk. To this end, the regulator recalls that the use of the DLT within an inadequate governance framework could generate a risk of sanction.

In addition, the user entity should anticipate the impacts in terms of business continuity. In terms of organisation, the CSSF recommends a dedicated person in charge of any technical malfunctions related to the DLT at the service provider. The entity must also take into account the obligation to execute court orders or even to block access to the assets stored within a DLT. Among the technical risks inherent in DLT, the supplier must ensure upstream that the consensus algorithm has been tested correctly and must implement a resilient solution if necessary. Therefore, the solution provider must justify the measures put in place in terms of control related to information on the owners of the assets, all AML/CFT obligations must be strictly required to when using DLT.

The white paper also suggest potential applications of the DTL technology by financial institutions in line with the AML/CFT obligations mentioned in the previous paragraph. The CSSF provide examples where the AML/CFT obligations of professionals subject to them (including financial institutions) can be satisfied by using this new tool in order to operate the KYC data management. The CSSF also provides examples of funds distribution platforms using the DLT technology to tokenize investment funds in which investors can subscribe and redeem their units through a web or mobile application and where investors’ accounts are assimilated to a wallet on a DLT and the units of funds they are investing into are tokens stored in their wallet.

It is important to note that, in December 2021, the European Council approved the European Commission's proposal to establish a pilot project for market infrastructures using DLT technology. This initiative will enable the implementation of a set of measures on digital finance area and will have most certainly, once implemented, additional effects on the Luxembourg DLT legal framework.

Please click here to read the white paper published by CSSF.