12 May 2021





The European Commission has adopted an ambitious and comprehensive package of measures to help improve the flow of money towards sustainable activities across the European Union. Among other measures, the package is comprised of the EU Taxonomy Climate Delegated Act, a proposal for a Corporate Sustainability Reporting Directive, and 6 Delegated Acts on fiduciary duties amending existing regulations.


Luxembourg Market Update:

The Association of the Luxembourg Fund Industry (ALFI) announced that the total assets under management in Luxembourg domiciled investment funds hit another all-time record of EUR 5,050.132 billion as at 31 January 2021. This represents an increase of 1.54% over one month compared to EUR 4,973.780 billion at the end of 2020. The growth was fuelled by the positive impact of financial markets amounting to EUR 35 billion and strong net inflows of EUR 41 billion.


Regulatory Developments in and beyond Luxembourg:

29 March 2021:

ESMA updates Q&A on inducements

The European Securities and Markets Authority (ESMA) informed the market of an update of the Q&A on MiFID II and MiFIR investor protection and intermediaries topics. The update concerns one of the conditions under which an inducement can be considered as designed to enhance the quality of the relevant service to the client. The condition contains that the inducement is justified by the provision of an additional or higher-level service to the relevant client, proportional to the level of inducements received (article 11 (2) (a) of the MiFID II Delegated Directive (EU) 2017/593). ESMA highlights that the assessment whether a particular quality enhancement complies with the said elements is ultimately to be performed on a case-by-case basis. Nonetheless, ESMA provides some guidance in the updated Q&A to ensure a consistent approach in the application of the requirements.


1 April 2021:

CSSF announces Annual AML Audit of AIFMs and Management Companies

The CSSF announced that it plans to issue a Circular in 2021 detailing the requirements for an annual external AML audit of AIFMs and Management Companies. Registered AIFMs who do not yet have an external auditor appointed will have to appoint an external auditor. The first annual AML audit is currently planned to be implemented for December 2021. The CSSF will issue a prescriptive AML audit work program. All audit firms are to use this and all AIFMs and Management Companies will be subject to it. The principle is that the AIFM/ManCo will perform a self assessment by topic. The auditor is required to perform a validation of this self assessment and sample testing work. The results of the audit will be presented in a table format and to be uploaded on CSSF eDesk by the auditor.


1 April 2021:

CSSF announces new LFR for Funds

The CSSF announced that it will issue a Circular in 2021 detailing the requirement for an annual Long Form Report (LFR) for Funds. The scope includes all regulated funds. The first annual audit is currently planned to be implemented for years ending as from 30 June 2022 (though this is still to be confirmed). The IFM of the Fund will be required to complete a Self Assessment Questionnaire (SAQ) which will follow the requirements of CSSF Circular 18/698. Selected answers from the SAQ will be subject to testing by the external auditor.


9 April 2021:

CSSF publishes Circular CSSF 21/769 on Teleworking

The Circular covers specific governance and security requirements for supervised entities to perform tasks or activities through telework. The Circular enters into force on 30 September 2021 and is addressed to all Supervised Entities of the financial sector.

Note that the implementation of Telework by Supervised Entities will not necessitate any prior approval by the CSSF. The CSSF will however monitor compliance of these entities with this circular and amend these requirements if necessary.


Topics of note include:

  • The Board of Directors of the Supervised Entity (or any representational body) will bear ultimate responsibility for the Telework organisation;
  • The Supervised Entities must ensure Telework does not bring any violation to the applicable legal and regulatory requirements, especially requirements from mandatory public policy provision, professional secrecy, data protection, social security and tax related requirements;
  • In order to maintain a robust central administration, specific criteria shall be applied to define the extent of Telework permitted with regards to the number of staff, working times and presence of key function holders. Staff members shall be able to return to the Supervised Entities premises on short notice in case of need. In addition, at least one authorised manager shall be on-site at the head-office at all times;
  • The Supervised Entities shall perform and regularly review a risk analysis to identify the inherent risks in implementing Telework;
  • The Supervised Entities shall determine and enforce the key principles to be applied in a Telework context in order to ensure that the entity’s activities continue in an effective and secure manner. In particular, it shall define and regularly review (at least annually) a Telework Policy;
  • The Supervised Entities shall maintain internal records to evidence compliance with its Telework Policy and make such evidence, upon request, available to the CSSF;
  • The Supervised Entities’ internal control functions shall independently review the Telework processes and operating controls, and annually report on the use of Telework as well as any significant operational incidents.
  • A telework security policy shall be approved by the Board of Directors, which is aligned with the results of the performed risk analysis and is part of either the security policy or the Telework policy of the Supervised Entity;
  • The Supervised Entity shall ensure sufficient awareness amongst all staff members related to the risks concerning Telework (e.g. phishing, ransomware attacks) through trainings and internal communications;
  • Access rights dedicated to Telework should preferably be limited compared to on-premise work and subject annual reviews (semi-annual for privileged users);
  • The Supervised Entity must ensure that it keeps control over the security of the devices used by the users to connect remotely (both corporate and private devices);
  • Remote connections in the Telework context are subject to defined criteria to be met to properly authenticate the user and secure the connections. In addition, data in transit is supposed to be encrypted following current leading practices;
  • The Supervised Entity shall monitor and identify emerging security threats to apply necessary corrections if required, especially related to privately owned devices used for Telework;
  • The Supervised Entity should organise regular vulnerability scans/penetration tests to identify risks in relation to Telework;
  • Access logs are supposed to be collected and securely retained for security monitoring purposes.


21 April 2021:

Sustainable Finance and EU Taxonomy

The European Commission adopted an ambitious and comprehensive package of measures to help improve the flow of money towards sustainable activities across the European Union. Among other measures, the package is comprised of:

  • The EU Taxonomy Climate Delegated Act, which aims to support sustainable investment by making it clearer which economic activities most contribute to meeting the EU's environmental objectives. The Delegated Act introduces the first set of technical screening criteria to define which activities contribute substantially to two of the environmental objectives under the Taxonomy Regulation: climate change adaptation and climate change mitigation;
  • A proposal for a Corporate Sustainability Reporting Directive (CSRD): this proposal aims to improve the flow of sustainability information in the corporate world. It will make sustainability reporting by companies more consistent, so that users of the information can use comparable and reliable sustainability information. This proposal revises and strengthens the existing rules introduced by the EU’s Non Financial Reporting Directive (NFRD). It will extend the EU's sustainability reporting requirements to all large companies and all listed companies. Nearly 50,000 companies will need to follow detailed sustainability reporting standards, an increase from the 11,000 companies currently subject to reporting;
  • 6 amending Delegated Acts on fiduciary duties, investment and insurance advice will ensure that financial firms, e.g. advisers, asset managers or insurers, include sustainability in their procedures and their investment advice to clients. This includes:


For further information, please contact:

Tobias Ettlin
m: +352 691 111 931

Disclaimer: This regulatory update has been prepared for clients of ONE group solutions and its subsidiaries for informational purposes and is not intended to be relied upon as professional advice. Please visit:

Our Resources and Strengths


We operate around the principle that if our people have a stake in the business, they will do a better job for our clients. We have a committed and stable team, as they see the benefit of long-term value creation through building long-standing relationships. We build value for clients, and their end customer.


You can have the best technology and the most efficient processes in the world, but if you don’t have the people to operate them, your business is worth very little. Thus, our biggest asset is our team of professional and passionate experts.


We operate next generation technology through a combination of in-house, and best in market solutions to deliver an impeccable service and use technology to excel in both service delivery and efficiency.


We delight in valued long-term partnerships with clients, team, industry partners and our stakeholders. We aim to work with clients who share our belief in the importance of building strong partnerships over time.


* Mandatory
ONE respects your privacy and is committed to ensure the data you supply to us is kept safe. Please confirm that you accept our privacy notice on how we process your data.