CSSF Authorisation Application File: Luxembourg Evidence and Governance Guide
Authorisation file evidence map
Use this guide when a CSSF-facing question needs a structured file rather than a loose policy summary. It covers the Luxembourg regulatory obligation, supervisory evidence, internal ownership and escalation points, then shows how to map the controlling rule, prepare board or compliance evidence, and know when a CSSF-facing specialist should review the file. The later sections cover the authorisation file evidence map, the sector route and the core file architecture, so the next step is easier to judge. Read it before assigning owners or responding to a supervisory request, so the evidence file matches the regulatory question.
| Application layer | Evidence to assemble | Question it answers |
|---|---|---|
| Scope and programme | Requested licence scope, business plan, programme of operations, target clients and activity boundaries. | Can CSSF see exactly what the applicant wants to be authorised to do? |
| Governance and ownership | Shareholder structure, management-body records, fit-and-proper evidence, local substance and committee design. | Who controls and manages the applicant, and where are decisions made? |
| Risk and operating model | Policies, outsourcing register, ICT/security controls, compliance monitoring, reporting calendar and remediation owners. | Can the operating model support the proposed regulated activity? |
Current as of June 4, 2026. This article is general regulatory information, not legal advice, licensing advice, or a conclusion that a specific activity requires authorisation.
Direct Answer
A CSSF authorisation application file should start with the regulated activity and entity type, not with a generic checklist. Luxembourg funds, fund managers, investment firms, payment institutions, electronic money institutions, AISPs, credit institutions, crowdfunding service providers and other regulated actors do not all use one identical file. The CSSF's sector pages and procedure pages define the relevant route.
The practical file structure is still consistent: identify the legal basis, activity scope, governance, shareholders, managers, capital and financial resources, AML/CFT framework, internal controls, ICT/outsourcing arrangements, forms and supporting evidence. Then organise the file so each claim is supported by a document, policy, contract, governance record or source.
Start With the Sector Route
The CSSF page Authorisation of an investment vehicle or an investment fund manager states that Luxembourg investment vehicles and fund managers must be authorised by the CSSF before carrying out activities, and that the procedure depends on the entity type. The Authorisation of a UCI page is different from an investment-firm or payment-institution route.
For investment firms, the CSSF's Legal requirements and authorisation procedure for investment firms page describes an initial qualification discussion, formal written application, completeness review and decision timing. For payment institutions, electronic money institutions and AISPs, the CSSF page explains that application files are submitted electronically through CSSF MFT after the required link is provided on request.
Core File Architecture
| File section | Purpose |
|---|---|
| Legal qualification | Explains the activity, legal status requested and applicable route. |
| Applicant identity | Confirms entity details, group structure and corporate documents. |
| Ownership and control | Identifies shareholders, beneficial owners and qualifying holdings. |
| Governance | Shows management body, committees, responsibilities and minutes. |
| Key functions | Explains conducting officers, compliance, risk, internal audit and AML roles where relevant. |
| Programme of operations | Describes services, products, target clients, geographies and operating model. |
| Financial resources | Shows capital, projections, budget and prudential readiness where applicable. |
| AML/CFT | Documents risk assessment, onboarding, monitoring, escalation and training. |
| ICT and outsourcing | Shows systems, resilience, providers, oversight and exit arrangements. |
| Policies and procedures | Connects written controls to the proposed activity. |
| Forms and declarations | Follows the current CSSF route and submission format. |
This structure is an editorial model, not a universal CSSF form. The final file must follow the current official procedure for the specific status.
Timing Caveats
The investment-firm procedure page states that once a complete and compliant application file is received, the CSSF examines it and may request more information. It also states that the authorisation decision must be notified within six months after receipt of the complete and compliant application file or after receipt of missing information if the file was incomplete, with a 12-month outside limit after receipt of an official complete and compliant application.
Do not convert this into a guaranteed project timeline. "Complete and compliant" matters. CSSF questions, missing information, changes in business model and shareholder or governance issues can affect the process.
Common Readiness Problems
Common problems include unclear activity perimeter, inconsistent group charts, weak governance evidence, generic policies copied from another entity, insufficient AML/CFT file logic, unsupported outsourcing arrangements, vague ICT controls, missing fit-and-proper evidence and financial projections that do not match the business model.
These problems do not always cause refusal. The safer claim is that they create file-quality risk and often trigger questions.
Evidence Discipline
Every file statement should have evidence. If the file says the applicant has experienced management, identify names, roles, time commitment and supporting records. If it says outsourcing is controlled, include due diligence, contracts, oversight reporting and exit planning. If it says AML/CFT risks are managed, show risk assessment, onboarding process, monitoring, escalation and training.
The best file is not the longest. It is the file where the CSSF can quickly see the requested authorisation, the legal basis, the operating model and the evidence supporting each material claim.
Source Review Status
Reviewed on June 4, 2026 against the official source URLs listed in this article. This publication batch excludes CSSF articles with official CSSF URLs that returned a non-200 HTTP status during the pre-publication check.
Official Sources
- CSSF, Authorisation of an investment vehicle or an investment fund manager, last update 12 March 2026.
- CSSF, Authorisation of a UCI, last update 12 March 2026.
- CSSF, Legal requirements and authorisation procedure for investment firms, last update 4 March 2026.
- CSSF, Authorisation procedure of a PI or EMI or registration of an AISP, last update 18 May 2022.
Bottom Line
A CSSF authorisation file should be built from the applicable sector route and supported by evidence. Do not start with a generic checklist. Start with the activity, source, status requested and proof that the applicant can operate under supervision.
Decision Matrix
| Decision point | What to verify | Evidence to keep |
|---|---|---|
| Reader profile | Confirm nationality, residence status, tax position, employment or study route, and timing before applying general advice. | Identity document, route-specific official page, appointment record, and dated notes. |
| Controlling source | Identify whether an authority, regulator, bank, insurer, university, employer, marketplace, or broker decides the outcome. | Official page, provider terms, contract wording, and the date checked. |
| Money and deadline exposure | Find deposits, fees, premiums, delivery costs, tuition, margin exposure, or cancellation windows before committing. | Invoice, receipt, policy terms, order page, margin statement, or refund rule. |
| Fallback route | Define the second legitimate route before the first route fails or becomes too expensive. | Alternative provider, later appointment, second programme, different bank, or adviser note. |
Main Risks
- Following a generic checklist that does not match the reader's country, status, institution, or deadline.
- Paying, signing, trading, booking, or submitting before the accepted evidence format is clear.
- Relying on provider marketing, forums, or old summaries where an official or regulated source controls the decision.
- Keeping no dated proof of what was checked, submitted, refused, accepted, or promised.
- Missing the fallback route until the first provider, authority, school, platform, or broker has already refused.
Reader Action Checklist
Before relying on this guide, make a one-page case note. Name the reader category, the deciding institution, the rule or source checked, the documents available today, the document that is still missing, the payment or deadline at risk, and the fallback route. That short note makes the article useful in a real decision rather than only informative.
If the topic affects immigration, tax, insurance, employment, regulated finance, consumer rights, housing, university admission, or large payments, ask the relevant authority, regulated provider, or qualified adviser to confirm the current rule for the specific facts. The point is not to collect more links; it is to make the next action verifiable.
For comparison work, separate three layers. First, identify the rule or contract that decides the case. Second, identify the provider or institution that applies that rule in practice. Third, identify the document, screenshot, statement, receipt, filing, or confirmation that proves the reader meets the rule today. A guide is strongest when it helps the reader move through those layers without pretending that every country, bank, insurer, school, shop, broker, or authority behaves the same way.
When information conflicts, prefer the newest official page, the regulated provider's written terms, and dated correspondence over summaries that do not show their source. If the decision is expensive or hard to reverse, pause until the reader can name the missing evidence, the deadline, the amount at risk, and the person or institution that can confirm the next step.