CSSF Authorisation Application File: Luxembourg Evidence and Governance Guide

Authorisation file evidence map

Use this guide when a CSSF-facing question needs a structured file rather than a loose policy summary. It covers the Luxembourg regulatory obligation, supervisory evidence, internal ownership and escalation points, then shows how to map the controlling rule, prepare board or compliance evidence, and know when a CSSF-facing specialist should review the file. The later sections connect the authorisation file evidence map, the sector route and the core file architecture so the next step is easier to judge. Read it before assigning owners or responding to a supervisory request, so the evidence file matches the regulatory question.

Application layer | Evidence to assemble | Question it answers
Scope and programme | Requested licence scope, business plan, programme of operations, target clients and activity boundaries. | Can CSSF see exactly what the applicant wants to be authorised to do?
Governance and ownership | Shareholder structure, management-body records, fit-and-proper evidence, local substance and committee design. | Who controls and manages the applicant, and where are decisions made?
Risk and operating model | Policies, outsourcing register, ICT/security controls, compliance monitoring, reporting calendar and remediation owners. | Can the operating model support the proposed regulated activity?

Current as of June 4, 2026. This article is general regulatory information, not legal advice, licensing advice, or a conclusion that a specific activity requires authorisation.

Direct Answer

A CSSF authorisation application file should start with the regulated activity and entity type, not with a generic checklist. Luxembourg funds, fund managers, investment firms, payment institutions, electronic money institutions, AISPs, credit institutions, crowdfunding service providers and other regulated actors do not all use one identical file. The CSSF's sector pages and procedure pages define the relevant route.

The practical file structure is still consistent: identify the legal basis, activity scope, governance, shareholders, managers, capital and financial resources, AML/CFT framework, internal controls, ICT/outsourcing arrangements, forms and supporting evidence. Then organise the file so each claim is supported by a document, policy, contract, governance record or source.

Start With the Sector Route

The CSSF page "Authorisation of an investment vehicle or an investment fund manager" states that Luxembourg investment vehicles and fund managers must be authorised by the CSSF before carrying out activities, and that the procedure depends on the entity type. The "Authorisation of a UCI" page is different from an investment-firm or payment-institution route.

For investment firms, the CSSF's "Legal requirements and authorisation procedure for investment firms" page describes an initial qualification discussion, formal written application, completeness review and decision timing. For payment institutions, electronic money institutions and AISPs, the CSSF page explains that application files are submitted electronically through CSSF MFT after the required link is provided on request.

Core File Architecture

File section | Purpose
Legal qualification | Explains the activity, legal status requested and applicable route.
Applicant identity | Confirms entity details, group structure and corporate documents.
Ownership and control | Identifies shareholders, beneficial owners and qualifying holdings.
Governance | Shows management body, committees, responsibilities and minutes.
Key functions | Explains conducting officers, compliance, risk, internal audit and AML roles where relevant.
Programme of operations | Describes services, products, target clients, geographies and operating model.
Financial resources | Shows capital, projections, budget and prudential readiness where applicable.
AML/CFT | Documents risk assessment, onboarding, monitoring, escalation and training.
ICT and outsourcing | Shows systems, resilience, providers, oversight and exit arrangements.
Policies and procedures | Connects written controls to the proposed activity.
Forms and declarations | Follows the current CSSF route and submission format.

This structure is an editorial model, not a universal CSSF form. The final file must follow the current official procedure for the specific status.

Timing Caveats

The investment-firm procedure page states that once a complete and compliant application file is received, the CSSF examines it and may request more information. It also states that the authorisation decision must be notified within six months after receipt of the complete and compliant application file or after receipt of missing information if the file was incomplete, with a 12-month outside limit after receipt of an official complete and compliant application.

Do not convert this into a guaranteed project timeline. "Complete and compliant" matters. CSSF questions, missing information, changes in business model and shareholder or governance issues can affect the process.

Common Readiness Problems

Common problems include unclear activity perimeter, inconsistent group charts, weak governance evidence, generic policies copied from another entity, insufficient AML/CFT file logic, unsupported outsourcing arrangements, vague ICT controls, missing fit-and-proper evidence and financial projections that do not match the business model.

These problems do not always cause refusal. They create file-quality risk and often trigger questions.

Evidence Discipline

Every file statement should have evidence. If the file says the applicant has experienced management, identify names, roles, time commitment and supporting records. If it says outsourcing is controlled, include due diligence, contracts, oversight reporting and exit planning. If it says AML/CFT risks are managed, show risk assessment, onboarding process, monitoring, escalation and training.

The best file is not the longest. It is the file where the CSSF can quickly see the requested authorisation, the legal basis, the operating model and the evidence supporting each material claim.

Source Review Status

Reviewed on June 4, 2026 against the official source URLs listed in this article. This publication batch excludes CSSF articles with official CSSF URLs that returned a non-200 HTTP status during the pre-publication check.

Bottom Line

A CSSF authorisation file should be built from the applicable sector route and supported by evidence. Do not start with a generic checklist. Start with the activity, source, status requested and proof that the applicant can operate under supervision.

Decision Matrix

Decision point | What to verify | Evidence to keep
Reader profile | Confirm nationality, residence status, tax position, employment or study route, and timing before applying general advice. | Identity document, route-specific official page, appointment record, and dated notes.
Controlling source | Identify whether an authority, regulator, bank, insurer, university, employer, marketplace, or broker decides the outcome. | Official page, provider terms, contract wording, and the date checked.
Money and deadline exposure | Find deposits, fees, premiums, delivery costs, tuition, margin exposure, or cancellation windows before committing. | Invoice, receipt, policy terms, order page, margin statement, or refund rule.
Fallback route | Define the second legitimate route before the first route fails or becomes too expensive. | Alternative provider, later appointment, second programme, different bank, or adviser note.

Main Risks

  • Following a generic checklist that does not match the reader's country, status, institution, or deadline.
  • Paying, signing, trading, booking, or submitting before the accepted evidence format is clear.
  • Relying on provider marketing, forums, or old summaries where an official or regulated source controls the decision.
  • Keeping no dated proof of what was checked, submitted, refused, accepted, or promised.
  • Missing the fallback route until the first provider, authority, school, platform, or broker has already refused.

Official Sources

Use this source pack to verify the practical claims in this guide before acting on CSSF Authorisation Application File in Luxembourg: How to Structure a Regulated Entity File. The links below are intentionally broad because they help readers separate official rules, institutional terms, and private advice.

Reader Action Checklist

Before relying on this guide, make a one-page case note. Name the reader category, the deciding institution, the rule or source checked, the documents available today, the document that is still missing, the payment or deadline at risk, and the fallback route. That short note makes the article useful in a real decision rather than only informative.

If the topic affects immigration, tax, insurance, employment, regulated finance, consumer rights, housing, university admission, or large payments, ask the relevant authority, regulated provider, or qualified adviser to confirm the current rule for the specific facts. The point is not to collect more links; it is to make the next action verifiable.

For comparison work, separate three layers. First, identify the rule or contract that decides the case. Second, identify the provider or institution that applies that rule in practice. Third, identify the document, screenshot, statement, receipt, filing, or confirmation that proves the reader meets the rule today. A guide is strongest when it helps the reader move through those layers without pretending that every country, bank, insurer, school, shop, broker, or authority behaves the same way.

When information conflicts, prefer the newest official page, the regulated provider's written terms, and dated correspondence over summaries that do not show their source. If the decision is expensive or hard to reverse, pause until the reader can name the missing evidence, the deadline, the amount at risk, and the person or institution that can confirm the next step.