
CSSF Circular 26/906: Why governance is now a Board-level growth issue for payment fintechs

Updated: Mar 11

What Boards of Payment and Electronic Money Institutions must rethink ahead of 30 June 2026.

Governance expectations for payment fintechs are increasingly shaped at Board level.

Governance in the payments sector has entered a new phase


On 20 January 2026, the Commission de Surveillance du Secteur Financier (CSSF) published Circular CSSF 26/906, establishing a consolidated framework on central administration, internal governance and risk management applicable to Payment Institutions (PIs) and Electronic Money Institutions (EMIs).


The circular repeals several legacy governance circulars and clarifies how the amended Law of 10 November 2009 on payment services is expected to be applied in practice. Its objective is explicit: to ensure that institutions operate with sound and prudent management arrangements that are proportionate to the nature, scale and complexity of their activities.


While the circular may initially appear as a technical consolidation exercise, its underlying message is more structural. Governance is no longer viewed as an ancillary control function. It has become a core condition for sustainable growth, safeguarding effectiveness and supervisory confidence.


A sector that has outgrown its legacy governance assumptions


The Luxembourg payments and electronic money sector has evolved rapidly. Institutions now process significant transaction volumes and values, rely on complex outsourcing and IT ecosystems, and operate business models that combine payments, safeguarding, technology and, increasingly, cross-border activities.


Circular 26/906 explicitly acknowledges that PIs and EMIs can no longer be treated as low-impact or purely operational actors. They hold client funds, ensure continuity of essential payment services, and form part of the financial system’s operational backbone.


In this context, governance weaknesses rarely remain contained. They tend to materialise through:


  • safeguarding incidents,

  • operational disruptions,

  • weaknesses in internal control functions,

  • or delayed supervisory intervention.


The circular therefore reinforces the principle already embedded in the Law of 10 November 2009: effective governance is a prerequisite for authorisation, continuity and credibility.


Governance is no longer a management topic — it is a Board responsibility


One of the most consequential aspects of Circular 26/906 is the way it reframes Board accountability in practice.


The circular places clear expectations on:


  • the collective responsibility, composition and effective functioning of management bodies,

  • the independence, authority and organisation of internal control functions, and

  • Board-level oversight of conflicts of interest, new product approval and safeguarding arrangements.


This is not about producing additional policies for supervisory files. It is a supervisory signal that governance outcomes — including failures — are attributable to the Board as a whole, not merely to executive management or control functions.


In day-to-day terms, this changes how Boards are expected to operate. For example:


  • approving a product no longer means endorsing a business case, but ensuring that risk, safeguarding and operational impacts have been effectively challenged;

  • receiving compliance or risk reports is not sufficient if the Board cannot demonstrate active oversight and informed judgement;

  • outsourcing arrangements require Board understanding of dependencies, not just contractual comfort.


This shift is further reinforced by the introduction of a mandatory annual compliance attestation, to be signed by the entire management body. By signing it, Board members collectively confirm compliance with all applicable CSSF requirements, or explicitly disclose deficiencies, root causes and remediation timelines. In practice, this often exposes gaps not in documentation, but in Board-level regulatory literacy and confidence.


In practical terms, this raises a fundamental Board question: are all members in a position to sign this attestation with confidence, based on their own understanding of the institution’s governance, risk and compliance framework?


This is not a formality. It requires Boards to ensure that they collectively possess — or have access to — sufficient regulatory, governance and compliance competence to exercise informed judgement, challenge management where needed, and stand behind the declaration they are asked to sign.


One of the most practical implications of the circular is this: governance must now be demonstrable from within the Luxembourg entity. A registered office alone is no longer sufficient. The CSSF expects the decision-making and administrative centre of the institution to be genuinely anchored locally, with management reachable in Luxembourg and the Board able to exercise oversight without default reliance on group headquarters.


From fragmented controls to a coherent governance framework


Circular 26/906 consolidates governance expectations across several interdependent areas that now need to function as a single governance system:


  • Management bodies: Clear allocation of responsibilities, documented decision-making and effective oversight of strategy, risk appetite and safeguarding principles — with the expectation that Boards understand how these elements interact in practice.

  • Internal control functions: Reinforced requirements for Compliance, Risk Management and Internal Audit, including independence, access to information and escalation to the Board. Control functions are no longer expected simply to “report” risk, but to enable Board-level challenge.

  • Conflicts of interest: Stronger identification and governance of conflicts, particularly relevant for group structures, shareholder influence and embedded finance models. Boards are expected to understand not only declared conflicts, but structural incentives.

  • New product approval: A formalised process that links innovation to governance. Boards are expected to ensure that products are not only commercially viable, but operationally and legally sustainable.

  • Safeguarding of client funds: The circular reinforces that safeguarding is not an operational afterthought. It is a governance responsibility, requiring Board oversight of processes, controls and escalation mechanisms.


Supervisory expectations increasingly focus on traceability: institutions must be able to demonstrate how weaknesses identified by control functions or auditors are prioritised, assigned, monitored and ultimately resolved.

Proportionality itself is no longer an implicit concept.

Institutions are expected to formally document why their governance arrangements correspond to the nature, scale and complexity of their activities, with this assessment reviewed and approved at Board level.


The circular also expands governance oversight into areas that were historically treated as operational, including customer communications and marketing language. Boards are expected to ensure that terminology used by payment institutions does not create misleading associations with credit institutions or banking activities.


Together, these elements articulate a clear supervisory narrative: payment and electronic money institutions must demonstrate governance maturity proportionate to their systemic relevance.


Annual Compliance Attestation.

Why this is a growth issue — not merely a compliance one


Governance is sometimes perceived by payment fintechs as a constraint on speed. Circular 26/906 challenges that assumption directly.


In practice, weak or unclear governance tends to result in:

  • delayed supervisory approvals,

  • remediation programmes imposed under time pressure,

  • constrained product launches,

  • or loss of partner and client confidence.


Conversely, Boards that operate with clear governance frameworks and informed oversight are better positioned to:


  • engage constructively with the CSSF,

  • absorb regulatory change,

  • support innovation without creating supervisory friction.


In this sense, governance becomes a strategic enabler, not a brake on growth.


The role of independent oversight under CSSF supervision


As governance expectations increase, the value of independent challenge at Board level becomes more pronounced.


While Circular 26/906 does not mandate Board composition, its emphasis on effective oversight, conflict management and collective accountability implicitly raises expectations around independence, experience and regulatory literacy.


In practice, experienced independent non-executive directors add value by:


  • translating regulatory expectations into Board-level decisions,

  • challenging assumptions without operational or shareholder bias,

  • supporting Chairs in structuring effective Board discussions, and

  • ensuring that governance frameworks remain workable as institutions scale.


For many PIs and EMIs, strengthening independent oversight is no longer a theoretical governance discussion. It is becoming a pragmatic response to supervisory expectations.


Looking ahead to 30 June 2026


Institutions in scope of Circular 26/906 are required to assess and review their central administration, internal governance and risk management frameworks to ensure compliance by 30 June 2026.


The challenge is not understanding the text of the circular. It is embedding its principles into how Boards actually operate, decide and oversee.


Boards that engage early, reflect honestly on their governance model and reinforce effective independent oversight will be best positioned to demonstrate sound and prudent management.


At the same time, European supervision of financial crime risks is undergoing a structural transformation with the creation of the European Anti-Money Laundering Authority (AMLA).


I recently explored what this means for Board governance and data architecture in this article: AML Stays on Top of the Board Agenda — With AMLA Ahead.


Closing reflection — and what this means in practice


Circular CSSF 26/906 should not be understood as a technical update. It reflects a supervisory recalibration of Board responsibility in payment and electronic money institutions.


As business models become more complex, governance is no longer assessed through the existence of policies or committees alone. Supervisory focus increasingly lies on how Boards exercise judgement, how accountability is discharged in practice, and how early governance intervention occurs when risks emerge.


In practical terms, this means Boards are expected to:


  • understand the institution’s operational and organisational realities,

  • actively oversee internal control functions beyond formal reporting lines,

  • exercise informed challenge in areas such as safeguarding, product governance and conflicts of interest, and

  • intervene early when governance or risk signals arise.


Governance is no longer a layer applied after strategic decisions are taken. It is an integral part of how those decisions are shaped, tested and owned at Board level.


Institutions that treat Circular 26/906 as an opportunity to strengthen effective Board oversight, rather than as a compliance exercise, will be better positioned to maintain supervisory confidence and support sustainable growth beyond 30 June 2026.


Author perspective


This analysis reflects my experience working with Boards and management bodies of CSSF-regulated institutions, including payment and electronic money institutions, on governance, risk oversight and supervisory engagement.


As an independent non-executive director and board advisor, I work at the intersection of regulatory expectations and boardroom decision-making — supporting Chairs and Boards in translating supervisory requirements into effective, workable governance.


Through Linkvalue, I focus on board effectiveness, governance design and independent oversight in regulated fintech environments, where growth, innovation and supervisory expectations must be balanced carefully.


If you would like a practical overview of board responsibilities in payment and electronic money institutions, you can find it here: Board Oversight in Payment Institutions & Electronic Money Institutions


By Sonja Hilkhuijsen, Founder & Independent Non-Executive Director – Linkvalue

 
 