
CSSF Circular 26/906: Why governance is now a Board-level growth issue for payment fintechs

What Boards of Payment and Electronic Money Institutions must rethink ahead of 30 June 2026.

Governance expectations for payment fintechs are increasingly shaped at Board level.

Governance in the payments sector has entered a new phase


On 20 January 2026, the Commission de Surveillance du Secteur Financier (CSSF) published Circular CSSF 26/906, establishing a consolidated framework on central administration, internal governance and risk management applicable to Payment Institutions (PIs) and Electronic Money Institutions (EMIs).


The circular repeals several legacy governance circulars and clarifies how the amended Law of 10 November 2009 on payment services is expected to be applied in practice. Its objective is explicit: to ensure that institutions operate with sound and prudent management arrangements that are proportionate to the nature, scale and complexity of their activities.


While the circular may initially appear as a technical consolidation exercise, its underlying message is more structural. Governance is no longer viewed as an ancillary control function. It has become a core condition for sustainable growth, safeguarding effectiveness and supervisory confidence.


A sector that has outgrown its legacy governance assumptions


The Luxembourg payments and electronic money sector has evolved rapidly. Institutions now process significant transaction volumes and values, rely on complex outsourcing and IT ecosystems, and operate business models that combine payments, safeguarding, technology and, increasingly, cross-border activities.


Circular 26/906 explicitly acknowledges that PIs and EMIs can no longer be treated as low-impact or purely operational actors. They hold client funds, ensure continuity of essential payment services, and form part of the financial system’s operational backbone.


In this context, governance weaknesses rarely remain contained. They tend to materialise through:


  • safeguarding incidents,

  • operational disruptions,

  • weaknesses in internal control functions,

  • or delayed supervisory intervention.


The circular therefore reinforces the principle already embedded in the Law of 10 November 2009: effective governance is a prerequisite for authorisation, continuity and credibility.


Governance is no longer a management topic — it is a Board responsibility


One of the most consequential aspects of Circular 26/906 is the way it reframes Board accountability in practice.


The circular places clear expectations on:


  • the collective responsibility, composition and effective functioning of management bodies,

  • the independence, authority and organisation of internal control functions, and

  • Board-level oversight of conflicts of interest, new product approval and safeguarding arrangements.


This is not about producing additional policies for supervisory files. It is a supervisory signal that governance outcomes — including failures — are attributable to the Board as a whole, not merely to executive management or control functions.


In day-to-day terms, this changes how Boards are expected to operate. For example:


  • approving a product no longer means endorsing a business case, but ensuring that risk, safeguarding and operational impacts have been effectively challenged;

  • receiving compliance or risk reports is not sufficient if the Board cannot demonstrate active oversight and informed judgement;

  • outsourcing arrangements require Board understanding of dependencies, not just contractual comfort.


This shift is further reinforced by the introduction of a mandatory annual compliance attestation, to be signed by the entire management body. By signing it, Board members collectively confirm compliance with all applicable CSSF requirements, or explicitly disclose deficiencies, root causes and remediation timelines. In practice, this often exposes gaps not in documentation, but in Board-level regulatory literacy and confidence.


In practical terms, this raises a fundamental Board question: are all members in a position to sign this attestation with confidence, based on their own understanding of the institution’s governance, risk and compliance framework?


This is not a formality. It requires Boards to ensure that they collectively possess — or have access to — sufficient regulatory, governance and compliance competence to exercise informed judgement, challenge management where needed, and stand behind the declaration they are asked to sign.


From fragmented controls to a coherent governance framework


Circular 26/906 consolidates governance expectations across several interdependent areas that now need to function as a single governance system:


  • Management bodies: Clear allocation of responsibilities, documented decision-making and effective oversight of strategy, risk appetite and safeguarding principles — with the expectation that Boards understand how these elements interact in practice.

  • Internal control functions: Reinforced requirements for Compliance, Risk Management and Internal Audit, including independence, access to information and escalation to the Board. Control functions are no longer expected to “report” risk — but to enable Board-level challenge.

  • Conflicts of interest: Stronger identification and governance of conflicts, particularly relevant for group structures, shareholder influence and embedded finance models. Boards are expected to understand not only declared conflicts, but structural incentives.

  • New product approval: A formalised process that links innovation to governance. Boards are expected to ensure that products are not only commercially viable, but operationally and legally sustainable.

  • Safeguarding of client funds: The circular reinforces that safeguarding is not an operational afterthought. It is a governance responsibility, requiring Board oversight of processes, controls and escalation mechanisms.


Together, these elements articulate a clear supervisory narrative: payment and electronic money institutions must demonstrate governance maturity proportionate to their systemic relevance.


Annual Compliance Attestation.

Why this is a growth issue — not merely a compliance one


Governance is sometimes perceived by payment fintechs as a constraint on speed. Circular 26/906 challenges that assumption directly.

In practice, weak or unclear governance tends to result in:

  • delayed supervisory approvals,

  • remediation programmes imposed under time pressure,

  • constrained product launches,

  • or loss of partner and client confidence.


Conversely, Boards that operate with clear governance frameworks and informed oversight are better positioned to:


  • engage constructively with the CSSF,

  • absorb regulatory change,

  • support innovation without creating supervisory friction.


In this sense, governance becomes a strategic enabler, not a brake on growth.


The role of independent oversight under CSSF supervision


As governance expectations increase, the value of independent challenge at Board level becomes more pronounced.


While Circular 26/906 does not mandate Board composition, its emphasis on effective oversight, conflict management and collective accountability implicitly raises expectations around independence, experience and regulatory literacy.


In practice, experienced independent non-executive directors add value by:


  • translating regulatory expectations into Board-level decisions,

  • challenging assumptions without operational or shareholder bias,

  • supporting Chairs in structuring effective Board discussions, and

  • ensuring that governance frameworks remain workable as institutions scale.


For many PIs and EMIs, strengthening independent oversight is no longer a theoretical governance discussion. It is becoming a pragmatic response to supervisory expectations.


Looking ahead to 30 June 2026


Institutions in scope of Circular 26/906 are required to assess and review their central administration, internal governance and risk management frameworks to ensure compliance by 30 June 2026.


The challenge is not understanding the text of the circular. It is embedding its principles into how Boards actually operate, decide and oversee.


Boards that engage early, reflect honestly on their governance model and reinforce effective independent oversight will be best positioned to demonstrate sound and prudent management.


Closing reflection — and what this means in practice


Circular CSSF 26/906 should not be understood as a technical update. It reflects a supervisory recalibration of Board responsibility in payment and electronic money institutions.


As business models become more complex, governance is no longer assessed through the existence of policies or committees alone. Supervisory focus increasingly lies on how Boards exercise judgement, how accountability is discharged in practice, and how early governance intervention occurs when risks emerge.


In practical terms, this means Boards are expected to:


  • understand the institution’s operational and organisational realities,

  • actively oversee internal control functions beyond formal reporting lines,

  • exercise informed challenge in areas such as safeguarding, product governance and conflicts of interest, and

  • intervene early when governance or risk signals arise.


Governance is no longer a layer applied after strategic decisions are taken. It is an integral part of how those decisions are shaped, tested and owned at Board level.


Institutions that treat Circular 26/906 as an opportunity to strengthen effective Board oversight, rather than as a compliance exercise, will be better positioned to maintain supervisory confidence and support sustainable growth beyond 30 June 2026.


Author perspective


This analysis reflects my experience working with Boards and management bodies of CSSF-regulated institutions, including payment and electronic money institutions, on governance, risk oversight and supervisory engagement.


As an independent non-executive director and board advisor, I work at the intersection of regulatory expectations and boardroom decision-making — supporting Chairs and Boards in translating supervisory requirements into effective, workable governance.


Through Linkvalue, I focus on board effectiveness, governance design and independent oversight in regulated fintech environments, where growth, innovation and supervisory expectations must be balanced carefully.


By Sonja Hilkhuijsen, Founder & Independent Non-Executive Director – Linkvalue

 
 
 