CSSF guidance on virtual assets (credit institutions)

On 23 December 2021, in an FAQ Virtual Assets – Credit institutions (“FAQ"), the CSSF provided guidance for credit institutions wishing to offer virtual asset services; this was updated on 4 January 2022.

The FAQ currently addresses seven questions:

1. Are credit institutions allowed to invest in virtual assets?

Yes. The CSSF recalls that banking regulation does not prohibit credit institutions from directly investing in virtual assets but certain accounting and capital-related considerations apply.

• Accounting considerations: since virtual assets lack physical substance, they should be recognised as intangible unless they qualify for the accounting treatment applied to other cash asset classes like cash equivalents or financial instruments.
• Capital-related considerations: when risk-weighting virtual assets under the Capital Requirements Regulation ("CRR"), credit institutions must adopt a conservative approach. Gross exposures to virtual assets shall receive a 1250% risk weight or alternatively be deducted from capital. Additional risks, in particular operational risks, not fully covered by CRR risk weights have to be capitalised under Pillar 2.

2. Are credit institutions allowed to open accounts in virtual assets?

Yes. Credit institutions may open accounts that allow customers to deposit virtual assets. Such accounts are comparable to securities accounts for the safekeeping of traditional financial instruments, but they come with their specific operational risks.

The FAQ clarifies, however, that credit institutions cannot open bank accounts (e.g. current accounts) in virtual assets.

3. What registrations/notifications are needed for credit institutions that intend to provide virtual asset services?

Before offering virtual asset services, the following steps must be considered:

• The offering of virtual asset services, either within scope of Article 1(20c) of the amended 2004 Law on the fight against money laundering and terrorist financing ("AML/CFT Law") or any other activity in relation to virtual assets, requires the prior presentation of a detailed business case to the CSSF.
• For services within scope of Article 1(20c) of AML/CFT Law, a complete application file for registration as a virtual asset service provider ("VASP") needs to be submitted.

4. What are the expectations of the CSSF towards credit institutions that use specialised virtual assets exchange and custody platforms, in particular as regards custody services?

The CSSF observes that Luxembourg banks generally keep virtual assets at external exchange or custody platforms. This counterparty risk may contractually be transferred to the customer but to be effective from a risk perspective, this would require the customer to contract directly with the virtual asset service provider. This has to be taken into account in the context of the large exposure limits framework provided in the CRR for the counterparty risk on custody or exchange platforms.

Credit institutions that envisage directly safeguarding virtual assets are required to inform the CSSF of such plans in a timely manner.

5. What are the CSSF’s requirements with regard to investor protection in the context of the provision of virtual asset services?

Even though virtual assets are not deemed to be financial instruments within the meaning of the amended Law of 5 April 1993 on the financial sector and as such do not fall under the investor protection rules of MiFID, the CSSF expects credit institutions to set up an effective investor protection framework (including best execution, suitability and appropriateness) and to inform investors accordingly of the underlying risks.

6. What are the general operational requirements that credit institutions have to comply with?

The general principles of sound and prudent banking further to Circular CSSF 12/552 apply:

• guaranteeing knowledge, competence and expertise, infrastructure and human resources, at the operational, control and management levels;
• applying the ex-ante New Product Approval Process;
• mitigating all risk to avoid operational and financial contagion effects on the regulated activities.

7. Can a Luxembourg depositary act as depositary for investment funds investing directly in virtual assets?

Depositaries mandated to act as depositary for investment funds investing directly in virtual assets must comply with the requirements under Q.4 in addition to the specific requirement that generally applies to Luxembourg fund depositaries. The latter have to notify the CSSF beforehand.

Where the IFM/investment fund directly appoints a specialised VASP offering a “custodian wallet type of service” (i.e. the depositary does not offer safekeeping or administration type of services), only this provider is liable for the restitution of the assets and the IFM/investment must have a direct contractual relationship with the latter.

If the depositary directly provides services related to safekeeping or the administration of virtual assets (including the custodian wallet service), it has the obligation to register as a VASP within the meaning of the AML/CFT law. In addition, as indicated in Q.4, such fund depositaries are also required to inform the CSSF.