Agefi Luxembourg - December 2025

AGEFI Luxembourg 14 December 2025 Consulting

Banks are exposed to fraud from multiple directions. Internally, employees may misuse client funds. Externally, clients may use their accounts to perpetrate fraud or fall victim to external schemes. Fraud risks are increasing due to criminal ingenuity, evolving attacks, the exponential growth in electronic payment methods, and the speed of transactions. This multifaceted threat landscape demands an equally comprehensive response that combines compliance with legal and regulatory requirements, strong governance, robust processes, proper forensic investigation expertise and strategic crisis management.

The legal framework

From a contract law perspective, banks are the agents of their clients and are obligated to execute payment orders correctly and diligently. They shall verify the origin of transfer orders and check the regularity and authenticity of instructions based on their form, appearance, and general circumstances. Any anomaly that casts doubt on the authenticity of an instruction triggers the duty to suspend execution and seek confirmation from the client.

Banks are bound by a duty of care, meaning they have to detect both intellectual and material anomalies in transactions. They should therefore configure both ex ante and ex post transaction monitoring systems to consider several criteria surrounding the circumstances of transactions (e.g. the amount, beneficiary, jurisdiction, frequency, transaction history, and client profile), whilst ensuring there is also a human review of alerts. However, this duty of care is balanced against the bank’s duty of non-interference in the client’s affairs.

From a regulatory perspective, the second Payment Services Directive (PSD2) states that clients are to be provided with appropriate means to notify the loss, theft, misappropriation, or unauthorised use of payment instruments, and imposes the confidentiality and integrity of security data through strong customer authentication based on independent factors (e.g., a password, device, or biometric data). The third Payment Services Directive (PSD3) proposal requires banks to verify whether the beneficiary’s IBAN matches the account holder’s name to reduce fraud.

Banks are also subject to professional obligations regarding the fight against money laundering (1) and terrorist financing, as per the amended law of 12 November 2004, including due diligence measures adapted to the client’s risk level, adequate internal organisation, and cooperation with authorities. Administrative and criminal sanctions may be imposed if a bank violates these obligations.

In addition, accepting or transferring illicit funds may expose banks to money laundering liability. Jurisdictions hold that it is sufficient for a bank to know or suspect, based on factual circumstances, that any legal provenance of the funds can be excluded (2).

Operational excellence: beyond rule-based monitoring

Fraud and AML transaction monitoring appear distinct, yet they are tightly interconnected. Fraud is a key predicate offence to money laundering. Therefore, reducing fraud exposure directly mitigates the money laundering risk. Although in-house anti-fraud and AML teams often operate separately, they rely on the same transactional data, just analysed through different lenses. Failing to connect these insights may imply overlooking important synergies and risks.

Most monitoring frameworks are still originator-centric, focussed on something being “unusual for my customer”. Beneficiaries typically receive limited scrutiny beyond sanctions or PEP screening.
This creates a structural blind spot for mule accounts and scam beneficiaries to operate with minimal visibility.

Traditional monitoring relies on static rules and thresholds that criminals circumvent through micro-transactions, rapid fund movement, and high-velocity patterns. With instant payments eliminating post-event review windows, institutions risk detecting yesterday’s activity while new patterns go unnoticed. Regulators increasingly expect intelligence-led, real-time monitoring capable of adapting to emerging threats.

Modern monitoring therefore requires a shift toward beneficiary-centric and behaviour-driven analytics. Beneficiary profiling, mapping typical inflows, sender diversity, timing and network relationships all help reveal repeated payments, mule signatures, and abnormal fan-in/fan-out behaviour.

Behavioural analytics strengthen effectiveness by establishing dynamic baselines for each customer (e.g., transaction rhythm, device use, payment velocity and counterparties) because anomalies in this data can help identify fraud. Applying this approach to beneficiaries and their networks uncovers mule clusters and scam ecosystems invisible to static rules.

However, none of this can be achieved without high-quality data. Poor documentation of business relationships that offers no insight into expected transactional behaviour weakens AML and fraud monitoring.

Improving data quality means capturing accurate onboarding information, enriched payment fields, and consistent beneficiary identifiers across channels. Industry-wide sharing of known scam beneficiaries and strong data governance could further enhance monitoring effectiveness.
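
An added illustration of the beneficiary-centric profiling described above (not code from the article or its authors): it computes fan-in, fan-out and the share of inflow forwarded onward for each beneficiary. The payments are constructed, and the account names, thresholds and two-hour window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample payments: (timestamp, sender, beneficiary, amount in EUR).
PAYMENTS = [
    ("2025-12-01T09:00", "cust_a", "acct_m", 900),
    ("2025-12-01T09:05", "cust_b", "acct_m", 950),
    ("2025-12-01T09:12", "cust_c", "acct_m", 800),
    ("2025-12-01T09:20", "cust_d", "acct_m", 990),
    ("2025-12-01T09:40", "acct_m", "ext_x", 1800),
    ("2025-12-01T09:45", "acct_m", "ext_y", 1750),
    ("2025-12-01T10:00", "cust_a", "shop_s", 40),
    ("2025-12-02T11:00", "cust_b", "shop_s", 35),
    ("2025-12-03T12:00", "cust_a", "shop_s", 60),
    ("2025-12-04T08:00", "cust_e", "shop_s", 25),
]

def beneficiary_profiles(payments, window=timedelta(hours=2)):
    """Per-beneficiary fan-in, fan-out and share of inflow forwarded within `window`."""
    inflow, outflow = defaultdict(list), defaultdict(list)
    for ts, sender, benef, amount in payments:
        t = datetime.fromisoformat(ts)
        inflow[benef].append((t, sender, amount))
        outflow[sender].append((t, benef, amount))
    profiles = {}
    for acct, credits in inflow.items():
        first_in = min(t for t, _, _ in credits)
        last_in = max(t for t, _, _ in credits)
        total_in = sum(a for _, _, a in credits)
        # Debits leaving the account from the first credit until `window` after the last one.
        quick = [(c, a) for t, c, a in outflow.get(acct, [])
                 if first_in <= t <= last_in + window]
        profiles[acct] = {
            "fan_in": len({s for _, s, _ in credits}),      # sender diversity
            "fan_out": len({c for c, _ in quick}),          # onward counterparties
            "pass_through": round(min(sum(a for _, a in quick) / total_in, 1.0), 2),
            "burst_hours": (last_in - first_in).total_seconds() / 3600,
        }
    return profiles

def flag_mule_like(profiles, min_fan_in=3, min_pass_through=0.8, max_burst_hours=24):
    """Illustrative thresholds: many senders in a short burst, most of it forwarded on."""
    return sorted(a for a, p in profiles.items()
                  if p["fan_in"] >= min_fan_in
                  and p["pass_through"] >= min_pass_through
                  and p["burst_hours"] <= max_burst_hours)
```

On the sample data, `shop_s` has a fan-in of three but forwards nothing and is not flagged, which shows why sender diversity alone is not a sufficient signal.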

When prevention fails: safeguarding rights across multiple proceedings

If fraud occurs despite robust frameworks, banks must simultaneously navigate administrative, criminal, and civil proceedings associated with significant reputational and operational exposure. It is therefore critical to safeguard procedural rights and build a strong defence strategy, which requires knowledge of the facts. This is the time to onboard forensic experts, as their fact-based and documented insights will help to trace assets and provide informed answers to the authorities.

Administrative proceedings

From an administrative perspective, banks are subject to continuous CSSF supervision and the obligation to cooperate, meaning they should provide the most complete and accurate answers to the regulator. It helps to conduct gap analyses against legal and regulatory requirements and prepare for inspections by establishing dedicated teams and locating key documentation. Remediation measures should be taken in case of non-compliance.

Criminal liability

One of the fundamental principles in criminal law is that an individual or legal person cannot be held criminally liable for the acts of others. However, a bank may be held criminally liable in certain situations:

- Having knowingly participated in fraud: a person with decision-making power in the bank having participated in the fraudulent activity is enough to engage the bank’s criminal liability. However, the bank may contest its criminal liability if, for instance, the individual did not act in the interests of the legal person. The individual, whether an employee or a director, may then be held personally criminally liable.
- Internal complicity and supervisory failures: even in cases involving third parties, financial institutions may be held liable if internal employees facilitated the fraud and inadequate supervision allowed it to occur.
- AML violations: banks also face criminal risk for violations of the amended law of 12 November 2004 if they fail to detect fraudulent activity.

Several legal arguments may help mitigate and limit criminal risk exposure:

- Cooperating with the authorities and considering a prosecution agreement (“jugement sur accord”), which involves negotiating the recognised offences, the sentence, and other key aspects of the case.
- Criminal proceedings brought against a financial institution could be declared inadmissible under the non bis in idem principle, on the grounds that an administrative sanction had previously been imposed on it by an administrative authority, as confirmed by recent court decisions (3), and by the Supreme Court in June 2025 (4).

Banks may also file criminal complaints if they are victims of fraud, though this does not preclude civil liability from being engaged.

Civil liability

Banks’ liability is often pursued by fraud victims as the most solvent parties subject to regulatory obligations. Two liability regimes must be distinguished:

- the special regime under the amended law of 10 November 2009 on payment services (PSD I/II), which applies to “unauthorised” payment transactions and transactions not executed, incorrectly executed or executed late, and
- the ordinary liability regime comprising contractual liability, tortious liability, AML law, which applies to “authorised” payment transactions.

The distinction between “authorised” and “unauthorised” transactions is not straightforward. The 2009 law defines “authorised” transactions as those where the payer has given consent. In the absence of consent, the transaction is deemed “unauthorised”, without any further definition of what constitutes an unauthorised payment authorisation.

Legal provisions and case law suggest that consent must appear to be valid. The fact that consent is vitiated because it does not correspond to the client’s real intention (due to deception or threats) is not considered.

The special regime provides automatic reimbursement without proving fault, counterbalanced by a 13-month dispute deadline. For “unauthorised” transactions, banks must provide reimbursement unless clients miss the 13-month deadline (note that a deadline of 30 days has been accepted between professionals according to case law (5)) or demonstrate fraudulent conduct or gross negligence.

For “authorised” transactions, banks have several defence arguments, including contesting the bank’s fault through contractual documentation and client profile analysis; demonstrating the user’s fault, including breach of enhanced vigilance duties; challenging the causal link between the alleged fault and damage; and contesting the certainty, directness or personal nature of the damage.

Forensic experts: essential for legal counsels and their lawyers

From dawn raids to internal investigations, forensic experts play a critical role in identifying, collecting, analysing, and preserving evidence in a fully defensible manner. As the bridge between raw data and strategic defence, they translate vast volumes of information into admissible evidence, building evidence-based arguments that withstand judicial scrutiny.

Forensic analysis can help address the moral dimension of alleged offences. In money laundering cases, demonstrating the diligence processes conducted and the research into the origin of funds can be crucial to prove that a banker acted with appropriate care, thereby negating the intent element required for criminal liability.

Forensic experts collaborate seamlessly with legal counsels and their lawyers to help them respond to proceedings with facts and safeguard the bank’s rights.

Conclusion

Exponential fraud risks require that Luxembourg banks implement a holistic strategy. As fraud risks evolve, so too must the strategies and tools used to protect banks and their clients.
Therefore, collaborating with multidisciplinary teams capable of navigating complex regulatory, criminal, and civil proceedings is essential.

Clara BOURGI, Counsel – Arendt & Medernach
Noémie HALLER, Counsel – Arendt & Medernach
Edouard DELFOSSE, Director – Arendt Regulatory & Consulting
Markos-Marios BIKAS, Director – Arendt Regulatory & Consulting

1) The recent bill of law 8486, as amended, aims to modify the Criminal Code by replacing the list of offences that may be qualified as predicate offences through a general reference to criminal offences (“délits” and “crimes”).
2) Cour d’appel, 14 May 2019, n°173/19.
3) Chambre du Conseil de la Cour d’appel, 26 February 2025, n°106/25 Ch.c.C.
4) Cour de cassation, 12 June 2025, n°102/2025.
5) Cour d’appel, 5 November 2024, n°159/24.

Fraud risks targeting Luxembourg banks: a multi-layered defence strategy

Financial institutions are accelerating the transfer of key processes to artificial intelligence (AI) agents, profoundly transforming the customer relationship in banking and insurance. According to the World Cloud Report in Financial Services 2026 from the Capgemini Research Institute, banks deploy these agents mainly for customer service (75%), fraud detection (64%), loan processing (61%) and onboarding (59%). Insurers follow the same trend, with customer service in the lead (70%), followed by underwriting, claims management and customer onboarding.

AI agents could generate up to 450 billion dollars of economic value by 2028. To capture this potential, a third of banks are developing their own agents and nearly half of institutions are creating new roles to supervise them. The cloud is becoming a strategic pillar: 61% of executives consider cloud orchestration essential to their AI strategy, with cloud platforms becoming genuine engines of innovation at scale.
While 80% of companies in the sector are in the design or pilot phase, only 10% have deployed AI agents at scale. The functions judged the most inefficient remain onboarding and KYC, loan and claims processing, and underwriting. Executives expect AI agents to deliver real-time decision-making, better accuracy and shorter processing times.

Beyond efficiency, AI agents are seen as growth levers: geographic expansion without heavy investment, dynamic pricing and personalised offers, and multilingual assistance compliant with local regulations. As a result, up to 40% of generative AI budgets are already dedicated to AI agents, and a quarter of companies plan to sharply increase these investments by 2028.

However, obstacles remain: the skills shortage, regulatory constraints and high costs. To address them, some companies are turning to Service-as-a-Software models, favouring pay-per-use and outcome-based payment over licences or infrastructure.

This shift also requires a cultural and organisational transformation of financial institutions. Collaboration between business, IT and compliance teams is becoming essential to secure deployments, guarantee customer trust and ensure lasting adoption of AI agents across the enterprise.

Banks and insurers are deploying AI agents to fight fraud ©Freepik
