Suspicious Operations Reporting in Luxembourg – New Guideline (Version 2.2, effective 06/01/2026)
The Financial Intelligence Unit (FIU) of Luxembourg published Version 2.2 of its Suspicious Operations Report guideline, effective 6 January 2026. The guideline replaces the prior FIU document from 2018 and clarifies expectations for all professionals subject to the Luxembourg AML/CFT Law. It reiterates that any professional, their directors or employees who know, suspect or have reasonable grounds to suspect money laundering, an associated predicate offence or terrorist financing must report without delay, supplying all supporting information and documents that gave rise to the suspicion. The reporting duty applies whether the operation is complete or merely attempted and irrespective of transaction value or whether the predicate offence can be determined.
Who is covered and when a suspicion arises
The AML/CFT Law’s scope includes domestic professionals, branches of foreign firms in Luxembourg and foreign-established professionals providing services into Luxembourg without a local branch. Suspicion is defined broadly as a negative judgment based on hints, impressions or circumstances rather than proven facts; therefore reporting does not require evidence, only reasonable grounds. Suspicion can arise from the person involved, the development of the operation, the origin of funds, the purpose, nature or process of the transaction, and may concern money laundering, any predicate offence or terrorist financing whether committed or attempted.
Clarification on money laundering and terrorist financing
The guideline summarises the criminal law framing in Luxembourg: money laundering covers facilitation of misleading justification of property, placement, concealment, disguise, transfer or conversion of proceeds, and acquiring, holding or using proceeds when the recipient knows their criminal origin. Any crime or offence can be a predicate offence. Attempted laundering is punishable equally to completed offences, including when primary offences occurred abroad. Terrorist financing is defined as directly or indirectly providing or collecting funds or property, unlawfully and deliberately, with intent or knowledge that they will be used to commit terrorist offences, even if no specific terrorist act is identified. The obligation to report applies to any funds that are reasonably suspected of being linked to terrorism.
How to report: goAML registration and submission options
Before filing, professionals must register as a reporting entity on the FIU’s goAML Web application and designate at least one compliance officer. Registration is mandatory and supports timely cooperation with information requests. Once validated, users may file reports online using the FIU forms or upload XML exports from internal systems. The FIU provides distinct forms to distinguish money laundering from terrorist financing and to differentiate suspicious transaction reports (STRs) from suspicious activity reports (SARs). Forms contain mandatory and optional fields; reporters should complete as many relevant fields as possible and may supplement with other pertinent indicators or narrative.
Responding to FIU information requests
Even absent an initial STR from a professional, the FIU can issue information requests. Recipients must reply without delay using the goAML feedback forms; responses may be submitted online or via XML. Where feasible, responses should be provided within two weeks. Requests marked “urgent” should be answered within a week, and “very urgent” requests – common in terrorist financing contexts – require a 24-hour turnaround.
Confidentiality, communication ban and legal protections
A strict communication ban forbids disclosing that information has been, will be or may be reported to the FIU or that an FIU investigation or freezing order exists. Disclosing the existence of an STR, an FIU information request or a freezing order is a criminal offence unless authorised by the FIU. Exceptions permit disclosure to Luxembourg supervisory authorities and certain self-regulatory bodies, and within groups where cross-border sharing complies with group-wide AML policies and legal standards. Professionals may, in appropriate contexts, dissuade clients from illegal activity without breaching the ban. The guideline stresses that reporters acting in good faith enjoy immunity from civil, criminal or administrative proceedings for making bona fide reports; materials supplied to the FIU cannot be used against the reporting person for breach of professional obligations. The FIU, where possible, will avoid disclosing whether provided information originated from an STR or the reporter’s identity when sharing with foreign counterparts or prosecutors.
Outcomes for business relationships and execution of transactions
The decision to maintain or terminate a business relationship remains with the professional; there is no automatic legal obligation to terminate simply because a report was filed. Professionals must, however, refrain from executing transactions they know, suspect or reasonably suspect to be linked to money laundering or terrorism until they have informed the FIU. After a report is filed, goAML generates an acknowledgement. Unless the FIU issues a freezing order, professionals may, at their own risk, decide to carry out the transaction once they have received the system-generated acknowledgement; such execution remains their sole responsibility. The FIU does not provide authorisations or legal opinions on transactions, and professionals should not seek transactional clearance from the FIU.
Identification methodology and indicators
The guideline encourages a contextual and structured approach to identifying suspicious operations. Single indicators may suffice when especially relevant; more often, a combination of otherwise innocuous factors produces reasonable grounds for suspicion. The FIU recommends use of indicators supplied in goAML forms and additional ones where necessary; these are grouped by transaction patterns, typologies, sectors, products and contextual factors to help structure reporting and enable trend analysis. The guideline reinforces that there is no monetary reporting threshold and that even attempted transactions must be reported when suspicion exists.
Sanctions for non-compliance
Failure to file an STR or to respond to an FIU information request exposes professionals to criminal fines ranging from EUR 12,500 to EUR 5,000,000. Equivalent penalties may apply for unlawful disclosure of an STR, an FIU request or a freezing order. Supervisory authorities and self-regulatory bodies have expanded sanctioning powers to enforce AML/CFT obligations, including administrative measures and professional sanctions.
Practical implications for compliance teams
The 2026 guideline underscores several practical imperatives for compliance functions.
First, ensure mandatory goAML registration and maintain validated user accounts and designated compliance officers.
Second, equip transaction monitoring and reporting systems to export goAML-compatible XML or ensure effective manual reporting processes for fewer or smaller reports.
Third, document the contextual analysis that underpins suspicion, including the indicators selected and why they support reasonable grounds – this strengthens the defensibility of reporting decisions.
Fourth, implement strict internal controls and staff training on the communication ban and on how to handle requests from the FIU, including response timelines for ordinary, urgent and very urgent inquiries.
Finally, preserve a clear escalation path for cases where the decision to continue or terminate a relationship raises legal, regulatory or reputational issues, and seek external legal counsel when necessary without breaching confidentiality restrictions.
Closing note
Version 2.2 harmonises procedural expectations and clarifies duties and protections for reporting professionals in Luxembourg. It places strong emphasis on prompt reporting, thorough documentation, protected confidentiality, and cooperation with FIU requests. Compliance teams should review their goAML readiness, indicator frameworks, internal reporting protocols and staff training to ensure alignment with the guideline and to mitigate regulatory and criminal risk.
Dive deeper
- CRF ¦ Mise à jour des lignes directrices relatives aux obligations de déclaration et d’information à la CRF ¦ Link