Luxembourg Tightens Identity Verification Rules With Circular 792 quater

The Luxembourg Registration Duties, Estates and VAT Authority has released a major regulatory clarification through Circular 792 quater, tightening the rules governing customer identification and identity verification for all professionals under its supervision. The circular reinforces compliance with the amended Law of 12 November 2004 on combating money laundering and terrorist financing, with a particular focus on the realities of digital finance and complex legal arrangements. By updating and clarifying these obligations, Luxembourg is seeking to reinforce its financial safeguards and ensure a consistently high level of transparency across all supervised activities. A central feature of the new guidance is the requirement for professionals to demonstrate the effectiveness of their verification processes, placing the responsibility for evidencing compliance squarely on service providers themselves.

Under the revised framework, the identification of natural persons must follow a strict and methodical process based on reliable and independent sources. Professionals are required to collect and verify official government-issued identification documents for every individual client, primarily valid identity cards or passports. To meet regulatory expectations, these documents must include a clear photograph, the holder’s signature, and must not be expired at the time of verification. The authority stresses that identification is not a procedural formality but a core defense against the entry of illicit actors into the legitimate financial system. All documents must be fully legible and comprehensible to ensure transparency during supervisory inspections. Where foreign identification documents are used, professionals must be able to provide an official translation into English or one of Luxembourg’s official languages within two weeks if requested, preventing language barriers from obscuring fraudulent conduct or inconsistencies during audits.

The circular marks a clear departure from passive document gathering toward an active and risk-based verification approach. Professionals are expected to assess whether the documents genuinely correspond to the individual, taking into account factors such as geographic origin and personal risk indicators. For clients onboarded remotely, the authority encourages the use of electronic identification methods or trust services in line with EU Regulation 910/2014. These tools must be recognized or approved by national authorities and offer a level of assurance equivalent to in-person verification. While digital solutions are acknowledged as facilitators, the circular makes clear that they do not diminish the professional’s ultimate responsibility for data accuracy. All information collected must be verified against independent databases or official sources before establishing a business relationship.

The requirements become more detailed when professionals deal with legal persons or complex legal structures, reflecting the heightened risk of misuse through shell entities. Professionals must collect comprehensive information, including the entity’s official name, legal form, and registered office. Where the principal place of business differs from the registered address, both locations must be recorded to provide a complete overview of the entity’s operations. Identification must also cover legal representatives, directors, and any individuals authorized to bind the entity legally, ensuring that the people behind the structure are subject to the same scrutiny as individual clients. In addition, professionals must obtain the most recent coordinated articles of association and a current extract from the commercial register to confirm the entity’s legal existence and status.

A key element of the updated rules is the obligation to obtain an organizational chart clearly showing the ownership and control structure of the legal person. This chart must be sufficiently detailed to allow the identification of ultimate beneficial owners who exercise significant control or influence. By imposing this requirement, Luxembourg aims to make it harder for individuals to conceal financial interests behind multi-layered corporate arrangements. All documentation, whether held in physical or electronic form, must be stored securely and remain readily available for inspection by competent authorities. Professionals are also required to treat client information as dynamic rather than static, updating their records promptly when corporate structures change or new directors are appointed, thereby maintaining an accurate and current risk assessment.

The 2026 update formally recognizes the growing role of financial technology by allowing the use of secure electronic or remote identification processes, provided they are regulated and accepted by national authorities. These methods must be embedded within internal risk management systems so that the level of vigilance remains proportionate to the risks identified. The circular draws an important distinction between verification and authentication, noting that authentication is a more formal process generally applied in situations requiring enhanced scrutiny. Understanding this distinction is essential for professionals when designing internal controls and selecting technology providers for identity verification services.

Responsibility for proving the adequacy of verification measures rests entirely with the professional, who must be able to justify the chosen methods based on a documented risk analysis. If a digital verification solution fails to detect a sophisticated forgery, the professional must demonstrate that all regulatory requirements were followed and that appropriate due diligence was exercised. The use of trust services and electronic signatures adds an element of non-repudiation, reducing the likelihood that clients can later dispute their involvement or claim misuse of their identity. As financial services continue to evolve in an increasingly digital and interconnected environment, the circular provides a stabilizing framework that ensures consistent transparency across both traditional and digital channels. Professionals are expected to remain attentive to technological and regulatory developments to keep their systems aligned with Luxembourg and EU standards.

The circular also reinforces the principle that customer due diligence is an ongoing obligation rather than a one-off exercise. Professionals must maintain continuous vigilance throughout the duration of the business relationship, regularly reviewing client information to ensure it remains accurate and relevant. These reviews should take into account changes in client behavior or circumstances that could alter the risk profile. The depth and frequency of monitoring must follow a risk-based approach, with higher-risk relationships subject to more frequent and detailed scrutiny.

By adopting this proactive and comprehensive stance, Luxembourg seeks to protect the integrity of its financial system against increasingly sophisticated financial crime. The authority underlines that compliance goes beyond checklist adherence and requires a genuine understanding of risks and appropriate mitigation measures. As supervised professionals implement the updated requirements of Circular 792 quater, they contribute to preserving Luxembourg’s reputation as a transparent and secure financial center. Achieving this objective will depend on clear internal policies, continuous staff training, and robust technical systems capable of supporting the complexities of modern identity verification.

By fLEXI tEAM