There are different ways in which (regulated) start-ups may be formed, depending on the activity, size and preference of their (future) shareholders or the legal/tax advice obtained from local advisors. This article describes the process from the point at which nothing yet exists until the point at which the company is no longer considered a start-up because business has been launched. Compared with joining an existing entity or department as a compliance officer (“CO”), managing or integrating the compliance function in a regulated start-up environment brings additional challenges on top of the already quite heavy burden on COs nowadays, as set out hereafter.


Steven Curfs

Associate Director Ocorian


Steven is responsible for the legal and compliance department in Luxembourg. He also acts as the accredited data protection officer and serves as secretary to the Board of Directors.

Steven started his career as a corporate lawyer in a magic circle law firm before joining a leading global financial institution where he was co-responsible for all alternative investment products.

In the last six years he has specialised in setting-up and managing regulated entities such as management companies and service providers for alternative investment funds in Luxembourg and has experience in both emerging and established markets. He acts as a Director on several regulated and unregulated entities in Luxembourg and abroad and is a member of ALCO & ALFI working groups in the field of alternative investments. Steven has been an ILA certified director since 2016.

Steven holds a Master of Laws from Maastricht University and an LLM in International Business Law from McGill University, Montréal. He also speaks eight languages including French, English, German, Dutch, Luxembourgish, Spanish, Portuguese and Italian.

Starting point

The Law of 5 April 1993 on the financial sector, as amended (the “1993 Law”), provides, in general terms, for the following regulated entities to be set up:

 -  Banks

 -  Investment firms

 -  Specialised PSFs

 -  Support PSFs

 -  Payment agents

Each category of entity carries different rules and regulations and, as a consequence, different requirements. However, similarities exist for all of them, and it is those that we will focus on.

A regulated start-up is usually set up with one or more (future) members of the entity’s (the “Entity”) board and management being appointed with the task of initiating the so-called licence request (demande d’agrément) with the CSSF. A simple private or public limited liability company may be set up by the (future) shareholders (the “Shareholders”) to enable these members to be employed, to secure office space, to set up a first IT environment, and so on, although this is not mandatory. It is also usual for the Shareholders to obtain prior legal and tax advice from advisors locally or abroad to ensure that their project has a chance of being accepted by the CSSF.

The dedicated CO may already be employed at this time by the Entity to assist with the different phases of the licence request, the drafting of documents, structure charts, policies and procedures, and so on. It is also possible that advisors or consultants provide the CSSF with these documents based on standard forms, which will later be adapted by the Entity’s CO to the specific needs of the Entity. The CSSF permits a member of the daily management of certain Entities to act as CO for a limited period of time upon obtainment of the relevant licence according to the proportionality principle. This is not the case for financial institutions, payment firms or investment firms, which need a CO right away.


CO’s tasks and priorities during the licence obtainment process

Depending on the solidity of the licence request file, the obtainment process may take more or less time. A CO employed from the outset should ensure that any additional document or clarification request from the CSSF is treated as a top priority. An electronic record of the initial request, as well as of all follow-up requests from the CSSF and the answers sent to the CSSF in return, should be kept for future reference (see below).

The Entity’s CO should use as much time as possible during this period to start setting up the skeleton of the compliance function. A good starting point is to take the laws and regulations applicable to the Entity and to map those out (for instance using an Excel sheet). Once this has been done, an analysis can be made as to what needs to be put in place in terms of policies and procedures to ensure satisfactory compliance with such requirements. The licence request file will also be a good help as it sets out in some detail the specific requirements which the CSSF imposes on the Entity. It is recommended to use a separate Excel sheet or tab to set out the requirements and the answers given by the Entity to the CSSF in that document, as well as any follow-up between the Entity and the CSSF prior to licence obtainment. This is particularly important in the light of the newly introduced article 15(9) of the 1993 Law, which obliges the Entity to inform the CSSF of any “important” changes made in comparison with the original licence request.

The mapping document referred to above is also crucial to enable the CO to put a yearly compliance monitoring plan in place once the Entity is up and running (see below).

Another important task for the CO during this period is to create an electronic and physical filing environment in line with the IT set-up as described in the licence request file. Thought should be given to the actual implementation of the policies and procedures, checklists and KRI/KPI documents, reporting to the Entity’s authorised management and its board of directors, and so on. A coherent electronic and physical filing system will allow for the reduction of errors and thus the reduction of the legal & compliance risk for the Entity from the outset. Standard reporting can already be prepared in draft form for use at launch. 

The CO may very well also be involved in the operational set-up of the Entity, reviewing operational procedures, the set-up of Entity bank accounts, signing powers, selection and set-up of relevant third-party client software to be used to service the Entity’s clients, and so on. Standard service agreements and other documents binding the company to its future clients may well also need to be reviewed by compliance (and might even need to be included in the original licence request, depending on the licence sought).


Finally, the CO will inevitably be involved in the scrutiny of any outsourced activities (for instance finance, payroll, IT, and so on) and will usually also have to be informed of the proposed set-up with regard to the internal and external auditor of the Entity.



Upon obtainment of the licence

Once the Entity has gotten the green light from the CSSF and has obtained its licence from the Ministry of Finance, the activity can be launched. If not yet launched, the Entity can formally be incorporated and its governing bodies and external auditor appointed; if already launched, the bylaws may now be changed to reflect the changes required for regulated entities. The CO should not forget to ensure that the board of directors and/or the authorised management of the Entity approve the relevant policies, procedures and other documents that shall apply throughout the Entity’s duration and are required by law or regulation. Where applicable, these decisions and/or documents should be provided to the CSSF for information (for instance the internal audit charter, tri-annual internal audit plan, remuneration policy, formal appointment of governing bodies and external auditors, and so on). Others might be filed with the Luxembourg Business Register (“LBR”), such as an authorised signatories list of the Entity. Infrastructural and IT requirements must now be in line with the description set out in the licence request (secured office space, Chinese walls for IT systems where required, and so on). External and internal auditors, IT and other service providers may now be hired through engagement letters or service contracts.

Now is also a good time to set up and design the yearly compliance monitoring plan, which will derive from the mapping (Excel) document referred to earlier on. A risk and priority level can for instance be added to every single requirement of that document, which can then be translated into a multi-year compliance monitoring plan, taking into account the identified risks and priorities. Of course, such a plan is very likely to be a living document in a start-up environment for obvious reasons. Also, any comments received from the CSSF during a first courtesy visit, as well as feedback from the internal and external audit functions and, last but not least, the compliance function itself after the first year of business, should be taken into account and integrated.


In order to comply with the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the “2004 Law”), and CSSF Regulation 12-02 on the same topic (the “CSSF Regulation”), transaction monitoring checks, usually integrated in the Entity’s KYC Policy and Procedure, should be put into place and carried out in line with such internal documents. ALCO offers a good model document, consisting of (1) a Client Profile and (2) a Transaction Monitoring document, which can be used from the outset and until the activity of the Entity allows for it, taking into account the nature and frequency of transactions carried out by its clients. Furthermore, the Entity must now ensure, in line with the CSSF Regulation, that any of its clients’ UBOs are screened on a regular basis against relevant defined watch lists. Several software solutions exist that can assist with this requirement if the Entity cannot base itself on group systems which will have been approved for use in Luxembourg by the CSSF.

In line with the requirements outlined above, it is also wise to already request the “Go AML” access from the Cellule de Renseignement Financier attached to the State Prosecutor (Parquet) (“CRF”), by (1) obtaining a Luxtrust certificate for the CO and (2) registering online on the CRF’s website.

In order to allow authorised management, and thus indirectly the board of directors, of the Entity to be informed on a regular basis of the activity from an operational and support functions point of view, it is advisable to set up internal KPIs/KRIs for each department which are filled out and communicated to authorised management on a monthly basis. Any outsourced activities should be the object of similar reporting from the companies/persons to which such activities are outsourced, notwithstanding any annual reporting that may be made available to external/internal control functions. Authorised management can then use these KPIs/KRIs to compile a quarterly report to the Entity’s board of directors.


Any regulatory or legal changes applicable to the Entity should be included in the aforementioned mapping (Excel) document and translated into the multi-year compliance monitoring program. This will allow for (1) changing relevant policies and procedures whenever needed, (2) formal approval by the authorised management or board of directors of the Entity, (3) an audit trail and (4) compliance with these new regulations or laws. A good starting point is to subscribe to the newsletters from the CSSF and the Ministry of Finance (sanctions lists) as well as those of the big four and magic circle law firms in Luxembourg and/or abroad.

Last but not least, membership of professional bodies like ALCO, ALJB, ALFI, ILA, and so on may now be considered in order to stay up to date with industry standards and to be able to contribute to these organisations where this could be mutually beneficial.


As can be deduced from the short outline given above, the challenge of the CO in regulated start-up environments is that it requires deep knowledge of the applicable and current laws and regulations for the Entity. Consequently, a seasoned and experienced person should be hired for this kind of function.

The chosen CO should also be very flexible and eager to work cross-functionally, at least at the start of the Entity’s corporate life and during the licence request process, as in the absence thereof the puzzle of building a regulated start-up Entity cannot be finished adequately. This is however also the charm of the CO’s function in such a setting, as it will be very enriching and allow for a much broader view of the Entity’s business, not limited to the mere “traditional” compliance tasks which one can imagine in an established entity’s compliance department.