Fund tokenisation is revolutionising the investment landscape, making asset management more efficient, transparent, and accessible. At its essence, this process transforms traditional fund units into blockchain-based tokens, enabling investors to trade and transfer ownership with the speed and ease of digital assets – all while adhering to regulatory requirements. Unlike cryptocurrencies, these tokens are fully backed by real-world assets, blending innovation with security.

Leading financial institutions, from asset managers like Janus Henderson to regulatory centres such as Abu Dhabi, are actively exploring fund tokenisation to modernise investment structures. A notable example is Janus Henderson’s $11 million Anemoy Liquid Treasury Fund 1 , which employs tokenisation to enhance liquidity and accessibility. Likewise, Abu Dhabi’s Realize T-BILLS Fund 2 represents an ETF transformed through tokenisation, highlighting the rising institutional interest in this innovation. Luxembourg, a long-established financial hub, is also positioning itself at the forefront of tokenised funds 3 , drawing on its regulatory expertise and market infrastructure.As tokenisation gains traction, understanding its fundamentals, benefits, and challenges is crucial for investors and industry players. Let’s break it down, step by step.

I. Fund Tokenisation Explained

At its core, fund tokenisation is the process of converting traditional fund units into blockchain-based tokens. Instead of dealing with paper-based transactions, manual record- keeping, and slow settlement processes, investors can hold digital representations of fund shares on a secure and transparent blockchain. This makes transactions faster, more efficient, and easier to track. One key distinction to make: tokenised funds are not cryptocurrency. Unlike Bitcoin or other volatile digital assets, tokenised funds are fully regulated and backed by real-world assets, such as stocks, bonds, or real estate 4 . Think of tokenisation as modernising the way fund shares are managed – without changing their underlying value or risk structure. A useful approach to understanding asset management is to view it as the evolution of traditional processes, digitising ownership and optimising fund transactions for greater efficiency. By replacing cumbersome paperwork and outdated methods with streamlined digital solutions, investors experience a more efficient and modernised approach to fund management. This transformation is well underway. Norton Rose Fulbright 5 highlights tokenisation as a key driver in the evolution of investment funds, enhancing efficiency and lowering costs.

2. Key Benefits – How Tokenisation Enhances Investment Management

Enhanced Liquidity: Streamlining Transactions

One of the primary advantages of tokenised funds is improved liquidity. Unlike traditional fund shares, requiring multiple days to settle, tokenised assets facilitate near-instant transactions. This enables investors to enter or exit positions with greater ease, as explained by Tommaso Cervellati 6 , State Street Blockchain Specialist: “Private assets are typically illiquid, affecting secondary market trading and increasing the liquidity premium demanded by investors. Tokenisation addresses liquidity limitations, offering investors the possibility of trading tokens on a blockchain network 24/7. On the issuer’s side, converting private assets into blockchain tokens can increase liquidity through cheaper and more secure transactions.”

Enhanced Transparency: Leveraging Immutable Ledgers for Security

Blockchain technology ensures that all transactions are permanently recorded on an immutable ledger, mitigating fraud risks and improving operational efficiency. Real-time verification of fund ownership and transaction history reduces reliance on intermediaries, minimising errors and delays.

Expanded Market Access: Enabling Fractional Ownership

Tokenisation facilitates fractional ownership, allowing investors to purchase smaller portions of traditionally high-barrier assets. This broadens access to investment opportunities previously limited to institutional investors and high-net-worth individuals. As explained for real estate by Alex Taylor, Business Development Lead at TISE 7 , “Traditionally, [these] investments require a significant capital investment whilst having lengthy transaction times and complex/prolonged legal processes. Tokenisation simplifies the whole process, allowing properties to be divided into tokens (digitally), enabling investors to purchase a fractional share/s of a property”.

Institutional Adoption: Growing Interest from Traditional Investors

While blockchain technology was once viewed with scepticism by traditional investors, major financial institutions such as BlackRock 8 and Fidelity 9 are now actively exploring tokenisation. As established market players integrate this innovation, broader industry adoption is
becoming increasingly evident.

Conclusion: The Future of Fund Tokenisation

Fund tokenisation presents significant advantages. However, its successful adoption depends on addressing key challenges. Regulatory frameworks such as the Markets in Crypto-Assets Regulation (MiCA) are establishing compliance standards, ensuring market integrity while simultaneously adding layers of complexity. Additionally, technological considerations, ranging from smart contract vulnerabilities to broader security risks, necessitate continuous refinement and oversight. Despite these challenges, industry momentum continues to grow. Leading financial institutions are actively integrating tokenisation, reinforcing its long-term viability rather than positioning it as a short-lived trend. However, widespread adoption will require coordinated efforts among asset managers, regulators, and technology providers to develop a secure, scalable, and regulatory-compliant infrastructure. As the industry evolves, one reality is becoming increasingly evident: traditional, paper-based fund management is gradually being phased out. The question is no longer whether tokenisation will redefine investment management, but rather when, and which organisations will take the lead in shaping this transformation.

For expert insights, industry trends, and real-world applications, visit the LHoFT. Our ecosystem brings together leading experts, financial institutions, and innovative start-ups developing cutting-edge tokenisation solutions. Explore our in-depth insights and see howfund tokenisation is shaping the future of finance.

Citation

Featured Image source: Midjourney

1 Financial Times (September 13, 2024) “Janus Henderson to follow BlackRock and Fidelity into tokenisation” https://www.ft.com/content/648f2249-5783-4e98-8412-4056f56ad1b0

2 Reuters (November 2, 2024) “Abu Dhabi firm to launch tokenised US Treasuries fund” https://gulfbusiness.com/abu-dhabi-firm-to-tokenise-us-treasuries/#:~:text=Realize%2C%20an%20Abu%20Dhabi based%20technology%20firm%2C%20has%20launched,be%20held%2C%20traded%20and%20transferred%20on%20a%20blockchain.

3 PwC “Banking Trends and Figures 2023 – Technology, an enabler of a threat?” https://www.pwc.lu/en/banking/docs/pwc-banking-luxembourg-trends-figures-2023.pdf

4 Smain Bouchareb (13 Sep 2024) “Tokenization of real world assets: why choose Luxembourg?” https://iqeq.com/lu/insights/tokenization-of-real-world-assets-why-choose-luxembourg/

5 Podcast “Understanding tokenization: Insights, challenges and opportunities” https://www.nortonrosefulbright.com/en/knowledge/publications/60edb8c8/understanding-tokenization

6 Tommaso Cervellati (January 17, 2025) “Tokenization of Private Assets: Unlocking Liquidity, Transparency, & Access in the Modern Investment Landscape” https://caia.org/blog/2025/01/17/tokenization-private-assets-unlocking-liquidity-transparency-access-modern

7 Alex Tailor (10 Feb 2025) “Tokenisation – the future of ownership?” https://tisegroup.com/news/2025/tokenisation-the-future-of-ownership/

8 Natalia Karayaneva (Mar 21, 2024) “BlackRock's $10 Trillion Tokenization Vision: The Future Of Real World Assets” https://www.forbes.com/sites/nataliakarayaneva/2024/03/21/blackrocks-10-trillion-tokenization-vision-the-future-of-real-world-assets/

9 Ian Allison (Jun 10, 2024) “Fidelity International Tokenizes Money Market Fund on JPMorgan’s Blockchain” https://www.coindesk.com/business/2024/06/10/fidelity-international-tokenizes-money-market-fund-on-jpmorgans-blockchain

The financial sector is confronting significant challenges in combating money laundering, exacerbated by the rapid increase in non-cash transactions, which reached 1,3 trillion globally in 2023 (1)  and are projected to reach 2.3 trillion by 2027, with a growing rate of 15% annually. This surge is driven by the proliferation of digital payments and innovative financial services. Concurrently, money laundering schemes have become more sophisticated, with criminals exploiting advanced technologies and complex financial instruments to obscure illicit activities. Traditional rule-based AML systems are increasingly inadequate, generating high false-positive rates that burden compliance teams with resource-intensive investigations and failing to adapt to evolving laundering techniques. These inefficiencies underscore the urgent need for innovative approaches, such as AI-driven solutions(2), to effectively combat global financial crime.

The General Role of AI in Modernising AML

Traditional AML systems face significant challenges due to their reliance on static, rule-based mechanisms and manual processes. These systems often struggle to keep pace with the evolving sophistication of illicit financial activities, such as layering and structuring, which are designed to evade detection. This static approach results in high false-positive rates, overwhelming compliance teams with alerts that require extensive human effort to investigate, thereby diverting resources from genuine threats (3).  Moreover, the cost-benefit imbalance is stark; financial institutions incur substantial compliance costs, yet the recovery rates of illicit funds remain low, highlighting the inefficiency of traditional AML frameworks (4).  These limitations underscore the urgent need for more dynamic and adaptive AML solutions that can effectively address the complexities of modern financial crime.

Key Innovations Brought by AI

AI is transforming AML frameworks by integrating advanced technologies that collectively tackle the complexities of modern financial crime. At the core of this transformation is Machine Learning (ML), which enhances anomaly detection through adaptive algorithms capable of learning from vast, diverse datasets. By identifying subtle patterns and behaviours, ML significantly minimises false positives, enabling compliance teams to concentrate on genuine risks rather than expending resources on irrelevant alerts.

Graph analytics further strengthens detection capabilities by facilitating the analysis of intricate transaction networks. This method uncovers hidden connections and suspicious clusters that might otherwise remain undetected. Notably, graph analytics can reveal “unknown unknowns”—new and unexpected financial crime patterns—allowing institutions to identify and mitigate emerging threats before they escalate.

Underpinning these advancements is High-Performance Computing (HPC), which ensures AI systems can scale to process billions of data points efficiently. HPC provides the speed and computational power needed to analyse large-scale, complex transaction data in real-time, allowing institutions to monitor and respond to financial crime as it unfolds.

The Broader Impact

The integration of AI into AML frameworks brings about transformative changes that go far beyond immediate operational gains. By automating intricate detection processes and streamlining investigative workflows, AI dramatically improves efficiency, cutting down both investigation time and associated costs. This enables compliance teams to allocate their efforts to high-priority cases, enhancing overall accuracy and effectiveness.

AI’s capacity to analyse financial activities in real time introduces continuous monitoring and facilitates the detection of emerging money laundering patterns. This proactive approach allows institutions to anticipate and address evolving criminal tactics, rather than merely reacting after they occur.

Moreover, standardised and scalable AI tools foster greater global collaboration. By ensuring consistency and interoperability across institutions and jurisdictions, these technologies enable seamless information sharing and coordinated efforts to combat money laundering on a global scale.

Mopso’s Innovative Contribution to AI-Driven AML

Andrea Danielli, CEO and Founder of Mopso (5) , presents their solution: 

Combining Social Network Analysis and AI for Continuous Risk Monitoring

Mopso, in collaboration with the LIST, developed the project PAMLA (Performant Anti Money Laundering Analytics), which has been granted a HPC bridge from the Ministry of Economy. We aim at improving network analysis in the transaction monitoring domain, through the development of techniques for identifying specific crime-related traits in the topology of the network and associated attributes. The software will identify and characterise clusters looking for network motifs and other features that map to established crime patterns, as defined by the authorities. Secondly, if we can dispose of real banking data, we will look for the unknown-unknown, i.e., we will test many machine learning techniques like graph neural networks and deep neural networks, to explore unknown connections’ patterns not yet addressed by the actual transaction monitoring systems. 

Centralising Data for a Comprehensive View of Customer Activity

Mopso uses semantic web technologies to integrate a very large number of information sources that can be of different nature: internal to the financial institution, coming from open data, from data providers and from open-source intelligence. This means that, for every customer, the solution finds and combines up to 200 data sources, comparing data in between different time intervals. Once elaborated, this data could produce specific alerts, called “scenarios”, which create the customer’s individual money laundering risk profile. Then the technology is able to combine individual risk profiles into a bigger picture, thanks to network analysis, making it possible to spot profiles that, at first glance, seem legitimate. 

Prefilled SARs and More

We use different AI techniques in our software: the exploratory part is linked to fully explainable rule-based algorithms; on top of the analysis results we then use a layer of LLM to summarise the results or guide analysts in the necessary insights. The combination of the solutions allows to intercept, analyse and summarise the activities at risk of money laundering.

Transforming AML Workflows

Some preliminary results, prior to the PAMLA project, allowed us to identify as suspicious some operations that no transaction monitoring system had intercepted. In one exemplary case, we succeeded because we identified patterns that involved several subjects, both Italian and foreign, all traceable to the same pivotal subject, sometimes implicated as an administrator, sometimes as a partner. We noted that this technology is very strong in combating the so-called shell companies, widely used in the field of money laundering as they are easy to open, operate and allow the laundering of huge amounts of money.

Conclusion

The financial sector stands on the cusp of a transformative era, as AI offers groundbreaking tools to combat money laundering. Traditional methods, constrained by static rules and plagued by high false-positive rates, struggle to keep pace with increasingly sophisticated financial crimes. AI-powered solutions enable real-time monitoring, reveal hidden patterns, and craft comprehensive customer risk profiles, ushering in a proactive approach to tackling financial crime.

The moment for decisive action is here. As the industry turns to AI, financial institutions have an opportunity to lead by adopting these transformative technologies, enabling a more transparent and resilient financial ecosystem. Embracing cutting-edge innovations helps strengthen compliance, and positions organisations as frontrunners in the fight against financial crime in this new age of AI.

^Footnotes:

Image: Midjourney

(1) Capgemini (14 Sep 2023) “Global non-cash transaction volumes set to reach 1.3 trillion in 2023” https://www.capgemini.com/news/press-releases/global-non-cash-transaction-volumes-set-to-reach-1-3-trillion-in-2023

(2) European Institute of Management and Finance (EIMF) “The Impact of Artificial Intelligence in Anti-Money Laundering” https://eimf.eu/the-impact-of-artificial-intelligence-in-anti-money-laundering

(3) Team Sanction Scanner (19 July 2024) “The Future of Anti-Money Laundering: Trends and Technologies” https://www.sanctionscanner.com/blog/the-future-of-aml-trends-and-technologies-917 

(4) Raditio Ghifiardi (November 9, 2024) “The Urgency of AI in Anti-Money Laundering and Counter-Terrorism Financing: A Global Imperative” https://moderndiplomacy.eu/2024/11/09/the-urgency-of-ai-in-anti-money-laundering-and-counter-terrorism-financing-a-global-imperative

(5) https://www.mopso.eu/

At a recent industry conference, experts and leaders from Elvinger Hoss^[2], PwC Luxembourg^[3], Fundvis^[4], and Proximus^[5] convened at the Luxembourg House of Financial Tech (LHoFT) ^[6] to tackle the practical hurdles posed by DORA. The discussions highlighted a range of complexities, from compiling comprehensive registers of ICT services to renegotiating contracts with third-party providers. Despite the daunting nature of these tasks, attendees emphasised the transformative potential of DORA. Addressing these challenges head-on, will allow financial institutions to meet regulatory demands and ensure their operational resilience in an increasingly digital world.

DORA’s Core Requirements

The regulation introduces a comprehensive framework designed to fortify the digital resilience of financial institutions across Europe. Centred on five key pillars, it addresses distinct facets of operational resilience, providing financial entities with a structured approach to align and reinforce their operational foundations.

ICT Risk Management

ICT risk management lies at the heart of DORA, requiring organisations to identify, assess, and mitigate risks related to their information and communication technology. This involves comprehensive mapping exercises to pinpoint critical functions and dependencies, a prerequisite for effective implementation. Financial entities must continuously monitor and update their risk controls to address evolving threats​​.

Incident Reporting

Timely incident reporting is a non-negotiable requirement. Organisations must have standardised processes to report ICT-related incidents to regulators promptly. Clear documentation and communication protocols are essential to demonstrate compliance and support the broader financial ecosystem’s resilience​.

Digital Operational Resilience Testing

Resilience testing ensures that financial institutions can withstand disruptions. Regularly scheduled tests, such as penetration tests, must be conducted at least every three years and aligned with real-world risk scenarios. These tests provide invaluable insights into potential vulnerabilities and validate the effectiveness of existing controls​​.

Third-Party Risk Management

Managing third-party risks is one of the more challenging aspects of the regulation. Financial entities must:

• Update contracts with service providers, prioritising intra-group agreements and major suppliers like AWS and Microsoft.
• Create a register of information detailing third-party dependencies and the criticality of their services.

This process demands rigorous internal coordination complete with extensive external collaboration to collect and verify data​​.

Governance and Oversight

Effective governance is a cornerstone of DORA compliance. Organisations must:

• Engage their boards in overseeing digital resilience initiatives.
• Regularly present dashboards tracking compliance progress and remediation plans.
• Ensure that boards are aware of their accountability in meeting regulatory requirements.

Pathways to Achieving Compliance

With the January 17th deadline looming, financial institutions must adopt a structured approach. The following strategies focus on practical steps to meet regulatory requirements effectively while addressing key challenges.

Prioritise Mapping and Register Creation

The foundation of DORA compliance lies in conducting a comprehensive mapping exercise to identify all ICT services, their criticality, and dependencies. This step is essential before undertaking other compliance actions, as it informs all subsequent processes.

• Critical Focus Areas: Ensure the identification of business-critical functions and their ICT dependencies.
• Data Accuracy: Avoid skipping this step to save time, as inaccuracies here will lead to costly revisions later​.

Once mapping is complete, organisations must create the Register of Information, a central repository required by regulators. This task involves collecting extensive details from internal sources and external providers.

• Regulators will expect submissions in early Q1, and incomplete registers will not be accepted.
• Even if the register is not perfect, submit a robust first draft to demonstrate effort and readiness​

Address Third-Party Dependencies Proactively

Managing relationships with third-party service providers is one of the most time-consuming aspects of this regulation. Financial institutions should adopt a tiered approach:

• Intra-Group Agreements First: Update internal agreements within your organisation, as these require no external dependencies.
• Engage Key Providers: Prioritise updating contracts with critical providers like Microsoft and AWS, which often have pre-prepared DORA-compliant agreements.

• Small and Medium Providers: These providers may lack preparedness for DORA, making it crucial to document your engagement efforts meticulously​​.

Best practices include using standardised contract templates and documenting every communication to show your compliance efforts to regulators​​.

Implement Tools and Expertise for Efficiency

Leverage technology to streamline compliance activities:

• SaaS Platforms: Tools like Fundvis centralise register creation, automate data entry, and generate compliance reports for boards and regulators. These platforms help track progress and highlight areas needing attention​.
• External Support: Engage consultancy firms like PwC for gap analyses, third-party risk management, and assistance with resilience testing. Their industry expertise can expedite compliance​​.

Engage the Board and Document Efforts

Board-level engagement is vital for maintaining momentum and accountability:

• Present dashboards at every board meeting to track compliance progress and remediation plans.
• Highlight risks, gaps, and strategies for addressing outstanding issues​.

Regulators emphasise the importance of documenting all compliance efforts. From initial mapping exercises to third-party contract negotiations, keeping a detailed audit trail demonstrates commitment and ensures readiness for regulatory scrutiny​.

Conclusion

DORA compliance is a pivotal opportunity to fortify operational resilience across Europe. While tight deadlines and complex requirements demand swift, strategic action, financial institutions can rise to the challenge by prioritising key initiatives: mapping processes, updating registers, collaborating with third-party providers, and harnessing the right tools and expertise. Immediate engagement is essential; by embracing this regulation as a strategic advantage, financial institutions can future-proof their operations, earning the trust of regulators, stakeholders, and clients while navigating tomorrow’s challenges with confidence. 

Now is the time to act.

^Footnotes:

^{Featured Images: Midjourney}

^{[1] Rowan Armstrong (02 July 2024) ” EU Digital Operational Resilience Act: Countdown to comply with the January 2025 Deadline’ https://www.brownejacobson.com/insights/dora-countdown-to-comply-with-january-2025-deadline}

^{[2] https://elvingerhoss.lu}

^{[3] https://www.pwc.lu/} 

^{[4] https://fundvis.org/}

^{[5] https://www.proximus.lu/fr/index-en/}

^{[6] https://lhoft.com/lhoftv1/}

The highly critical sectors are mentioned in Annex I of Directive (EU) 2022/2555.

But NIS2 is more than a checklist of requirements; it represents a whole new field of action. For compliance teams facing “compliance fatigue,” the key to success lies in mastering two foundational principles: the all-hazards approach and cyber hygiene. By adopting a comprehensive approach to risk management and security, compliance leaders can enhance their organisations’ resilience, better preparing them for a secure digital future.

The All-Hazards Approach

What Is It?

NIS2’s all-hazards approach^[3] pushes organisations to look beyond conventional IT threats, requiring a broad assessment of risks across all operational areas, from HR to the supply chain. Cyber incidents may be the most prominent risks, but NIS2 recognises that any area that indirectly supports IT infrastructure can pose security threats if left unmanaged.

IT Risks: Traditional vulnerabilities like system flaws, network weaknesses, and outdated software remain critical, particularly given today’s advanced malware and phishing tactics. Companies should favour proactive measures, such as penetration testing and intrusion detection, to reduce these risks. The 2017 WannaCry ransomware attack^[4], which exploited a software vulnerability and affected thousands of systems globally, highlighted the importance of vigilant IT risk management.

HR Risks: Security also depends heavily on personnel. Untrained staff can accidentally expose systems to cyber threats. Compliance teams must address issues like data misuse, insider threats, and social engineering, and NIS2 mandates that management teams participate in cybersecurity training^[5], underscoring the need for a proactive approach to HR risk management.

Supply Chain Risks: A company’s cybersecurity is often only as strong as its partners. The SolarWinds breach^[6] illustrated how vulnerabilities in third-party software can allow attackers to infiltrate even well-defended organisations. NIS2 requires rigorous third-party risk assessments^[7], ensuring that all service providers adhere to cybersecurity standards to protect the entire supply chain.

Why It Matters

NIS2 underscores that resilience isn’t just about IT defences; it’s about securing the continuity of the entire organisation. This broad approach equips companies to adapt to unexpected disruptions, protecting all components of the operation and minimising downtime. Compliance leaders who adopt the all-hazards framework strengthen their organisation’s reliability and contribute to create a more comprehensive shield against potential crises.

How the Leaders Do It

Top compliance professionals see NIS2’s all-hazards approach as a strategic defence tool. They foster resilience by embedding a culture of risk awareness across all departments, ensuring that everyone from HR to procurement understands their role in cybersecurity. This unified effort ensures that all organisational components support the digital security strategy and align with regulatory standards.

Cyber Hygiene, The First Line of Defense

The Daily Routine

Like personal hygiene protects physical health, cyber hygiene practices provide essential protection against cyber threats. For NIS2 compliance, fundamental cybersecurity measures such as multi-factor authentication, encryption, and secure communication channels are non-negotiable. These actions create an affordable, effective cybersecurity foundation that can scale with evolving threats.

Multi-Factor: Authentication (MFA): Requiring multiple verification steps significantly reduces unauthorised access risks. MFA is essential, particularly for sectors like finance, where data breaches carry severe consequences.

Encryption: Safeguarding data during transmission and storage keeps sensitive information secure, even if it is accessed illegally. In May 2024, Ticketmaster experienced a significant data breach^[8] where hackers accessed unencrypted customer data, including names, addresses, emails, phone numbers, and partial credit card details – emphasising the critical importance of robust encryption policies to protect sensitive customer information.

Secure Communication Channels: All data within an organization should flow through secure channels. Tools like VPNs and secure messaging apps reduce risks of eavesdropping or interception, strengthening internal security.

Why It Matters

Cyber hygiene is more than “best practice”; it’s essential for reducing infiltration risks. Without consistent application, even sophisticated systems can fail. By embedding these fundamentals into daily routines, compliance professionals protect their organisations and ensure security awareness aligned with NIS2’s standards.

How the Leaders Approach It

Leading compliance officers make cyber hygiene a core aspect of organisational culture. They collaborate with IT and department heads to ensure cyber hygiene becomes second nature for all employees. Through regular cybersecurity training and reinforcement of daily protocols, compliance professionals cultivate a shared responsibility for cybersecurity that extends beyond compliance, building long-term resilience.

Conclusion: The Stakes and Path to Resilience

With fines reaching €10 million or 2% of global annual turnover^[9], NIS2 compliance stakes are high. However, for compliance leaders, the drive toward NIS2 compliance is more than avoiding penalties: it’s about building a stronger, more resilient organisation. By mastering the all-hazards approach and instilling cyber hygiene practices, compliance officers are doing more than meeting regulatory demands. They are fortifying their organisations against threats, elevating security, and embedding cybersecurity deeply into their operational culture.

As the European Union steps into this new cybersecurity era, the role of the compliance officer is expanding, requiring a proactive approach to risk management and innovation. By championing NIS2’s principles, professionals contribute to establish robust systems that can withstand tomorrow’s challenges, keeping their organisations secure and adaptable in a rapidly evolving digital landscape.

To dive deeper into how the financial sector is embracing cybersecurity and regulatory resilience, visit LHoFT.com. Discover resources and insights that can help you stay ahead in the evolving digital landscape. Protect your organisation, empower your team, and join the leaders shaping the future of finance with robust cybersecurity practices today!

Footnotes:

^[1] As of 18 October 2024, Directive 2016/1148/EU (Network and Information Systems) (NIS) will be repealed by Directive 2022/2555/EU (NIS2), dated 14 December 2022, which shall be implemented by the member states by 17 October 2024. Entities of the banking and financial sector fall within the scope of application of the NIS2 Directive. However, with regard to financial entities, this Directive shall be read in conjunction with Regulation 2022/2554/EU on digital operational resilience for the financial sector (DORA), which will be applicable as of 17 January 2025, with a direct effect in all member states. Source: https://ntpartnerlawfirm.com/fintech-in-luxembourg-2024/

^[2] Consolidated text: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance)Text with EEA relevance https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02022L2555-20221227

^[3] See article 21.2: “The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents…”

^[4] Josh Fruhlinger (24 Aug 2022) “WannaCry explained: A perfect ransomware storm” https://www.csoonline.com/article/563017/wannacry-explained-a-perfect-ransomware-storm.html

^[5] See article 20.2: “Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain

sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.”

^[6] ​​Saheed Oladimeji, Sean Michael Kerner (03 Nov 2023) “SolarWinds hack explained: Everything you need to know” https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know

^[7] See article 21.2 (d): “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;”

^[8] Mark Sellman (May 30 2024) “Ticketmaster customers urged to change passwords after global hack”

^[9] See article 34.4: “4. Member States shall ensure that where they infringe Article 21 or 23, essential entities are subject, in accordance with paragraphs 2 and 3 of this Article, to administrative fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the under taking to which the essential entity belongs, whichever is higher.

The Digital Operational Resilience Act (DORA), enacted by the EU on 16 January 2023, aims to strengthen the financial sector’s ability to manage ICT-related risks, including those highlighted by the COVID-19 pandemic and rising cyber threats. It introduces a standardized framework for operational resilience, ensuring that financial institutions and their critical third-party providers, like Google Cloud, maintain robust risk management, ongoing resilience testing, and transparent incident reporting. DORA places significant emphasis on securing digital infrastructures and minimizing service disruptions which are crucial for market stability and consumer trust. The regulation will officially apply from 17 January 2025, by which time financial institutions must comply with its rigorous standards^[1].

Building a Unified Framework for Resilience

Strengthening ICT Risk Management

DORA consolidates a broad range of existing EU regulations^[2], establishing a standardised framework for ICT risk management. It mandates financial entities to develop comprehensive ICT risk management systems including regular monitoring, incident reporting, and robust operational resilience testing. These requirements aim to ensure the stability of financial services, even under severe operational disruptions, by incorporating critical cyber threat intelligence and vulnerability monitoring into business continuity plans​.

ICT risk management framework in a nutshell^[3]:

• Identification of all sources of ICT risk
• Protection of ICT systems
• Detection of anomalous activities
• Response and recovery plans and procedures
• Continuous learning and evolving
• Crisis Communication policies and plans

Service Providers Under Scrutiny

A significant aspect of DORA is its extended oversight of critical ICT providers, including cloud service providers like Google Cloud. This new scrutiny is part of DORA’s third-party risk management rules, ensuring that cloud providers are accountable for maintaining high levels of transparency and resilience. Financial entities are required to assess the risks posed by these third-party services, report on their contracts, and ensure critical functions remain intact, even if disruptions occur. The ESAs (European Supervisory Authorities) will also oversee these providers, ensuring compliance with strict resilience and security standards.

Managing third-party risk in a nutshell:

• ICT third-party risk as an integral part of the ICT risk management framework
• Strategy on ICT third-party risk
• Register of information
• Pre-contracting analyses over ICT services
• Promotion of standard contractual clauses
• Empowerment of supervisory authorities to designate and exercise oversight over critical third-party service providers

Proactive Resilience Measures

DORA emphasizes proactive measures such as resilience testing and threat-led penetration testing^[4], particularly for financial institutions and their critical ICT systems. These tests ensure that firms can swiftly recover from disruptions while minimising the risk of significant failures. The regulation also mandates regular testing of systems and operational resilience measures to safeguard continuous service availability. For large institutions, advanced testing like TLPT (Threat-Led Penetration Testing) will be required, to ensure vulnerabilities are promptly addressed​.

Digital operational resilience testing in a nutshell:

• A digital operational resilience testing program as an integral part of the ICT risk management framework
• Advanced testing based on TLPT
• Requirements for testers for the carrying out of TLPT

Google Cloud’s Example

Google Cloud is actively preparing for the implementation of DORA^[5] by enhancing its cybersecurity, resilience testing, and third-party risk management capabilities to support European financial institutions. Recognising DORA’s potential to streamline incident reporting, strengthen operational resilience, and enable direct regulatory oversight of critical ICT providers, Google Cloud is committed to aligning with these new regulations.

Through initiatives such as the Cloud On Europe’s Terms^[6], Google Cloud ensures compliance with EU requirements for data sovereignty, security, and sustainability. Its industry-leading security infrastructure, including tools like the Security Command Center^[7], enables customers to manage and monitor incidents independently. Additionally, Google Cloud supports rigorous resilience testing, including penetration and disaster recovery tests, helping financial entities meet DORA’s requirements.

Conclusion

DORA is more than just another regulatory hurdle; it’s a bold directive reshaping the very foundation of operational resilience in Europe’s financial sector. By demanding enhanced cybersecurity, continuous testing, and tighter third-party oversight, DORA pushes financial entities to not just comply but thrive in an era of relentless digital threats. As the 2025 deadline looms, this is a call to arms for the sector: to evolve from reactive risk management to proactive, ironclad resilience. Service providers like Google Cloud are already embracing this challenge, setting the standard with advanced security infrastructures and collaborative transparency with regulators. The question now is not whether financial institutions are ready to comply, but whether they are ready to lead.

Ready to future-proof your financial institution under DORA? Discover how Luxembourg’s financial hub is preparing for the challenges and opportunities ahead. Visit LHoFT for the latest insights, resources, and support to ensure your operational resilience strategies are not only compliant but positioned for leadership in this new era of digital security.

^Footnotes:

^{Featured Images: Midjourney}

^{Images https://sosafe-awareness.com/glossary/dora/}

^{[1]    For More Information on the Draft RTS :https://www.eiopa.europa.eu/publications/set-rules-under-dora-ict-and-third-party-risk-management-and-incident-classification_en}

^{[2] McCann FitzGerald LLP (30 June 2023), “Exploring DORA: the EU Digital Operational Resilience Act” http://mccannfitzgerald.com/knowledge/finance/briefing-dora-digital- operational- resilience-act}  

^{[3]  Onur Ozdemir (12 April 2023) “DORA regulation: all your questions answered – Read about the new regulatory framework for digital risk management” https://kpmg.com/lu/en/blogs/home/posts/2023/04/dora-regulation-all-your-questions-answered.html}

^{[4] “What is Threat Led Penetration Testing and why does DORA require it” https://www.secura.com/services/integrated-approach/dora/what-is-threat-led-penetration-testing} 

^{[5] Phil Venables (June 4 2022) “Google Cloud’s preparations to address the Digital Operational Resilience Act” https://cloud.google.com/blog/products/identity-security/what-google-cloud-is-doing-to-prepare-for-dora} 

^{[6] https://cloud.google.com/blog/products/identity-security/helping-build-the-digital-future-on-europes-terms} 

^{[7] https://cloud.google.com/security/products/security-command-center}  

Over the past few years, Luxembourg has developed into one of the leading Fintech hubs in Europe. More and more Fintech companies appreciate the central location within Europe, the low-threshold offers, and the advanced regulations for businesses. Luxembourg is one of the leading international financial centers in Europe – with 120 banks and a multitude of insurance companies. With managed assets of over six trillion euros, it is the second-largest fund management center in the world. The proximity to decision-makers from local institutions has attracted numerous B2B Fintech companies that find their customers here.

As a result, more and more innovative businesses have been settling in the country for years. This development is supported by strong connections to Germany, which facilitate cross-border cooperation and growth.

Learn here why you can start your startup in Luxembourg without bureaucratic hurdles and how the country supports Fintech companies.

Four Growth Segments of the Luxembourg Fintech Ecosystem

The Luxembourg Fintech ecosystem shines through diversity and innovative power. In four central segments, companies are driving technological development and thus setting new standards in the financial sector.

Payments

In the area of payments, companies like A352 and Pliant stand out with their innovative solutions. These companies develop technologies that make the payment process more efficient and secure, thereby significantly contributing to the transformation of the financial sector.

Fundtech

Next Gate Tech, Fundcraft, and FundsDLT are pioneers in the field of Fundtech. They work on advanced platforms that automate and optimize the fund management process, resulting in significant efficiency gains.

Blockchain

The pioneering work of HQLAX and Stokr in the field of tokenization is revolutionizing the financial markets. These companies use blockchain technology to make the trading of digital assets more secure and transparent.

Regtech

The pioneering work of HQLAX and Stokr in the field of tokenization is revolutionizing the financial markets. These companies use blockchain technology to make the trading of digital assets more secure and transparent.

Opportunities for Companies in Luxembourg

Luxembourg offers Fintech companies unique advantages. These include a stable political and economic environment, modern regulations, and access to a diverse, international talent pool. This creates ideal conditions for firms looking to develop innovative solutions in the financial sector.

“Luxembourg’s position as a leading Fintech hub in Europe demonstrates our commitment to promoting innovation and creating a supportive environment for business development. The close relationships we maintain with Germany and other neighboring Fintech ecosystems expand opportunities and promote cross-border cooperation and growth. Luxembourg is not just a location, but a strategic launchpad for Fintechs that want to lead the future of finance.” – Nasir Zubairi, CEO of the Luxembourg House of Financial Technology (LHOFT)

Furthermore, Luxembourg maintains close partnerships with German Fintech ecosystems such as TechQuartier, HOFT Berlin, and the Frankfurt Accelerator. These collaborations promote the exchange of knowledge and resources and create cross-border growth opportunities for Fintech companies.

“Collaborations like these are very valuable to us,” says Alice Rettig, Managing Director of TechQuartier in Frankfurt. “Innovations do not stop at national borders. Cross-regional cooperation is essential and increases the innovative power of both ecosystems.”

Luxembourg Fintech Map 2024

Luxembourg’s Key Players in the Fintech Sector

Startup Luxembourg serves as the gateway to the Luxembourg startup ecosystem and provides comprehensive support for startups looking to establish themselves in Luxembourg. By promoting networks, knowledge exchange, and cooperation opportunities, the LHOFT Foundation helps companies navigate the complex financial landscape. This makes Luxembourg a premier location for Fintech companies, startups, investors, and financial institutions, offering a dynamic and future-oriented market with many opportunities for growth and innovation.

In June 2023, The European Commission unveiled two significant legislative proposals: the third Payment Services Directive (PSD3)^[1] and the Payment Services Regulation (PSR)^[2]. These updates are designed to replace the existing framework under PSD2, which has been in place since 2015. PSD3 and PSR aim to modernise and strengthen the regulatory environment for payment services across the European Union, ensuring that it keeps pace with the rapid advancements in digital finance. These texts introduce crucial changes that will shape the future of innovation, competition, and security in the payment service industry.

By tightening regulatory oversight, enhancing consumer protections, and enabling a more competitive landscape, these proposals will both address current challenges and set the stage for the next wave of Fintech evolution.

Key Changes and Innovations

Merging of E-Money and Payment Services

One of the most significant updates is the merging of the E-Money Directive with the Payment Services Directive^[3]. This integration aims to create a unified regulatory framework for both payment institutions and electronic money institutions, reducing the complexity that previously existed between these two sectors.

While this merger does streamline the regulatory framework, it may not necessarily lower barriers to entry. The requirements for an e-money license are expected to remain the same, if not become more stringent, which could limit the ease with which new players can enter the market. Previously, a Payment Institution (PI) license, and in some countries a Small Payment Institution, license, offered a more accessible entry point for smaller firms to establish themselves. However, the increased regulatory rigor could enhance banks’ confidence in providing transactional banking services to licensed entities, as they benefit from stronger compliance measures.

Strengthened Regulatory Oversight

PSD3 introduces more stringent licensing and authorisation requirements for payment service providers. These include higher capital requirements^[4], mandatory winding-up plans^[5], and a more streamlined authorisation process^[6]. The aim here is to enhance the stability and reliability of payment services across the EU.

While these changes are designed to increase consumer trust and market integrity, they also pose significant challenges for smaller Fintech firms. The increased compliance demands may strain resources, particularly for startups and smaller companies, potentially leading to market consolidation as these firms struggle to meet the new requirements^[7].

Enhanced Open Banking and Open Finance

PSD3 also brings significant enhancements to the Open Banking framework, including clearer guidelines for improved user protection and confidence, and expanded access rights for third-party providers. These changes are intended to remove existing barriers and improve the functionality of open banking across the EU^[8]. The new rules offer an opportunity to deliver more robust and competitive services. Improved standards (dedicated data access interface^[9] for ASPSPs^[10] etc.) and increased access rights will enable Fintechs to integrate more seamlessly with banks, enhancing their ability to innovate and provide better services to consumers. Conversely, firms must also invest in more reliable infrastructure to remain competitive.

Security and Consumer Protection

Strong Customer Authentication (SCA)

Regarding PSR and according to EY^[11], “A significant change in the cybersecurity domain is the expansion of security requirements to encompass payment card schemes, payment gateways, and merchants. The regulation also now covers third parties to whom technical, operational, and communication services have been outsourced. This mandates more parties in the payment chains to implement systems such as Strong Customer Authentication (SCA)^[12] to bolster payment security.” The new rules also introduce other rigorous fraud prevention mechanisms, including enhanced transaction monitoring^[13] and stricter liability rules.

Anti-Fraud Measures

Alongside the strengthened SCA, PSR introduces several new anti-fraud measures aimed at safeguarding consumer transactions. Key among these is the mandatory IBAN-name matching for credit transfers, which helps verify that the payee’s details match the intended recipient^[14]. Additionally, the regulation promotes enhanced data-sharing protocols^[15] among payment service providers to detect and prevent fraudulent activities more effectively.

While these measures may increase operational complexity, they are essential for maintaining a secure and trustworthy service in the eyes of consumers and regulators alike.

Conclusion

Regulations streamlining, better consumer protection, more competitive market… These proposals are set to significantly reshape the landscape of digital payments. For Fintech companies, this evolution presents both challenges and opportunities: while increased market compliance demands may strain resources, especially for small players, the potential for innovation and improved security offers a pathway to greater trust and adoption in the market.

Firms that adapt quickly and invest in strengthening their infrastructure and compliance frameworks will be well-positioned to thrive in this new era. PSD3 and PSR are not just regulatory updates, they bring the foundation for the next waves of innovation and growth in payment services.

Curious to learn more about E-Money services and how they’re shaping the future of finance? Dive into the latest insights on regulatory updates, market trends, and opportunities for innovation!

Notes:

Featured image source : Midjourney

^{[1] Proposal for a Directive of the European Parliament and the Council on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52023PC0366}

^{[2] Proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52023PC0367}

^{[3] See Recital 5 of PSD3: “Even though the issuance of electronic money is regulated under Directive 2009/110/EC of the European Parliament and of the Council,31 the use of electronic money to fund payment transactions is to a very large extent regulated by Directive (EU) 2015/2366. Consequently, the legal framework applicable to electronic money institutions and payment institutions, in particular with regard to the conduct of business rules, is already substantially aligned. (…) It is therefore appropriate that the authorisation and supervision regime applicable to electronic money institutions is further aligned with the regime applicable to payment institutions.}

^{[4] See Recital 25 of PSD3: “To cater for the risks posed by their activities, payment institutions need to hold enough initial capital combined with own funds. Considering the possibility for payment institutions to engage in the wide range of activities covered by this Directive it is appropriate to adjust the level of the initial capital attached to individual services to the nature and the risks attached to these services.”}

^{[5] See the Explanatory Memorandum pf PSD3, p.7, “Licensing and supervision of payment service providers”: “The procedures for application for authorisation and control of shareholding are mostly unchanged from PSD2, with the exception of a new requirement for a winding-up plan to be submitted with an application, but made fully consistent for institutions providing payment services and electronic money services.”}

^{[6] See Recital 18 of PSD3: “To ensure a level playing field and a harmonised process for the granting of an authorisation to undertakings applying for a payment institution license, it is appropriate to impose to competent authorities a time limit of 3 months for the authorisation process to be concluded, after the receipt of all the information required for the decision.”}

^{[7] See articles 5 and 6 of PSD3.}

^{[8] See page 5 of PSD3: “There are four specific objectives of the initiative, corresponding to the identified problems: 1. Strengthen user protection and confidence in payments; 2. Improve the competitiveness of open banking services; 3. Improve enforcement and implementation in Member States; 4. Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs.”}

^{[9] See p.5 of PSD3: “requirement for account servicing PSPs (ASPSPs) to put in place a dedicated data access interface; “permissions dashboards” to allow users to manage their granted open banking access permissions;”}

^{[10] Account Servicing Payment Service Providers}

^{[11] Rudrani Djwalapersad (22 Feb 2024) “PSD3 and PSR: regulatory uniformization for enhanced protection” https://www.ey.com/en_nl/cybersecurity/psd3-and-psr-regulatory-uniformization-for-enhanced-protection}

^{[12] See article 85 of the PSR.}

^{[13] See p.10 of the PSR, “Operational and security risks and authentication”: “A new provision is added requiring PSPs to have transaction monitoring mechanisms in place to provide for the application of strong customer authentication and to improve the prevention and detection of fraudulent transactions.”}

^{[14] See p.6 of the PSR: “Improvements to the application of SCA, (…) extension of IBAN verification to all credit transfers.” See Recital 104 of PSR: “‘Unique identifier’ should be understood as referring to ‘IBAN’“}

^{[15] See article 84 of the PSR: “Payment service providers shall alert their customers via all appropriate means and media when new forms of payment fraud emerge…”}

Navigate the Fintech Seas with Ease! Let our map guide you in finding like-minded partners and facilitating growth through collaborative ventures.

The LHoFT – Luxembourg House of Financial Technology is committed to fostering a dynamic and flourishing Fintech community. To facilitate navigation and maximise opportunities within the Luxembourg Fintech ecosystem, we have developed the Luxembourg Fintech Map in collaboration with LFF, The Payments Association EU, ALFI, ACA, and ABBL.

This comprehensive Fintech map provides an extensive overview of the dynamic and flourishing Luxembourg Fintech ecosystem. While it may not be exhaustive, this map offers valuable insights into the diverse range of Fintech companies and organizations operating within Luxembourg.

Together, let’s ensure every Fintech entity in #Luxembourg is represented on our map!

We identified 200+ companies to be included in the map. Is your company, or another company you know missing from the map? Does your logo need updating?

Click here to let us know!

Innovation-friendly environment and technological advances

Luxembourg is known for its openness to new technologies and its ability to adapt quickly. With the introduction of blockchain, artificial intelligence and other technologies, the country has positioned itself as a pioneer in digital transformation. The government has recognized that an innovative environment and a strong digital infrastructure are crucial to remaining competitive as a global financial centre.

An outstanding example of this innovative power is Luxembourg’s blockchain legislation, which has created a robust legal framework for tokenization. Luxembourg was one of the first countries in Europe to introduce new laws for blockchain to promote its use in the financial industry. This legislation enables financial institutions to process transactions more efficiently and securely with finality, making Luxembourg an attractive location for companies specializing in blockchain technologies.

A significant result of this progressive legislation was the first tokenized bond issuance in the European Union. Both the World Bank and the European Investment Bank (EIB) have issued their first tokenized bonds under Luxembourg law. These transactions underline Luxembourg’s pioneering role in financial innovation and demonstrate the potential of blockchain technology in the securities sector.

In addition, tokenization is increasingly being used in the fund and securities sector. Tokenized funds offer a new way for investors to acquire and trade shares in funds in a more efficient and transparent manner. These developments help to further strengthen Luxembourg’s position as a leading centre for innovative financial services.

Regulatory excellence and stability

A key component of Luxembourg’s success as a financial centre is its stable and flexible regulatory environment. The Commission de Surveillance du Secteur Financier (CSSF) is continuously working to align regulation with international standards while supporting innovative approaches. This has contributed to Luxembourg being perceived not only as a safe but also as a dynamic location for financial services.

A notable example is the introduction of the Markets in Crypto-Assets Act (MiCA) at the European level, which Luxembourg has actively helped to shape. MiCA creates a unified legal framework for crypto-assets in the European Union and provides legal certainty and trust for companies and investors. Luxembourg’s involvement in the development and implementation of these regulations demonstrates the country’s commitment to integrating modern technologies into the financial sector.

Luxembourg has also consolidated its leadership in sustainable finance. By adopting environmental, social and governance (ESG) policies and promoting green bonds, the country has laid the foundation for a sustainable future for the financial sector. The Luxembourg Green Exchange (LGX) is one of the world’s first platforms focused exclusively on green, social and sustainable securities. These initiatives underline Luxembourg’s commitment to moving the financial sector in a more sustainable direction.

Digitalisation and future prospects

Digitalisation is a key driver for the future of the financial sector and Luxembourg has established itself as a pioneer in this field. The promotion of fintech innovations and the implementation of modern technologies have made the country an attractive location for start-ups and established technology companies.

The Luxembourg House of Financial Technology (LHoFT) plays a central role in the digital transformation of the financial sector in Luxembourg. As a hub for the exchange of ideas and collaboration between start-ups, established companies and academic institutions, LHoFT promotes the development of new technologies and solutions that increase the competitiveness of the Luxembourg financial sector on a global level. LHoFT is strongly committed to the education and training of professionals and promotes the development of skills that are essential for the digital future of the financial industry.

LHoFT also plays a leading role in the EU by working closely with other innovation hubs to drive fintech and digital innovation. This cross-border collaboration helps to create a strong and connected European fintech community that leads the global competition.

Another key aspect of digitalization is the area of ​​cybersecurity. Luxembourg has made significant investments in cybersecurity infrastructure to ensure the protection of sensitive financial data. The introduction of strict data protection laws and the establishment of specialized bodies such as the Cybersecurity Competence Centre (C3) underline the country’s commitment to ensuring the security and integrity of the financial system.

Conclusion

Luxembourg has established itself as a leading financial centre that impresses with a unique combination of innovation and regulatory excellence. Advanced blockchain legislation, active participation in shaping European crypto asset regulations and a commitment to sustainable finance are just a few examples of the country’s forward-looking orientation.

By promoting fintech innovation and strengthening cybersecurity infrastructure, Luxembourg, supported by the work of LHoFT, is well positioned to continue to play a key role in the global financial sector in the future. The harmonious integration of innovation and regulation will enable Luxembourg to continue to serve as a model for other financial centres and to consolidate its place as a leading location for financial services.