KYC/AML software · Luxembourg-specific

The Luxembourg KYC compliance that international tools cannot deliver.

Verifying who is really behind a Luxembourg company is complicated. International tools like Onfido or ComplyAdvantage know how to scan an ID card and check sanctions lists. But they stop there. When the investor goes through a cascade of holding companies, fund associations, foreign trusts and nominees, your international tools return an "OK" score and the regulator still asks how you identified the real beneficial owner. Our KYC Luxembourg is built for that work. Reconstruction of complex organisation charts down to natural persons, integration of Luxembourg registers, explainable scoring, and an AI agent that digs when standard sources return nothing.

Build my quote → Contact us
Main features

What the software actually does.

4-step max onboarding, mobile-first

For an individual: identity + patrimonial situation + source of funds + liveness selfie + eIDAS qualified e-signature via LuxTrust or Itsme. For a company: enter RCS number, automatically retrieve directors, agents, shareholders, articles, K-bis. Each UBO becomes an individual personal journey. Client doesn't wait 3 weeks: full KYC often within 24 hours.

UBO organisation chart reconstructed level by level

This is the Luxembourg core business. The tool climbs each ownership branch, level by level, multiplying percentages, until identifying natural-person beneficial owners under the 13 January 2019 law. It handles SOPARFI, SCS, SCSp, SCA, SA, SARL, RAIF, SIF, SICAV, SICAR, foundations, ASBL, foreign trusts, nominee shareholders. It compares what it reconstructs with the RBE declaration filed by the entity and flags divergences. Interactive graphical visualisation with auditable PDF export.

Sanctions, PEP, adverse media, continuously, without false positives

The tool continuously scans your portfolio against UN, EU consolidated, OFAC SDN, UK HMT, national sanctions lists. It identifies politically exposed persons, their family, their associates. It aggregates adverse media mentions. But mostly, it intelligently filters false positives: multilingual phonetic matching (Arabic, Cyrillic, Chinese), date of birth / country / profession cross-checking, learning from past analyst decisions. No more drowning in useless alerts.

Explained 0-100 scoring, not a black box

When the CSSF asks why a client is rated 67/100, you need to answer. Our scoring aggregates 8 weighted dimensions (country, structure, sector, PEP, sanctions, adverse media, behavioural, onboarding channel) with an explainable model (documented gradient boosting, not an opaque neural network). Each score is broken down dimension by dimension with quantified contribution of each factor. You justify every decision to the auditor in 2 minutes.

When standard sources return nothing, the AI investigation agent takes over

The feature that changes everything on complex cases. An indirect UBO via a Cayman trust, an individual with no digital footprint to verify PEP status, an RBE declaration inconsistent with the economic context: your standard KYC returns "OK" and you know that's not enough. You launch the AI agent. It receives the question, develops an investigation plan, searches the web with advanced operators, reads UK Companies House annual returns, cross-checks with OpenSanctions, OCCRP Aleph, ICIJ Offshore Leaks (Pandora Papers, Panama Papers), Luxembourg local press (Paperjam, Delano, Wort). It returns an argued dossier with cited sources. You validate or reject.

CSSF 12-02 workflow compliant to the letter

The tool exactly reflects the responsibility structure CSSF Regulation 12-02 imposes: front office initiates, RC validates, RR escalates if needed, authorised manager decides critical cases. Predefined workflows for standard onboarding, EDD, enhanced due diligence, sanctions alert (automatic temporary freeze), periodic review per risk class, and suspicious transaction report to the Financial Intelligence Unit via goAML with pre-drafted argued narrative validated by human.

Your sensitive data does not go to OpenAI

For banking or insurance secrecy actors (Article 41 LSF), no covered data leaves your infrastructure. The AI engine routes each task by sensitivity: documentary OCR in specialised cloud for non-sensitive documents, AI model installed on your own server (vLLM, Ollama, local Mistral) for analysis of contracts under secrecy. That's what lets banks and PSFs use an AI agent without CSSF exception.

CSSF audit ready at all times

For each client: complete dossier exportable as digitally signed PDF with documents, decisions, scores, alerts, investigation files. For management: quarterly dashboard structured per CSSF expectations. For RR: automatic annual AML report. For FIU: pre-filled goAML format suspicious transaction reports. For external auditor: read-only access with timestamped signed export. Immutable audit trail (cryptographic signatures, eIDAS qualified timestamping), 5-year retention post-relationship per AML law.

Use cases

Who it is for, and in what context.

Retail banks, private banks, business banks Luxembourg: individual and institutional client onboarding, periodic KYC renewed every 1-3 years per risk.

PSFs (specialised, support, others) supervised by CSSF: institutional client KYC, counterparty KYC.

Management companies (UCITS, AIFM, ManCo) and funds (SIF, SICAV, SICAR, RAIF): individual and corporate subscriber onboarding, final UBO identification, distributor due diligence.

Trustees, family offices: KYC of settlors and beneficiaries of structures they administer.

Life insurance (CAA): KYC of subscribers and designated beneficiaries.

Crypto-asset platforms (CASPs) under MiCA: mandatory KYC since December 2024.

Law firms and accountants under Luxembourg AML law.

Regulatory compliance

The Luxembourg and European regulatory framework.

  • 12 November 2004 law on AML, updated for AMLD4, AMLD5 and virtual asset service provider regulation.
  • CSSF Regulation 12-02 and its FAQ: AML governance, customer due diligence, enhanced due diligence, suspicious transaction reports.
  • 13 January 2019 law establishing the Beneficial Ownership Register, with professional access via LuxTrust since LBR Circular 22/01.
  • AMLR (EU Regulation 2024/1624) directly applicable on 10 July 2027: the platform is designed to absorb the transition.
  • eIDAS 2.0 for qualified electronic signatures (LuxTrust, Itsme).
  • GDPR Article 9 (biometric data) with mandatory DPIA, Article 22 on automated decisions (the platform proposes, the human decides).
  • Article 41 LSF (banking secrecy): exclusive on-premise AI routing for affected actors.
  • AI Act 2024/1689: AI components classified (limited risk for most, systematic human oversight).
Architecture · Hosting

Technical stack and data sovereignty.

Module integrated with LuxGap platform (shared with DPO Assistant and Third Party Register): a KYC client can become a vendor in TPR without re-entry, a KYC document enters DPO Assistant's erasure scope at end of AML period. Integrable IDV providers: Onfido, Sumsub, Veriff, Fourthline, ComplyCube, Didit (EU sovereign positioning). Screening databases: Dow Jones, LSEG World-Check, LexisNexis, ComplyAdvantage, Sanction Scanner. Core banking connectors: Avaloq, Temenos T24, Olympic. Luxembourg hosting, 100% on-premise mode for Article 41 LSF secrecy.

FAQ

Frequently asked questions

Why not just take Onfido and ComplyAdvantage?
Excellent tools for what they do: verify an ID and screen sanctions lists. But they cannot reconstruct an indirect UBO chain across SOPARFI + SCSp + foreign trust + nominee shareholder. They don't integrate the Luxembourg RBE, don't read local Paperjam press, can't generate goAML reports for the FIU, and have no AI investigation agent when standard sources return nothing. Our tool uses them (Onfido or Sumsub for biometric IDV) and adds the Luxembourg business layer they lack.
Concretely, what does the AI investigation agent do?
Imagine a Luxembourg fund receiving an investor via a British nominee shareholder. Screening on the nominee is clean. You launch the agent. It: reads annual returns at UK Companies House, identifies PSC register to find the real beneficiary, cross-checks with OpenSanctions and ICIJ Offshore Leaks to detect exposure, verifies PEP status via Dow Jones, writes an argued synthesis with per-step confidence score. It returns the dossier in 5 to 15 minutes instead of 2 days of manual investigation.
AMLR 2024 enters into force in 2027, do I need to change tool?
No. AMLR will replace part of today's rules in the 2004 law and CSSF Regulation 12-02. The platform is configurable: due diligence policies, country/sector/channel risk lists, workflows, thresholds. Our legal team updates the templates before 10 July 2027. You keep your tool, data, historical decisions.
Can the AI refuse a client by itself?
No, never. GDPR Article 22 and AI Act compliant: no decision unfavourable to the client is made by AI alone. The module proposes, RC validates, RR escalates if needed, authorised manager decides critical cases. That's the responsibility structure CSSF Regulation 12-02 imposes, and what makes the tool usable by regulated actors without regulatory risk.
Implementation timeline?
Daily-usable version (onboarding, IDV, KYB with LU RCS/RBE + FR/DE/UK registers, basic screening, front/RC workflow): 9 months. Full version with continuous scoring, real-time monitoring, goAML reporting and investigation agent: 15 months. 4-week POC on a dozen of your real clients before any commitment.
How much does it cost?
Pricing by tier of active clients, by tier of monthly onboardings, plus pass-through of paid external APIs (Onfido, World-Check, etc.). For a PSF managing 500 institutional clients with 30 monthly onboardings: 4,000 to 8,000 EUR/month plus API costs. For a large private bank with 5,000 clients and investigation agent: 15,000 to 35,000 EUR/month. Detailed quote within 24h after scoping.
Combine with

Our complementary services.

Try this software on your real data.

POC with no long-term commitment. Tailored quote within one business day.

Build my quote →