Secure & efficient CEDR compliance

CEDR stands for Central Electronic Data Retrieval system. It is a national Luxembourg system established by the CSSF Circular of 25 March 2020 that mandates credit and payment service providers to implement an API-based interface, enabling the CSSF to retrieve information about bank account, payment account, safe-deposit box, and account holder information in a direct, immediate, and secured manner for AML (anti-money laundering) supervision purposes.

CEDR compliance is governed by CSSF Circular 20/747, published on 23 July 2020. The circular mandates that credit institutions and specified payment service providers licensed in Luxembourg implement a secure API-based system aligned with the Law of 25 March 2020. The CSSF selected an API approach specifically to enable real-time supervisory access, positioning Luxembourg’s financial supervisor as a modern data-driven regulator.

All credit institutions and payment service providers established in Luxembourg and subject to CSSF supervision are required to comply with CEDR under CSSF Circular 20/747. This includes Luxembourg banks and credit institutions holding payment accounts or safe-deposit boxes. Payment service providers maintaining payment accounts may also fall within scope.

According to CSSF Circular 20/747, the CEDR API must grant the CSSF direct access to four categories of data: (1) information identifying any customer-account holder and any person purporting to act on their behalf; (2) data relating to the beneficial owner of the customer-account holder; (3) data pertaining to the bank account or payment account, including IBAN; and (4) data pertaining to any safe-deposit box held at the institution. While the CSSF marks some data as “optional” in its technical specifications, if a professional already possesses this data within their internal systems, they have a mandatory obligation to include it in the file exposed to the CSSF

Luxembourg’s IBAN Register is a central national database established by the Law of 25 March 2020, recording all bank accounts and payment accounts identified by IBAN, as well as safe-deposit boxes held at Luxembourg credit institutions. CEDR is the technical mechanism through which the CSSF accesses this registry in real time. LUXHUB’s CEDR API solution provides institutions with the secure, compliant interface needed to feed and expose this IBAN Register data to the supervisor.

CEDR is built on LUXHUB’s infrastructure and is specifically designed to protect data: at no point in the process can LUXHUB access the institution’s data. The institution exports its account data as a CSV file and converts it via using LUXHUB’s software package, which embeds a built-in PGP encryption and a CEDR verifier package. The data is encrypted before it leaves the institution’s systems, so LUXHUB transfers it to the CSSF in its encrypted form without ever having access to its contents. Notifications to the customers are sent at three different stages: when the file is ready to download, when it has been validated for processing, and when it has been successfully processed.

LUXHUB offers several unique advantages as a CEDR partner: its platform is built on the same proven infrastructure as its PSD2 XS2A solution, already trusted by multiple Luxembourg institutions; it simplifies the onboarding complexity by allowing consumers to onboard themselves via a simple interface (no API is exposed to client); it provides rapid onboarding via a dedicated Service Desk; its mutualized model reduces the cost per institution significantly; and its deep familiarity with the CSSF’s technical and regulatory requirements shaped through direct engagement since the circular was published in July 2020 ensuring a reliable and compliant integration path.

Yes. LUXHUB’s entire infrastructure, including its CEDR platform, is hosted in a Tier IV data centre located in Luxembourg. This ensures full data sovereignty, complies with Luxembourg and EU data protection requirements, and meets the CSSF’s strict regulatory expectations for the handling of sensitive financial supervisory data. The Tier IV classification also guarantees the highest levels of uptime, resilience, and disaster recovery capability.

Key features include: effortless file creation via an optional software package with CSV schema and PGP libraries; automated CSV-to-JSON conversion aligned with CSSF’s required schema; secure file transfer via one-time encrypted URL; three-stage notification system (file ready, validated, processed); rapid onboarding through LUXHUB’s established web interface; mutualized costs across multiple Luxembourg institutions; 24/7 infrastructure management; and dedicated Service Desk support throughout the onboarding journey.

LUXHUB’s CEDR onboarding is designed for speed and efficiency. Built on pre-existing API Gateway infrastructure that has already been validated in the Luxembourg financial market, institutions can achieve rapid time-to-compliance. LUXHUB’s Team provideshands-on technical and operational support throughout the onboarding process, from initial configuration and testing to production go-live. Specific timelines depend on institutional readiness, but LUXHUB’s mutualized platform & teams are specifically designed to meet tight regulatory deadlines.

LUXHUB’s CEDR solution adheres to rigorous security standards throughout the full lifecycle. Data files are encrypted using PGP  cryptography before transfer. underlying infrastructure is hosted in a Tier IV Luxembourg data centre and managed to ISO 27001 standards. API communications use HTTPS with certificate-based authentication, and all access to CSSF interfaces is strictly controlled and auditable.

CEDR is fundamentally an AML supervisory tool. The Law of 25 March 2020 and CSSF Circular 20/747 were designed to modernise the CSSF’s AML oversight capabilities by giving API-based access to account holder, beneficial owner, and payment account data. This enables the supervisor to rapidly identify and investigate suspicious financial activity, trace beneficial ownership structures, and respond to AML alerts more efficiently than under previous paper-based or non-standardised reporting systems.

Yes. LUXHUB’s infrastructure is a high-throughput, enterprise-grade platform already handling millions of API calls monthly across its PSD2 and Open Banking services. The CEDR product is built on this same scalable infrastructure, ensuring it can handle the full volume of account records, beneficial owner data, and safe-deposit box information required from large Luxembourg credit institutions, without performance degradation or reliability concerns.

You can initiate the CEDR compliance process by contacting LUXHUB sending an inquiry to info@luxhub.com, or calling +352 288 076. LUXHUB also offers a CEDR product brochure and an infographic explaining the CEDR API for the IBAN Register — both available via the CEDR product page. LUXHUB’s compliance experts will guide you through requirements, integration steps, and the path to CSSF-compliant go-live.