A new dawn for professional secrecy in Luxembourg

in Luxembourg, Regulatory/Compliance, 11.04.2018

A draft law that affects professional secrecy has been adopted—well, not secretly, but perhaps out of the spotlight. Finance Minister Pierre Gramegna, back in July 2016, proposed draft law no. 7024 on the eve of the parliamentary break. The draft would implement, nationally in Luxembourg, a European regulation[1] on interchange fees for card-based payments, with the larger goal of making data outsourcing to intragroup or external providers easier. But the draft also modified the Laws of 5 April 1993 and 7 December 2015, removing the obligation to process financial institutions’ data inside Luxembourg’s borders. This reduces the scope of professional secrecy.

On 22 February 2018, the State Council opted not to revise the draft law, meaning that it is now deemed to be adopted. It has thus become the Law of 27 February 2018, and came into force a month ago on 5 March 2018.


The conversations about secrecy that the new law poses are reminiscent of those from some years ago, when large depositary banks questioned the relevance of banking secrecy. To them, it made no sense to adhere to costly and cumbersome professional secrecy requirements if there were a possibility of benefitting from high-performing IT platforms based at their international headquarters instead.

In response, the CSSF adopted a pragmatic stance, permitting a few exceptions to professional secrecy on certain grounds.[2] Under the exceptions, data could be exported abroad provided that it be transmitted on an anonymous and encrypted basis so as to conceal client names on computer screens located in foreign IT centres.

What does the new law change?

The Law of 27 February 2018 acknowledges the trend of outsourcing by allowing it. It distinguishes between, and provides guidance on, outsourcing to CSSF-, ECB-, and CAA-supervised firms, and covers other outsourcing situations as well. Additionally, article 41 of the new law exempts professional secrecy requirements—if the client consents—under the terms and conditions agreed on amongst all parties concerned.

Entities under CSSF supervision
The new law sets out organisational requirements for the outsourcing activities of credit institutions and investment firms under CSSF supervision. These include:

  • The level and quality of services provided to the clients must not be endangered by the outsourcing. A service level agreement must have been concluded.
  • Credit institutions and investment firms bear full responsibility for their obligations.
  • The client must have accepted successive sub-contracting beforehand.
  • Reasonable steps should be considered to avoid excessive levels of operational risk. The outsourcing of key operational functions should not materially affect the quality of the internal control or hamper the CSSF in its compliance duty.
  • Credit institutions and investment firms should put in place sound security measures to ensure confidentiality, authentication of the processes of information sharing, reduction of risk of data corruption and unauthorised access, and prevention of information leakage.

Entities under CAA supervision
The law explicitly provides for an exception to professional secrecy obligations for the intragroup and extra-group outsourcing arrangements of CAA-supervised entities, provided that:

  • The service provider, having access to confidential information, is subject to a professional secrecy obligation or has concluded a confidentiality agreement.
  • The client has accepted, in accordance with the law (i.e. explicit consent) or with the conditions agreed between the parties, the outsourcing of services, the type of information to be transmitted in the framework of the outsourcing, and the country of establishment of the service provider.
  • The national or foreign competent authorities in charge of prudential supervision act within the scope of their legal powers and the information exchanged is covered by the professional secrecy of the authority receiving it. Information exchanged with a foreign authority for prudential supervision must be transmitted through the parent undertaking, the shareholder, or an associate under the same supervision as the entity that generated the information. The transmission of the necessary information to the EIOPA, EBA, ESMA, or ECB for the purposes of prudential supervision may be made directly to the relevant institution, or to the national or foreign competent authority in cases where the law applicable in Luxembourg entitles that authority to request the information directly from the person established in Luxembourg.


Notably, reinsurance undertakings are also included in the scope of the new law. The legislator justifies this to prevent the risk of de minimis interpretation whereby the access to information would be granted solely for activities performed under article 269 (i.e. outsourcing of corporate governance functions to service providers). How this will affect reinsurance activities in Luxembourg remains to be fully seen.

Following the new law, much remains to be seen as well for support financial service professionals (PSFs). The status of “support PSF” was developed as a local solution to meet professional secrecy requirements, providing banks and other financial firms with a local outsourcing solution to avoid disseminating confidential data abroad.

We are tracking reactions to the Law of 27 February 2018 with much interest—check this blog regularly for further updates and insights. In the meantime, feel free to leave questions/comments below or to contact me directly.

[1] EU Regulation 2015/751
[2] The exceptions were given in cases where national or foreign supervisory authorities needed assistance for AML-CFT or AEoI purposes.
