by Josée Weydert, Vincent Wellens and Jad Nader
One of the key principles of Luxembourg financial regulation is the obligation of professional secrecy (often referred to as bank secrecy; the “Professional Secrecy Obligation”) laid down in Article 41(1) of the law dated 5 April 1993 on the financial sector, as amended (the “Financial Sector Act”). Outsourcing arrangements and, in particular, IT outsourcing operations which can lead to the disclosure of confidential data and thus to a potential breach of the Professional Secrecy Obligation are subject to rather strict legal conditions.
Article 41(5) of the Financial Sector Act provides for an explicit exception to the Professional Secrecy Obligation with respect to the information communicated to credit institutions and duly authorised support financial sector professionals (the “Support PSF”) under a service agreement. On the basis of this exception, outsourcing of financial services can in principle only be made to these two types of entities. Several circulars of the Commission de Surveillance du Secteur Financier (the Luxembourg financial sector regulator, the “CSSF”) further complete the legal framework on outsourcing in the financial sector.
On 29 July 2016, the Minister of Finance introduced draft law no. 7024 (the “Draft Law”), which creates more possibilities to outsource activities to both external and intra-group undertakings. If voted, the Draft Law will allow regulated financial institutions to outsource activities to:
(i) Luxembourg-based regulated entities other than banks and Support PSF;
(ii) group entities (subject to a prior information of the client);
(iii) other entities (subject to the client’s consent).
Luxembourg-based regulated entities
In accordance with the provisions of the Draft Law, the Professional Secrecy Obligation would not apply to the disclosure of confidential information to entities that are:
• established in Luxembourg;
• supervised by the CSSF, the European Central Bank (the “ECB”) or the Commissariat aux Assurances (the Luxembourg insurance sector regulator); and
• whose professional secrecy obligation is subject to criminal sanctions;
provided that such disclosure is foreseen by the service agreement.
Therefore, should the Draft Law be adopted in its current version, the scope of regulated entities to whom financial institutions can outsource activities will be significantly extended as compared to the current scope which is limited to credit institutions and Support PSF.
Intra-group outsourcing
As regards credit institutions and investment firms, intra-group outsourcing is currently possible on the basis of the CSSF Circular 12/552 but requires, amongst others, the express consent of the concerned clients if such outsourcing could lead to the disclosure of confidential information.
Under the Draft Law, the disclosure of confidential information without violating the Professional Secrecy Obligation would be possible if made to entities belonging to the same group as the outsourcing entity (the latter has to be supervised by the CSSF or the ECB) and provided that:
• such entities are in charge of the performance of services that are entirely outsourced within the group;
• persons having access to confidential information covered by the Professional Secrecy Obligation must be subject to a professional secrecy obligation or at least be bound by a non-disclosure agreement; and
• clients are duly informed beforehand in writing about the services outsourced to these entities, the type of information transmitted within the context of such outsourcing as well as the country of establishment of such entities.
The Draft Law would thus abolish the consent requirement, which was often difficult to satisfy with respect to the whole client base, and would replace it with a mere information obligation towards the relevant client, thus facilitating intra-group outsourcing. Unlike the regulated entities referred to under paragraph (i), intra-group entities to whom activities may be outsourced do not seem to have to be based in Luxembourg. The Draft Law also does not explicitly require the entering into of an outsourcing agreement in the intra-group context. However, it is very likely that such a requirement will continue to exist on the basis of CSSF circulars.
Other entities
Outsourcing to entities other than credit institutions or Support PSF is currently possible on the basis of Circular 12/552. On the basis of this circular, outsourcing arrangements that could potentially lead to the disclosure of confidential information in principle require the consent of the concerned client. If the Draft Law were adopted in its current version, the consent-based approach would be explicitly embedded in the Financial Sector Act and thus have a more robust legal basis.
The Draft Law allows for the outsourcing of activities to entities that are not (i) Luxembourg-based regulated entities or (ii) group entities under the following conditions:
• the subcontractors, if they have access to the information covered by the Professional Secrecy Obligation, are subject to a professional secrecy obligation or are bound by a non-disclosure agreement; and
• the concerned clients consented beforehand in writing to (i) the outsourcing of the relevant services, (ii) the type of the information transmitted within the context of such outsourcing and (iii) the country of the establishment of such subcontracting entities.
Furthermore and even though it is not explicitly required in the current version of the Draft Law, it is to be expected that these subcontractors will need to conclude a written agreement with the outsourcing financial service providers.
Conclusion and first analysis
The Draft Law offers wider possibilities for financial institutions to outsource activities as it enlarges the group of potential outsourcee entities. Nevertheless, the specialised Support PSF will most probably be in the best position to act as subcontractors, in particular when it comes to IT outsourcing. The real added value of the Draft Law appears to be the facilitation of intra-group outsourcing. However, it is not entirely clear how the requirement that the services concerned must be “entirely outsourced within the same group” (“services sous-traités intégralement à l’intérieur du même groupe”) would be interpreted. If interpreted strictly, this requirement could constitute an unnecessary hurdle to the possibility to outsource at an intra-group level.
Furthermore, it remains to be seen whether and, if so, how the CSSF would change its different circulars which exist in addition to Article 41 of the Financial Sector Act and which are extremely important in the shaping of an outsourcing arrangement.
For example, CSSF Circulars 12/552 and 05/178 state the key principles of IT outsourcing, including in particular the following:
• the consistency of the outsourced activity with a documented outsourcing policy approved by the financial institution’s decision-makers and based on, among others, a risk assessment;
• the liability to its clients remains with the outsourcing institution (there is no delegation of liability);
• the permanent guarantee of the confidentiality of data;
• the institution’s ability to control all stages of the outsourcing process; and
• the institution’s ability to continue its business in times of crisis or other exceptional situations.
Another example is the CSSF Circular 13/554 on the use and control of IT resource management tools and the management of access to these resources at an intra-group level. When a multinational financial group comprising a Luxembourg entity wishes to use a general access tool for IT resources (e.g. user accounts, printers, computers, IT services, etc.) at a group level, this circular requires the Luxembourg entity to introduce a formal, detailed authorisation request to the CSSF, proving, amongst others, that it retains full control over the IT resources it is responsible for. Against this background, even if the Draft Law would facilitate IT outsourcing at a group level, this would not give an automatic authorisation to consolidate all IT elements at a group level without the Luxembourg financial entity having any control over the elements it uses.
On a more general note, the explanatory memorandum to the Draft Law does correctly point out that outsourcing arrangements, which are allowed under the Financial Sector Act, would still need to comply with the personal data protection legislation. The latter requires that outsourcing entities have a written contract in place with their subcontractors and that the contract refers to the applicable security measures. The EU General Data Protection Regulation, which comes into force on 25 May 2018, lays down further requirements such outsourcing contracts must comply with (see also our general news alert on the EU General Data Protection Regulation). Furthermore, personal data protection regulations include strict rules on the transfer of personal data to countries outside the EU/EEA having an inadequate level of data protection and could in several cases be an obstacle to outsourcing arrangements. In this respect it must also be repeated that the so-called Privacy Shield, a certification regime which should facilitate the transfer of personal data to US recipients, is not applicable to US financial institutions.
Finally, it must be regretted that the Draft Law does not extend the outsourcing possibilities for insurance companies in the same manner as for financial institutions.
About the authors: Josée Weydert is Managing Partner, Vincent Wellens is Partner and Jad Nader is Counsel at NautaDutilh Avocats Luxembourg.