On 31 August 2016, we issued an e-alert on the bill of law n°7024 (the Bill of Law 7024)[1], aimed, among other things, at amending article 41 of the Luxembourg act of 5 April 1993 on the financial sector, as amended (the Banking Act 1993), which deals with professional secrecy obligations for credit institutions and other professionals of the financial sector.

One of the key amendments concerns the easing of outsourcing arrangements.

Article 14 (3) of the Bill of Law 7024 (concerning the conditions in which confidential information may be communicated by Luxembourg credit institutions and other professionals of the financial sector (PFS) in the context of outsourcing arrangements without entailing a breach of their professional secrecy obligation)[2] ignited protracted discussions:

  • the Chambre de Commerce noted that the contemplated amendments take into account recent technological developments and permit cost optimisation, thereby reflecting the government’s objective to position Luxembourg as a centre of excellence, in particular for Fintech and digital activities;

  • the Conseil d’Etat raised concerns about the potential impact of article 14 (3) of the Bill of Law 7024 on the labour market and insisted (like the Chambre de Commerce) on strict compliance with the Luxembourg act of 2 August 2002 on the protection of personal data (the Data Protection Act 2002). It also requested that the provisions on the communication of confidential data in the context of intragroup outsourcing be aligned with the existing regulatory framework defined by the CSSF in its circular 12/552;

  • the Chambre des Salariés required that a prior impact assessment, in terms of gains/losses for employment in the financial sector, be performed;

  • the Commission Nationale pour la Protection des Données raised concerns about the compliance of the contemplated amendments with the Data Protection Act 2002.

Against that backdrop, the Ministry of Finance proposed new amendments to the Bill of Law 7024 on 4 April 2017:

  • a clarification (and a harmonisation) of the conditions in which the confidential data is communicated in the context of outsourcing arrangements;

  • a reinforcement, in the Banking Act 1993, of the conditions to be complied with by credit institutions and other PFSs when entering into outsourcing arrangements.

The proposed amendments to the Bill of Law 7024 also align article 30 of the act of 10 November 2009 on payment services, as amended, on professional secrecy applicable to electronic money and payment institutions and article 300 of the act of 7 December 2015 on the insurance sector, as amended, with the amended version of article 41 of the Banking Act 1993.

Furthermore, article 41 (1) of the Banking Act 1993 is also slightly amended to include a reference to persons established in Luxembourg and subject to the supervision of a foreign authority for the exercise of an activity referred to in the Banking Act 1993 (thereby confirming that the professional secrecy obligation also applies to Luxembourg branches of EU and non-EU professionals).

1. Communication of confidential data under outsourcing arrangements

Article 14 of the Bill of Law 7024, which now becomes article 17 of the Bill of Law 7024, is amended as follows:

  • the proposed extension of the scope of the exemption to professional secrecy that currently exists under article 41 (5) of the Banking Act 1993 is maintained[3];

  • for all other outsourcing arrangements which do not fall within the scope of the above exemption (including cascade outsourcing):

    • the regime is simplified in that the proposed amendments no longer make a distinction between intragroup and extra-group outsourcing arrangements;

    • no distinction is made as to whether the outsourcing is entrusted to an entity established in Luxembourg, in the EU or outside the EU (irrespective of and without prejudice to the requirements of the Data Protection Act 2002);

    • subject to compliance with specific organisational requirements[4], the professional secrecy obligation does not exist towards a service provider (including its employees and persons at its service) if the following conditions are (cumulatively) complied with:

      • the client has accepted, in accordance with the law or under the information arrangement agreed between the parties, the outsourcing of services, the type of information to be transmitted in the framework of the outsourcing and the country of establishment of the service provider. There is no express reference to a written consent of the protected person (it should therefore be possible, under certain conditions, to obtain such a consent by the insertion of a provision to that effect in the general terms and conditions of the professional); and

      • the service provider, having access to confidential information, must be subject by law to a professional secrecy obligation or be bound by a confidentiality agreement.

2. Modernisation of outsourcing arrangements in the Banking Act 1993

Article 13 of the Bill of Law 7024 proposes to insert a new article 36-2 in the Banking Act 1993, which lists the following organisational requirements applicable to a PFS (other than an investment firm) when entering into an outsourcing arrangement:

  • the outsourcing shall not impair the level and quality of service towards the clients;

  • the outsourcing is formalised in a service level agreement;

  • the PFS remains fully responsible to ensure compliance with all the obligations it needs to satisfy pursuant to applicable prudential regulation;

  • any “cascade” outsourcing must be accepted beforehand by the person (that is established in Luxembourg and that is subject to the CSSF or ECB supervision) who initiated the outsourcing; and

  • the outsourcing of important operational functions may not be undertaken in a way that impairs materially the quality of internal control of the PFS and the ability of the CSSF to monitor compliance, by the PFS, with its obligations under the Banking Act 1993.

Article 14 in the Bill of Law 7024 proposes, in the same vein, to amend article 37-1 (5) of the Banking Act 1993, which lists the organisational requirements applicable to a credit institution or an investment firm when entering into an outsourcing arrangement. The obligations currently set out in article 37-1 (5) are maintained but supplemented by the following requirements (which, in part, anticipate forthcoming MiFID II requirements and reflect the requirements provided for in circular 12/552 in the context of outsourcing arrangements):

  • the outsourcing shall not impair the level and quality of service towards the clients;

  • the outsourcing is formalised in a service level agreement;

  • the credit institution or investment firm remains fully responsible to ensure compliance with all the obligations it needs to satisfy pursuant to applicable prudential regulation;

  • any “cascade” outsourcing must be accepted beforehand by the person (that is established in Luxembourg and that is subject to the CSSF or ECB supervision) who initiated the outsourcing; and

  • the credit institution or investment firm has in place strong security mechanisms that guarantee the security and authentication of the means through which information is transferred, reduce the risk of data corruption and unauthorised access and prevent information leakage in order to maintain, at all times, confidentiality of data.