The provisions of the long-awaited act of 27 February 2018 (the 2018 Act), which aim at smoothing (especially in the context of outsourcing arrangements) the professional secrecy regime that credit institutions, professionals of the financial sector, payment institutions, e-money institutions and insurance companies must comply with, have just entered into force.
The 2018 Act introduces amendments to article 41 of the Luxembourg act of 5 April 1993 on the financial sector (the Banking Act 1993), inter alia to ease intragroup cooperation for prudential purposes (1) and to define clear rules for the transmission of client data in the context of outsourcing arrangements (2). In this context the 2018 Act also reinforces the general conditions applicable to outsourcing arrangements in the financial sector (3). Substantially the same amendments are implemented in article 30 (on professional secrecy) of the act of 10 November 2009 on payment services, which applies to payment institutions and e-money institutions.
The professional secrecy regime provided for in article 300 of the act of 7 December 2015 on the insurance sector, as amended (the Insurance Sector Act 2015) is also similarly amended (4).
Easing of intragroup cooperation for prudential purposes in the banking sector
New paragraph (4) of article 41 of the Banking Act 1993 grants more flexibility for qualified shareholders of a Luxembourg professional of the financial sector, facilitating the intragroup co-operation for prudential purposes.
New article 41(4), first sub-paragraph, relating to the communication of confidential information to qualified shareholders extends the exception to professional secrecy in two ways:
• it provides that the professional secrecy obligation does not exist as regards the communication of confidential information to the shareholders which is strictly necessary not only for the sound and prudent management of a Luxembourg professional of the financial sector but also for the risk assessment on a consolidated basis or the calculation of prudential ratios on a consolidated basis; and
• it removes the prohibition on disclosing information on the assets held by the clients (such as deposits) to qualified shareholders in this context.
The second sub-paragraph of article 41(4) of the Banking Act 1993 regarding the disclosure of information to the group’s internal control bodies to manage legal risks and reputational risks linked to money laundering or terrorism financing substantially remains unchanged.
Communication of data in the context of outsourcing arrangements in the financial sector
Article 41 (2bis), indent 1 of the Banking Act 1993 extends the current exemption regime applicable to the communication of client data to Luxembourg credit institutions and support professionals of the financial sector (PFS) in the context of a service agreement to any person established in Luxembourg, subject to the prudential supervision of the Commission de Surveillance du Secteur Financier (the CSSF), the European Central Bank (the ECB) or the Commissariat aux Assurances (the CAA) and which is bound by a criminally-sanctioned professional secrecy obligation.
For all other outsourcing arrangements which do not fall within the scope of the above exemption, article 41 (2bis), indent 2 provides that the professional secrecy obligation does not exist towards a service provider (including its employees and persons at its service) where:
• the client has accepted, in accordance with the law or under the information arrangement agreed between the parties, the outsourcing of services, the type of information to be transmitted in the framework of the outsourcing and the country of establishment of the service provider. As already mentioned in our preceding e-alerts, there is no express reference to a written consent of the protected person; and
• the service provider, having access to confidential information, must be subject by law to a professional secrecy obligation or be bound by a confidentiality agreement.
The requirements of article 41 (2bis), indent 2 apply irrespective of the fact that the service provider belongs or not to the same group and irrespective of the jurisdiction in which it is established (in Luxembourg, in the EU or outside the EU).
Although this may appear unnecessary, the 2018 Act adds a new paragraph 9 to article 41 emphasising that the rules set out in this latter article apply without prejudice to compliance with the requirements of the Luxembourg act of 2 August 2002 on the protection of personal data, as amended.
Conditions to be complied with by credit institutions and other PFS when entering into outsourcing arrangements
A new article 36-2 is introduced in the Banking Act 1993 which lists the organisational requirements applicable to a PFS (other than an investment firm) when entering into an outsourcing arrangement:
- the outsourcing must not impair the level and quality of service towards the clients;
- the outsourcing must be based on a service level agreement;
- the PFS remains fully responsible to ensure compliance with all its prudential obligations;
- any “cascade” outsourcing must be accepted beforehand by the person (that is established in Luxembourg and that is subject to the CSSF or ECB supervision) who initiated the outsourcing; and
- the outsourcing of important operational functions may not be undertaken in a way that materially impairs the quality of internal control of the PFS and the ability of the CSSF to monitor compliance, by the PFS, with its obligations under the Banking Act 1993.
In the same vein and also in anticipation of the implementation of MiFID II, article 37-1 (5) of the Banking Act 1993, which lists the organisational requirements applicable to a credit institution or an investment firm when entering into an outsourcing arrangement, is amended. The obligations set out above (for PFS) are similarly made applicable to credit institutions and investment firms.
They further must have in place strong security mechanisms that guarantee the security and authentication of the means through which information is transferred, reduce the risk of data corruption and unauthorised access and prevent information leakage in order to maintain, at all times, confidentiality of data.
Implications for the insurance and reinsurance sector
The 2018 Act also amends article 300 of the Insurance Sector Act 2015 which covers the professional secrecy regime in the insurance and reinsurance sector, in an attempt to streamline where possible the insurance secrecy regime with the professional secrecy regime set out in article 41 of the Banking Act 1993.
Notwithstanding a full rewriting of paragraph 1 of article 300 of the Insurance Sector Act 2015, the scope of persons subject to the insurance secrecy rules remains in essence the same – article 300 now states that all natural and legal persons established in Luxembourg and subject to the prudential supervision of the CAA or a foreign authority for the exercise of activities covered by the Insurance Sector Act 2015 are subject to the secrecy rules. Also, in substance, all previously existing exemptions (such as for reinsurance companies) are maintained. The 2018 Act however helpfully provides for clarity on certain situations which were previously uncertain.
New paragraph 2bis, indent 1 exempts from the secrecy duty persons established in Luxembourg that are subject to the prudential supervision of the CAA, the CSSF or the ECB and that are bound by a criminally-sanctioned professional secrecy obligation, to the extent that these persons receive relevant data in the context of a service agreement.
Article 300, paragraph 2bis, indent 2, further introduces a new exemption regime for outsourcing arrangements that do not benefit from the exemption mentioned above, thereby replicating the new regime introduced in article 41(2bis), indent 2 of the Banking Act 1993. In a nutshell, this provision allows the communication of relevant information to a service provider provided certain conditions are met (client acceptance and servicer being subject to a contractual or statutory confidentiality duty). See section "Communication of data in the context of outsourcing arrangements in the financial sector" above for further detail (the Banking Act 1993 provisions are in substance the same on this topic).