On 16 April 2015, the Luxembourg financial sector supervisor - the CSSF - published Circular 15/611 on outsourcing in the context of the compilation, distribution and consultation of management board/strategic documents and in particular due diligence data room services.
The Luxembourg Law of 5 April 1993 on the Financial Sector, as amended (the "LSF"), regulates the use of service providers, the so-called support-PSF, in the context of outsourcing in the financial sector, setting out specific categories of services and the licences required for businesses to provide such services. The LSF equally provides for an exception to professional secrecy where financial service providers ("PSF") subject to the supervision of the CSSF have recourse to a regulated support-PSF, permitting the latter to have access to confidential information in the course of providing its service.
In that context, the CSSF has long provided guidelines to be followed where PSFs choose to outsource IT services and guidance as to when recourse should be made to support-PSFs regulated under the LSF.
In its Circular 15/611, the CSSF highlights that the "management board/strategic documents" could contain sensitive data (e.g. the names of clients or investors), which might never be released to the general public. Circular 15/611 addresses more particularly the outsourcing to external data room service providers.
The CSSF notes that, when making use of the compilation, distribution and consultation services of an external provider, supervised entities at times have recourse to third-party service providers that are not located in Luxembourg or do not hold a support-PSF licence. This creates risks for the supervised entities, especially where confidential information could be included in the outsourcing arrangements. As the CSSF points out, even when outsourcing, the supervised entity must ensure that its professional secrecy obligations are observed at all times; the use of a non-licensed entity would therefore require the supervised entity to make certain that no confidential data is disclosed to the service provider.
As such, the CSSF advises that supervised entities should carefully consider whether to opt for an unsupervised service provider and should only choose to do so after having carried out a thorough check of the service provider, including a detailed evaluation of the service provider's security measures. Choosing a service provider who offers sufficient security measures is also highly important in order to comply with data protection legislation. The latter indeed requires the adoption of adequate security measures where personal data are processed and, when subcontracting or outsourcing, the choice of a service provider offering such measures.
The CSSF particularly addresses domiciliation agents (such entities are regulated as PSFs). Circular 15/611 highlights that the compilation, distribution and consultation of board/strategic documents constitute a core activity for domiciliation agents, so that the requirements of Circular 05/178, as amended, must be observed when outsourcing such activities. Circular 05/178 lays down the principal conditions (which have been replaced, consolidated and completed by Circular 12/552 for credit institutions and investment firms) for PSFs to outsource IT-related functions in particular:
- the outsourcing must be consistent with a predefined policy based on an in-depth assessment;
- a written agreement with specifications must be in place;
- the outsourcing institution still has the primary liability towards its clients;
- the confidentiality and protection of data must be guaranteed;
- the outsourcing entity must be able and have sufficient expertise to control the outsourcing process;
- the outsourcing entity must assess whether final customers must be informed;
- the business continuity must be assured in crisis or exceptional situations;
- it must be possible for the outsourcing entity to revoke the outsourced activities and to transfer these to another operator if necessary; and
- the CSSF, approved statutory auditors (réviseur d’entreprises agréé) and internal compliance must have audit rights, inter alia on information held by the outsourcee.