The ABBL welcomes the initiative of the Luxembourg government to facilitate intragroup outsourcing arrangements. The Draft Bill n°7024 submitted to the Parliament aims to achieve this by amending the provisions governing professional secrecy as set out in Art.41 of the Law of 5 April 1993 on the financial sector (the LSF).
In April 2017, the government issued amendments to the Draft Bill n°7024, whose main elements are as follows:
Strengthening of organisational requirements
Article 14 amends article 37-1 (5) of the LSF, which lists the organisational requirements applicable to a credit institution or an investment firm, when entering into an outsourcing arrangement. The obligations currently set out in article 37-1 (5) are completed by the following requirements:
- the outsourcing shall not impair the level and quality of service towards the clients; it shall be based on a service level agreement;
- the credit institution and investment firm remain fully responsible to ensure compliance with all their obligations pursuant to applicable prudential regulation;
- any “cascade” outsourcing must be accepted beforehand by the person (that is established in Luxembourg and that is subject to the CSSF or ECB supervision) who initiated the outsourcing;
- the credit institution or investment firm shall take reasonable measures in order to avoid an excessive increase of operational risks; and
- the credit institution or investment firm has in place strong security mechanisms that guarantee the security and authentication of the means through which information is transferred, reduce the risk of data corruption and unauthorised access and prevent information leakage in order to maintain, at all times, confidentiality of data.
New outsourcing possibilities
Article 41 of the LSF will offer the possibility to outsource to another Luxembourg professional that is subject to the supervision of the CSSF, ECB or CAA. It provides for an extension of the scope of the exceptions to the banking secrecy by allowing access to confidential data to any professional of the financial sector or insurance professional established in Luxembourg, provided that the latter are under the supervision of the CSSF, the ECB or the CAA and acting as service provider under an outsourcing arrangement. This means that the exception to professional secrecy that is currently in place under article 41(5) of the Banking Act 1993 (currently applying only vis-à-vis support PFS and credit institutions) will now apply vis-à-vis any professional of the financial sector or insurance professional.
In case of intragroup outsourcing arrangements and all other cases of outsourcing abroad, outsourcing is subject to the following cumulative conditions:
- The sub-contractor shall be bound by a service agreement;
it shall also be subject to a professional secrecy obligation or bound by a confidentiality agreement, and
- The client has accepted:
- the outsourcing of services
- the type of information transmitted to the sub-contractor
- the country of establishment of the sub-contractor
The acceptance is given either in compliance with the law or “according to the conditions agreed by the parties”.
The new flexibility offered in the amended version of article 41 of the LSF is without prejudice to the conditions stemming from the regime applicable under the law of 2 August 2002 on the protection of personal data. This means that in any case the client shall be informed of outsourcing arrangements.
One shall however pay due attention to the forthcoming entry into force of the General Data Protection Regulation (as from 25 May 2018), the provisions of which being also partially transposed within Draft Bill n°7184, repealing the law of 2 August 2002. Indeed, the scope of information to be handed over to the client as foreseen in this new upcoming legal framework will be wider than the current one.
Parliamentary amendments have been published on 9th January 2018.
As regards banking secrecy and outsourcing, the amendments introduce a new paragraph 9 to article 41 of the amended law of 5 April 1993 on the financial sector, which reads as follows: “This provision is without prejudice to the amended law of 2 August 2002 concerning the protection of individuals with regard to the processing of personal data”.
In response to questions raised by the Council of State and the CNPD, this amendment expressly states that the data protection law rules must be complied with, where applicable, in addition to the banking secrecy rules.
This amendment does not impose any additional obligation regarding the consent to be sought under article 41 of the law on the financial sector in case of outsourcing as compared to the previous drafting of the Bill 7024.
After the release of the complementary opinion of Council of State, a vote should be held in February.