Luxembourg Financial Regulator (CSSF) Introduces New Rules On The Access Of A Luxembourg Entity To IT Resources Of The Same Group - Financial Services

On 7 January 2013, the Luxembourg financial regulator, the Commission de Surveillance du Secteur Financier (CSSF) adopted circular CSSF 13/554 on the use and control of IT resources and the management of access to these resources. The circular has entered into force with immediate effect.

The CSSF found that, in practice, international financial groups often have a general access tool (e.g., IBM RAFC) for IT resources at the group level, which allows the uniform and simplified management of IT resources and facilitates access to intragroup IT resources (e.g. user accounts, printers, computers, IT services, etc.).

According to the CSSF, for the Luxembourg entity of such a group, this set-up could result in a loss of control over the IT resources for which it is responsible, which could conflict with the compliance and governance requirements applicable to the entity as a financial sector professional ('FSP") within the meaning of the Financial Sector Act 1993. The CSSF considers such a loss of control to be likely to further weaken the protection afforded confidential data under Luxembourg bank secrecy principle.

Thus, when a multinational financial group with a Luxembourg entity (FSP) wishes to use a general access tool for IT resources at the group level, circular 13/554 requires the Luxembourg FSP to introduce a formal, detailed authorisation request to the CSSF, proving it still has full control over the IT resources for which it is responsible.

This means that:

the Luxembourg FSP must be isolated as a user of the access tools;
a formal access tools policy must be put in place, whereby the Luxembourg FSP within the group approves and controls the policy for its access tools and is able to ensure continuous implementation of the approved access tools policy;
any change(s) to the access tools policy must be approved by the Luxembourg FSP for the access tools for which it is responsible prior to the implementation thereof (principle of preventive control).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.