On 11 December 2012, the Luxembourg financial regulator, the Commission de Surveillance du Secteur Financier (CSSF), issued a new circular (CSSF 12/552) on central administration, internal governance and risk management by credit institutions and investment firms. This circular, which will replace a number of other circulars dealing with these same subjects, codifies the existing prudential rules and brings them into line with recent international texts such as the European Banking Authority Guidelines on Internal Governance (GL 44) of 27 September 2011 and the Basel Committee on Banking Supervision Guidelines on the Internal Audit Function in Banks of 28 June 2012.

The circular, which will enter into effect on 1 July 2013, lays down inter alia prudential rules on the management and outsourcing by credit institutions and investment firms of their IT services. The new circular will replace circular CSSF 05/178, which provides guidance on the compliance of IT outsourcing with the bank secrecy principle and the central administration (including adequate organisation) requirements. It should be noted that a similar codification and update with respect to IT matters would be welcome for other categories of financial sector professionals ("FSPs").

Other relevant IT circulars will not be abolished and, hence, will continue to apply, including to credit institutions and investment firms. These include circulars CSSF 06/240 and 08/350, which provide guidance on FSP support activities subject to a particular type of authorisation issued by the minister of finance under the Financial Sector Act 1993 ("FSA"), i.e., the activities of:

  • client communication agents (Art. 29-1 FSA);
  • financial sector administrative agents (Art. 29-2 FSA); and
  • (primary and secondary) IT systems and communication networks operators in the financial sector (Arts. 29-3 and 29-4 FSA).

Pursuant to Article 41-5 FSA, financial institutions can outsource activities to support FSPs without violating the principle of bank secrecy which normally applies to information received by FSPs in the course of their business.

Circular CSSF 12/552 reiterates the key principles of IT outsourcing circular CSSF 05/178 in terms of (i) the consistency of the outsourced activity with a predefined policy based on a risk assessment; (ii) the main liability of the outsourcing institution to its clients; (iii) the confidentiality of data; (iv) the institution's ability to control all stages of the outsourcing process; and (v) the institution's ability to continue its business in times of crisis or other exceptional situations.

Circular CSSF 12/552 also introduces certain changes to the existing regulatory framework, such as:

  • a clarification that some of the rules apply to outsourcing in general, not only to IT outsourcing;
  • the mandatory appointment of an IT officer and an information security officer;
  • the need to obtain the CSSF's prior authorisation to outsource "material activities", i.e., activities the non- or poor performance of which would diminish the ability of the institution to comply with the applicable regulatory framework or to pursue its operations, as well as activities necessary to sound and prudent risk management;
  • a clearer distinction between the various types of outsourced IT activities (IT systems and communication networks operation and management; IT consulting, development and maintenance; and IT hosting services) and the rules applicable to each;
  • an authorisation to allow the operation and management of IT systems and communication networks, which can in principle only be outsourced to FSPs within the meaning of Arts. 29-3 and 29-4 FSA, to be outsourced to a group entity, to the extent this entity is only active intragroup and the systems do not contain any readable data;
  • more flexible outsourcing rules when the final client has given its prior consent to the outsourcing (this clarification enshrines the case law of the Luxembourg courts according to which final clients can expressly waive the benefit of bank secrecy);
  • more flexible rules for hosting services by external and unaffiliated subcontractors in Luxembourg and abroad.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.