Outsourcing versus Luxembourg professional secrecy


Michael Mbayi
WILDGEN, Luxembourg
michael.mbayi@wildgen.lu

Michel Bulach
WILDGEN, Luxembourg
michel.bulach@wildgen.lu

 

In the digital era it is hardly surprising that digitalisation is now present in almost every aspect of our lives, from social interactions to most of the economy. In the financial sector, all participants rely on digitalisation to operate their systems and to provide services. There are many examples, such as the use of the Cloud or the implementation of ‘paperless’ activities inside a group of companies. The Covid-19 pandemic has also shown the importance of digitalisation as a critical tool to ensure the continuity of activities in the financial sector.

Outsourcing is an important tool for a financial group to provide efficient and adequate services to its clients: the group can allocate its most appropriate team to a particular task, while also gaining efficiencies by externalising certain tasks to a third-party service provider. However, under Luxembourg law, professional secrecy is a core requirement, subject to criminal sanctions unless specific exemptions are provided by law. A Luxembourg professional in the financial sector may only outsource activities if it complies with the requirements of professional secrecy. In 2018, the Luxembourg legislator modernised the regime to help Luxembourg become a hub for outsourcing by group companies in the financial sector. In this article, we consider the main aspects of the regime regarding outsourcing in the Luxembourg financial sector, in light of Luxembourg’s professional secrecy rules.

Legal principle

Article 41 of the Luxembourg law of 5 April 1993 on the financial sector (the ‘Financial Sector Law’) provides that a Luxembourg professional in the financial sector may not disclose confidential data of clients to third parties. This principle is subject to criminal sanctions as provided by Article 458 of the Luxembourg Criminal Code.

The entities targeted by the professional secrecy provisions of Article 41 of the Financial Sector Law are credit institutions, investment firms, specialised professionals in the financial sector and support professionals in the financial sector.

The professional secrecy requirement concerns entities based in Luxembourg or Luxembourg branches of foreign entities.

Members of the board, authorised managers, employees and other persons in service of the in-scope entities are also subject to professional secrecy.

Luxembourg’s professional secrecy rules have international reach, meaning that as long as a person has knowledge of client data in the scope of their work or mandate in Luxembourg, such data may not be disclosed outside Luxembourg. Furthermore, after leaving the relevant functions, that person may not disclose the information.

Outsourcing exemption

The Financial Sector Law provides for exemptions to the principle of professional secrecy. We consider these exemptions with regard to outsourcing activities.

Outsourcing is defined by Circular 12/552 of the Luxembourg control authority of the financial sector (CSSF) as the ‘complete or partial transfer of the operational functions, activities or provisions of services of the institution to an external service provider, whether or not it is part of the group to which the institution belongs’.

We can illustrate two typical scenarios. The first is where an institution wishes to use a Luxembourg-based outsourcing provider controlled by the CSSF, the European Central Bank (ECB) or the Luxembourg control authority of the insurance sector. In this case, where there is a service agreement with an outsourcing provider, there is no obligation of professional secrecy vis-à-vis the provider and the data of the clients may be freely transmitted. Indeed, the outsourcing provider is itself subject to Luxembourg professional secrecy and is under the control of the Luxembourg authorities or the ECB.

The second scenario is where there is another type of outsourcing provider (ie, other than a Luxembourg-based outsourcing provider under the control of a prudential authority). The outsourcing provider may be a company within the same group or a third-party provider. In this case, there is an exemption from professional secrecy if the client has accepted the outsourcing. The acceptance shall be implemented as provided by law or as agreed between the parties. Furthermore, the client needs to approve the type of data transmitted in the scope of the outsourcing and the country to which the data will be transmitted and processed under the outsourcing. The last requirement in this scenario is that the outsourcing provider is under a confidentiality obligation (by law, or pursuant to a confidentiality agreement with the outsourcer).

Practice in the market

Credit institutions in the Luxembourg market have generally integrated the possibilities provided by Article 41 of the Financial Sector Law. Typically, there is a clause in the general terms and conditions of the institutions that provides for outsourcing. There is also a description of the types of data to be transmitted in the scope of the outsourcing and the countries in which outsourcing providers are established. Moreover, there is typically a possibility to update the terms and conditions and the scope of the outsourcing, by notification to the client or by publication on the website of the credit institution. An absence of objection to the amendments is considered approval of the new terms and conditions and of the outsourcing.

Foreign branches

It is important to determine from a professional secrecy perspective whether a foreign branch of a Luxembourg professional of the financial sector is considered to be a third party. One could argue that since a foreign branch is part of the same company and therefore shares the same legal personality with the head office, it would not be considered a third party for professional secrecy purposes. However, as mentioned above, Luxembourg professional secrecy applies to Luxembourg-based entities. Conversely, foreign-based entities or foreign branches are not within the scope of Luxembourg professional secrecy. As a consequence, foreign branches of Luxembourg institutions are third parties from a Luxembourg professional secrecy perspective.

Conclusion

We have seen that the outsourcing regime and the exemptions from professional secrecy obligations have introduced a modern and balanced regime for the outsourcing of activities, providing a framework that enables Luxembourg to become a hub for outsourcing by group companies in the financial sector.

However, when considering the implementation of different outsourcing solutions, local professionals in the financial sector as well as local and international service providers must check that their contractual arrangements are in line with the legal requirements of the relevant exemptions under Luxembourg law.

 
