Outsourcing made easier: professional secrecy in the financial and insurance sector softened

Through the law of 27 February 2018 implementing the EU regulation (UE) 2015/751 on interchange commissions for card based payments, which amends various laws relating to the financial sector (and was published in the Luxembourg official gazette on March 1st 2018), the Luxembourg parliament has now relaxed the rules on professional secrecy for banks, investment firms, other regulated professionals of the financial sector, payment institutions, electronic money institutions and insurance undertakings (together the « financial institutions ») to facilitate outsourcing arrangements.

Until now there was some uncertainty around the possibility to rely on a client’s consent for the transfer of client data to third parties, since the professional secrecy rules incumbent upon financial institutions were considered by courts to be public policy provisions,i.e. provisions to which contractual derogations are not allowed.

The new law provides that clients of financial institutions may consent to the transfer of their data by such financial institutions to an outsourcee.

Consent can be explicit or implied based on the information provisions agreed among parties.

Many financial institutions have agreed on general terms and conditions with their clients which provide that amendments may be made thereto by merely giving notice to the client and that they will become effective within a certain period of time failing an objection by the client. Such financial institutions can now rely on this implied consent provision to amend their general terms and conditions and provide for a right to outsource certain functions to a third party outsourcee who will have access to confidential client data.

It seems that the wording of the law even allows for other methods to obtain an implied consent from clients.

The consent needs to be informed in the sense that clients must be informed on (i) the type of data that will be accessible by or transferred to the outsourcee, and (ii) the country where the outsourcee is based.

The outsourcee must be bound by legal professional secrecy duties or by contractual confidentiality duties.

Data protection, governance and data integrity rules are not affected by the above changes.

Finally, the new law broadens also the possibilities to exchange client data among financial institutions.

Related : Arendt & Medernach ( Mr. Philippe Dupont ,  Mr. Pierre-MichaŽl de Waersegger ,  Mr. Glenn Meyer ,  Mr. Paul Mousel )

[+ http://www.arendt.com]

Mr. Philippe Dupont Mr. Philippe Dupont
Mr. Pierre-MichaŽl de Waersegger Mr. Pierre-MichaŽl de Waersegger
Mr. Glenn Meyer Mr. Glenn Meyer
Mr. Paul Mousel Mr. Paul Mousel

Click here to see the ad(s)
All articles Financial law

Lastest articles Financial law

CSSF warning notice on Initial Coin Offering

In a precedent newsflash dated November 16th 2017, we informed you about a press release issued by the Luxe...

Read more


Funds subject to part II of the law of 17 December 2010 on undertakings for collective investment (Part II-Funds resp...

Read more

Anti-money laundering: Amendments to legislation

Significant changes have been brought recently to the Anti-Money Laundering ("AML") legislation. The Luxembou...

Anti-money laundering: Amendments to legislation Read more

The financial outsourcing (r)evolution

Luxembourg's well-known financial secrecy laws are changing. Bill n° 7024 amending inter alia Article 41 of the Fi...

Read more

Lastest articles by Mr. Philippe Dupont

EU Securities Financing Transactions Regulation (ďSFTRĒ): are you ready to comply with Article 15...

The SFTR, which is due to be published shortly, aims at increasing the level of transparency in securities financing trans...

Read more

Lastest articles by Mr. Pierre-MichaŽl de Waersegger

PRIIPs KID: The final pieces of the puzzle

The pieces of the puzzle are finally falling into place. The long- awaited level 3 and 4 measures have been published earl...

Read more

RIIPs KID: Amended Delegated Regulation adopted by the European Commission

On 8 March 2017, the European Commission adopted a Commission Delegated Regulation, including Annexes (PRIIPs RTS), supple...

Read more

PRIIPs KID: Amended Delegated Regulation adopted by the European Commission

On 8 March 2017, the European Commission adopted a Commission Delegated Regulation, including Annexes (PRIIPs RTS), supple...

Read more

PRIIPs KID: the European Commission announces a 12 month-delay in implementation

In the interests of ensuring a smooth implementation and to ensure legal certainty for the industry, the European Commissi...

Read more

Lastest articles by Mr. Glenn Meyer

New anti-money laundering rules in Luxembourg

On 14 February 2018, the law of 13 February 2018 implementing a substantial part of the 4th anti-money laundering directiv...

Read more

Registers of beneficial ownership: new rules to be implemented soon

The draft laws implementing AMLD 4 set out strict rules to allow for protection against improper access to the information...

Read more

Lastest articles by Mr. Paul Mousel

LexGO Network