On 9 April 2021, the Commission de surveillance du secteur financier (“CSSF”) published valuable guidance on the governance and security requirements applicable to remote/home working (“Telework”) in the form of CSSF Circular 21/769 on governance and security requirements for supervised entities to perform tasks or activities through telework (“the Circular”).
The Circular applies to all entities subject to CSSF supervision (credit institutions, management companies, AIFMs, investment firms, specialised and support PFS, payment institutions, electronic money institutions, etc.).
The Circular only applies to entities relying on Telework, defined as “a form of organising and/or carrying out work, using information and communication technologies, within the framework of an employment contract, authorising work, which would ordinarily be carried out on the employer's premises, to be performed outside the premises of the employer”. It does not apply to other forms of remote access, or to connections from the employer’s premises to systems not hosted at those premises.
The Circular only applies under normal working conditions: the Circular does not apply in pandemic situations (such as COVID-19) or other exceptional circumstances with similar effects on working conditions.
The Circular does not interfere with applicable labour law provisions and does not regulate the contractual relationship between employer and employee.
2. Entry into force
The Circular enters into force on 30 September 2021.
3. Key principles
The Circular does not impose any requirement for prior approval by the CSSF in order to implement Telework arrangements.
The Circular confirms that supervised entities may generally allow staff to perform tasks through Telework, subject to the limits set by the Circular.
Such limits consist of three types of requirements laid down in the Circular:
- baseline requirements for the purpose of ensuring that entities can continue to perform their activities and meet their regulatory requirements in an effective and secure manner;
- requirements pertaining to the entities’ internal organisation, including the review, by the entities’ internal control functions (where applicable: compliance, risk management including information security (RSSI/CISO), and internal audit), of the implementation of the Telework Policy and of its compliance with applicable requirements; and
- requirements aimed at keeping ICT and security risks at acceptable levels.
4. Specific points to note
Supervised entities must carry out their own assessment of the extent of Telework allowed, in particular by performing a risk analysis identifying all inherent risks, under the ultimate responsibility of the management body (typically the board of directors).
At least one authorised manager, as well as the key functions, must be present on site at the supervised entity at all times.
Supervised entities must implement a separate Telework Policy defining the framework and limits under which Telework is allowed, as well as a (separate or integrated) Security Policy defining the rules to protect the confidentiality, integrity and availability of the entities’ data and ICT systems.
Supervised entities must retain control over the security of the devices used for remote connections to their ICT systems, notably through robust monitoring and sound logging processes, and must secure the remote connections themselves, notably by encrypting data in transit and by requiring (strong) two-factor authentication for remote access.
Supervised entities must be able to demonstrate, and provide evidence of, compliance with the aforementioned policies and with the requirements of the Circular to the CSSF and to their external auditors, in particular by keeping a record of the name, function and department/unit of each staff member performing Telework.
The requirements of the Circular are to be applied having regard to the principle of proportionality.
5. Broader regulatory context
The rules of the Circular should be read together with other relevant applicable regulatory guidance on internal organisation and governance, such as the internal governance rules specified in the amended CSSF Circular 12/552, CSSF Circular 20/758 and CSSF Circular 18/698.
6. Labour law context
As mentioned previously, the Circular does not interfere with applicable labour law provisions; more specifically, it does not regulate the contractual relationship between employer and employee.
From a labour law perspective, it is also important to highlight that the rules of the Circular must be read in conjunction with other applicable regulations, such as those of the Labour Code and of the recently adopted convention establishing a new legal framework for Telework, which was declared of general obligation (and thereby extended to all employers and employees within its scope) by a Grand Ducal regulation dated 22 January 2021 (“the Convention”).
Because the Circular and the Convention are not identical in scope and discrepancies between the two sets of rules may arise in certain situations, the interplay between them will require particular attention.
Telework policies should be drafted with care in order to ensure compliance with the various applicable rules and regulations and to avoid potential friction between them (e.g. regarding definitions of certain terms used as well as policy content).
Last but not least, the social security and tax implications for cross-border commuters, who reside abroad and therefore work from abroad when teleworking, should be duly monitored.