The financial outsourcing (r)evolution

Luxembourg's well-known financial secrecy laws are changing. Bill n° 7024 amending inter alia Article 41 of the Financial Sector Act of 5 April 1993 (the "FSA") in this respect, initially gave rise to much discussion but was ultimately adopted. Barriers to several financial outsourcing transactions will officially disappear and the (IT) outsourcing landscape could undergo substantial changes. This newsflash takes a closer look at some of the most important changes which not only deal with the rules on professional secrecy but also clarify several organisational requirements to be complied with in outsourcing transactions.

Who is subject to the professional secrecy in the financial sector in Luxembourg?

Many individuals and entities in the financial sector are subject to a duty of professional secrecy, in particular:

  • natural and legal persons subject to prudential supervision by the Commission de Surveillance du Secteur Financier (the "CSSF") pursuant to the FSA;
  • natural and legal persons established in Luxembourg and subject to supervision by the European Central Bank (the "ECB") or a foreign supervisory authority for the exercise of an activity referred to in the FSA (new);
  • administrators, members of management bodies, directors, employees and other persons in the service of the abovementioned natural and legal persons.

A similar professional secrecy obligation has been foreseen for insurance companies and payment service providers in the respective laws regulating these activities.

For the sake of clarity it should be noted that investment funds are not subject to professional secrecy within the meaning of the FSA, but several of their service providers are, such as registrar agents and professional depositaries of financial instruments.

Persons to whom the information covered by professional secrecy may be disclosed

The distinction between outsourcing to intra-group and external entities that was initially made in bill no. 7024 has been abolished and replaced by a clear rule: the disclosure of the information covered by professional secrecy shall be possible where: (a) the sub-contractor is Luxembourg based and supervised itself; or (b) the client has agreed to the disclosure.

a) Supervised sub-contractor based in Luxembourg

Within the framework of a service agreement, the persons who are:

(i) established in Luxembourg;
(ii) supervised by the CSSF, the ECB or the Commissariat aux Assurances (the Luxembourg insurance regulator); and 
(iii) whose professional secrecy obligation is subject to criminal sanctions,

shall, following the adoption of bill no. 7024, be able to receive the information protected by a professional secrecy obligation.

b) Acceptance-based outsourcing

Under the CSSF's guidance to date (see inter alia Circular 12/552 prior to amendment by Circular 17/655), several financial institutions had already been entitled to outsource certain activities based on client consent. This consent-based exemption from professional secrecy obligations was not foreseen in the law, however, and thus gave rise to legal uncertainty. This uncertainty has fortunately been eliminated by new Article 41 of the FSA.

Henceforth, even entities that do not meet the abovementioned criteria may receive or access the information covered by professional secrecy obligations in the context of outsourced services if:

(i) the client has agreed, in accordance with the law or pursuant to a method of providing information agreed in between the parties, to: (a) the outsourcing of the relevant services, (b) the type of information that would potentially be disclosed in the context of such an outsourcing, and (c) the country in which the provider of the outsourced services is established; and
(ii) the relevant entity is subject to a professional secrecy obligation or is bound by a non-disclosure agreement.

While the initial version of the bill required the client's prior acceptance in writing, the final version offers some flexibility since financial institutions may – where there is no specific legal requirement – obtain the client’s acceptance pursuant to methods contractually agreed between the parties and, hence, implied acceptance could under circumstances be allowed.

Thus, the client’s acceptance within the meaning of the financial legislation does not appear to be the same as the data subject’s consent within the meaning of the data protection legislation (i.e. “any freely given, specific, informed and unambiguous indication of the data subject's wishes”). Nevertheless, it is of course possible that some types of outsourcing will require a more active consent in accordance with the data protection rules (e.g., transfers of data outside the EU/EEA that can have no other basis than consent).

How does the FSA revision impact the CSSF's prudential supervision of outsourcing?

The CSSF has amended Circular 12/552 to align it with new Article 41 of the FSA and adopted a new Circular 17/656 on key outsourcing principles. Both circulars now state that “financial sector customers should be informed or their consent obtained”. In other words, the CSSF does not impose in its guidance any consent requirement but has clarified at several occasions that the question as to whether consent must be obtained is to be assessed under Article 41 of the FSA. The latter being a provision subject to criminal law sanctions, the criminal courts have the last word on this.

It must be recalled that the CSSF prudential regulation implements the principles of sound governance and central administration that financial institutions should comply with. Whereas the focus of the FSA revision is with the outsourcing exception to the obligation of professional secrecy, it also has introduced a new set of outsourcing organisational requirements directly in the FSA itself. These requirements are inspired by the existing guidance framework governing insurance and payment institutions. Some of the new organisational requirements (e.g. the existence of a service contract or no delegation of responsibility) also appear to be inspired by the existing CSSF circulars on outsourcing, which still continue to apply alongside the FSA (for an overview, click here).


By simplifying and extending the exceptions to the professional secrecy obligation in order to allow financial institutions to outsource operations in a more flexible manner, the revised FSA is more likely to reassure market players and to accommodate the different interests of all stakeholders concerned.

However, the conditions of the end clients' acceptance, which is a key concept for a valid exception to the professional secrecy, might still give rise to discussions.

Some restrictions to outsourcing activities have been lifted, but such activities nonetheless remain heavily regulated by means of CSSF circulars which lay down robust conditions in this respect. The new outsourcing regime is thus certainly not a revolution but rather an evolution compared to the prior regime.