Article 41 of the Law of 5 April 1993 on the financial sector (“LFS”), as amended, provides for an obligation of professional secrecy with regard to information confided to institutions of the financial sector and their employees or representatives in the context of their professional activities (“Banking Secrecy Obligation”), subject to certain exemptions also provided for in this Article.
Substantial amendments to this provision were adopted on 27 February 2018 in order to allow these institutions to make more extensive use of outsourcing solutions including transfers of confidential information.
Previously, only the communication of information to credit institutions and duly authorised support financial sector professionals within the meaning of the LFS under a service agreement was exempt from the Banking Secrecy Obligation. Several circulars of the Commission de Surveillance du Secteur Financier (“CSSF”) completed the legal framework in practice by admitting the client’s consent under certain conditions as a legitimate reason for the transfer of confidential information.
Under the new regime, the exemption is extended without further conditions for outsourcing to entities established in Luxembourg and supervised by the CSSF, the European Central Bank or the Commissariat aux Assurances and whose professional secrecy obligation is subject to criminal sanctions.
As regards the outsourcing of activities to all other types of entities (whether they are situated inside or outside Luxembourg or whether or not they belong to the same group), information covered by the Banking Secrecy Obligation may be transferred (or given access to) under the condition that the client has agreed, in accordance with the law or pursuant to a method of providing information agreed between the parties, to (i) the outsourcing of the relevant services, (ii) the type of information that would potentially be disclosed in the context of such outsourcing, and (iii) the country in which the provider of the outsourced services is established. The relevant entity must also be subject to a professional secrecy obligation or bound by a non-disclosure agreement.
The means of obtaining client consent (i.e. through provisions of the general terms and conditions) are thus facilitated. Furthermore, a mere contractual confidentiality undertaking will be sufficient at the level of the recipient of the information.
The new regime is also introduced for insurance companies and payment service providers, subject to similar professional secrecy obligations, by way of amendments to the relevant provisions of the respective laws regulating their activities.