Banking Secrecy and The Law of 27 February 2018: A Shrinking Concept


Further to the passing of draft law No 7024 on 6 February 2018 by the Chamber of Deputies, the law of 27 February 2018 on interchange fees and amending several laws relating to financial services was published on 1 March 2018 (the "2018 Law").1 Most of its legal provisions (including those covered in this legal alert) entered into force on 5 March 2018.

The 2018 Law has introduced new amendments to article 41 of the Law of 5 April 1993 on the financial sector (the "1993 Law"), which embeds the rules on banking secrecy applicable to Luxembourg credit institutions and PFS.2 As explained below, although the protection of banking secrecy is reaffirmed by the 2018 Law, more flexibility is given regarding the exceptions to this principle.

It is worth noting that the 2018 Law has also reflected the changes made to Article 41 in the corresponding provisions of (i) the law of 10 November 2009 on payment services, as amended3 (the "2009 Law") and (ii) the law of 7 December 2015 on the insurance sector, as amended4 (the "2015 Law"). As a consequence, payment institutions, electronic money institutions and the entities of the insurance sector in Luxembourg (including insurance and reinsurance undertakings) are now subject to professional secrecy rules which are similar to those currently imposed on credit institutions and PFS.


The first paragraph of article 41 of the 1993 Law (this article being hereinafter referred to as "Article 41") has been amended so as to bring it in line with legislative changes which have occurred in recent years, namely, (i) the supervision of significant supervised entities (including some credit institutions) and significant supervised groups by the European Central Bank ("ECB") and (ii) the implementation of directive 2014/59/EU establishing a framework for the recovery and resolution of credit institutions and investment firms5 by the law of 18 December 2015 relating to the failure of credit institutions and certain investment firms, as amended.

As a consequence, the new version of Article 41 applies to all natural and legal persons that are subject to the prudential supervision of the Luxembourg Commission for the Supervision of the Financial Sector (Commission de Surveillance du Secteur financier or "CSSF") or those which are established in Luxembourg and subject to the prudential supervision of the ECB or a foreign supervisory authority, insofar as their activities fall within the scope of the 1993 Law. Moreover, the members of the management body, the directors, the employees and other persons who work for these natural or legal persons are also bound by banking secrecy.

The 2018 Law also confirms that banking secrecy continues to apply in case of reorganisation procedures, recovery procedures, winding-up procedures or insolvency procedures which can affect credit institutions and PFS and extends to the persons that are appointed, mandated or employed to act in such circumstances (including their employees).


1. Outsourcing Agreements

The 2018 Law incorporated new rules in Article 41 in order to address the cases where credit institutions or PFS enter into outsourcing agreements with various types of third parties.6

The requirements imposed by this new provision vary according to the identity of the service providers7 and are generally stricter if the service provider in charge of the outsourced services is not supervised by the ECB or authorised in Luxembourg to perform activities of the financial sector or the insurance sector.

a. Outsourcing of services to specific regulated entities

Article 41(2a), first sub-paragraph, allows credit institutions and PFS to outsource activities to Luxembourg service providers supervised by the CSSF, the ECB or the Luxembourg insurance commission (Commissariat aux Assurances or "CAA"), subject to the following requirements8:

(i) the information that is communicated to the service provider is disclosed pursuant to a service contract;

(ii) the service provider is bound by rules of professional secrecy which are criminally sanctioned; and

(iii) the communication of information to these persons is carried out through a service contract.

b. Outsourcing of services to other entities

Article 41(2a), second sub-paragraph, provides for more stringent rules on banking secrecy, which are only disapplied where confidential information is disclosed to service providers not supervised by the CSSF, the ECB or the CAA, so long as the following requirements are complied with:

(i) in accordance with the law or the contractual conditions agreed between the parties9, the client has accepted the outsourcing of the relevant services, the type of information to be disclosed in this context and the country of establishment of the service provider(s); and

(ii) each of the service providers that have access to confidential information is subject to a professional secrecy obligation or bound by a confidentiality agreement with the credit institution or the PFS.

Since the 2018 Law does not require customers to agree in writing to the disclosure of information, other forms of prior consent (e.g., orally or impliedly) would be valid but could be more problematic from an evidential perspective.

2. Disclosure of information to regulators

Article 41(3) has slightly amended the communication channels that can be used to disclose information to national and foreign regulators (including European regulators such as the ECB).

The conditions that were specified in the earlier version of Article 41(3) have been maintained, i.e. (i) the authorities requesting the information must act within their legal competences to supervise the financial sector (which now comprises operations carried out in the context of resolution proceedings), (ii) the information that is disclosed must be subject to the professional secrecy of the receiving authority, and (iii) the transfer of information must take place through the intermediary of the parent company or shareholder of the credit institution/PFS, which is itself subject to the prudential supervision of the authority requesting the information.

In order to facilitate the transfer of information, the 2018 Law specifies that when the information is requested by the ECB, the Single Resolution Board, the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) or the European Insurance and Occupational Pensions Authority (EIOPA), each of them being empowered to make such a request according to the applicable laws and regulations, the Luxembourg credit institution/PFS can send the information directly to them.

3. Intra-group disclosure of information

Article 41(4), first sub-paragraph now contains more lenient rules for the disclosure of information to the parent company of, or shareholders having a qualifying holding in, a Luxembourg credit institution or a PFS.10

Accordingly, the information protected by banking secrecy can be communicated to these persons not only to ensure the sound and prudent management of the credit institution/PFS, but also to allow the risk assessment on a consolidated basis and the calculation of consolidated prudential ratios.11 However, the 2018 Law requires that any disclosure made in these circumstances be "strictly" necessary to the attainment of these purposes.12 Moreover, the 2018 Law has deleted the prohibition contained in the earlier version of Article 41(4), first sub-paragraph, according to which no information could be transmitted by credit institutions/PFS if it related to their obligations towards non-PFS customers (e.g., retail clients). Such a restriction is no longer applicable.

Furthermore, the 2018 Law has not amended the exception contained in Article 41(4), second sub-paragraph, regarding the disclosure of information to the group's internal control bodies for the global management of legal and reputational risks relating to money laundering and terrorist financing.


New Article 41(9) clarifies the idea that the rules on banking secrecy (and more particularly, the exceptions to this principle) are without prejudice to the law of 2 August 2002 on the protection of persons with regard to the processing of personal data, as amended (the "2002 Law").

The intent of the Chamber of Deputies behind the insertion of this paragraph in Article 41 was to recall that even if credit institutions or PFS outsource services to third parties according to Article 41(2bis), they still have to ensure that they do not act in breach of the 2002 Law.13


The protection of banking secrecy remains undisputed in Luxembourg. Nevertheless, the approach retained by the Luxembourg law-maker has been to allow for more derogations to this principle in recent years. While these exceptions were often required by European directives and legislation, the laws amending Article 41 have also gradually offered more flexibility to Luxembourg credit institutions and PFS in this context (and in particular regarding the outsourcing of their services).

1 Memorial A, No 150, 1 March 2018.
2 As defined in article 1, 28) of the 1993 Law. This term includes investment undertakings, specialised PFS and support PFS.
3 Article 30 of the 2009 Law.
4 Article 300 of the 2015 Law.
5 Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012 of the European Parliament and of the Council (OJ L173, 12.6.2014, p. 190).
6 The 2018 Law also contains rules on the outsourcing of services by Luxembourg credit institutions and support PFS. In addition, some circulars have been either amended or published in light of the introduction of the exception to banking secrecy in case of outsourcing.
7 It is worth noting that the approach originally retained by the Chamber of Deputies was to differentiate intra-group outsourcing from the outsourcing of services to entities which do not belong to the same group as the credit institution or the PFS. This distinction was eventually not maintained (parliamentary document No 7024/5, p. 24).
8 The earlier version of Article 41 already contained a narrower exception to the banking secrecy rules vis-à-vis credit institutions and PFS acting as service providers under outsourcing agreements (see the previous version of Article 41 (5)).
9 According to the parliamentary history of the 2018 Law (Parliamentary document No 7024/5, p. 24), these contractual conditions include the general terms and conditions that can be imposed on a customer.
10 A qualifying holding is any direct or indirect holding representing at least 10% of an undertaking's share capital or voting rights or exercising a significant influence over the management of this undertaking. The shareholders having such a qualifying holding are taken into account when the relevant credit institution/PFS is authorised.
11 According to the earlier version of Article 41, the disclosure of information to shareholders having a qualifying holding was only possible if this was necessary for the sound and prudent management of the credit institution or the PFS.
12 According to the parliamentary history of the 2018 Law, although the Council of State suggested that the adverb "strictly" should not be included in the phrase "strictly necessary" in Article 41(4), first sub-paragraph, the Chamber of Deputies took the opposite view and eventually decided to maintain this restriction in the final text of the law (Parliamentary Document No 7024/2, p. 9; Parliamentary Document No 7024/5, p. 36).
13 This paragraph was kept in the final text of the 2018 Law whilst the Council of State was of the opinion that credit institutions and PFS are in any case subject to the 2002 Law (which, according to the latest version of draft law No 7184, will be repealed further to the application of regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR) since 25 May 2018).