Regulatory reporting deadlines
On 23 March 2020, the CSSF published a press release stressing the importance of timely regulatory reporting by supervised entities, especially given the current crisis.
The CSSF is however cognizant that certain supervised entities may experience operational difficulties in preparing or validating their CSSF reporting during the COVID-19 crisis. Accordingly, the CSSF has stated that, during the crisis, it will not apply a strict enforcement policy to supervised entities provided the reason for the delay is duly justified. One such reason could be the unavailability of staff who are working remotely without full access to all systems. Supervised entities facing a regulatory reporting delay should contact the CSSF promptly through the normal channels and as far in advance of the reporting deadline as possible.
The CSSF will closely coordinate any leeway it extends to supervised entities with national authorities, the European supervisory authorities and the European Central Bank.
Immediate review of organisational setup by supervised entities to enable working from home
In a communiqué released on 22 March 2020, the CSSF urges all supervised entities to immediately review their current organisational setup in order to ensure working from home.
The CSSF urges all supervised entities to review their current organisational setup immediately:
- So that working from the usual workplaces or backup sites is limited to vital functions “essential to maintain the critical mission of supervised entities for them to remain operational” and only to the extent these functions cannot be performed remotely;
- In order to implement virtual desktops and other remote-access solutions, cloud-based or not for employees who are not equipped with a mobile device.
The CSSF indicates that the financial sector needs to contribute to ensuring compliance with the lockdown measures in order to protect the public health system and that remote access from home should therefore be privileged.
New FAQ on swing pricing
In an FAQ of 20 March 2020, the CSSF provides clarification on the use of swing pricing by UCITS, Part II Funds and SIFs (the “UCIs”) as well as the conditions to be met in order to raise the swing factor above the level set out in the prospectus, even when this possibility is not provided for therein. UCIs can increase the swing factor up to the maximum level laid down in the prospectus without having to notify the CSSF in advance.
Under certain circumstances, UCIs can exceed the swing factor set out in the prospectus:
- If the prospectus expressly provides for this possibility
The management body can decide to increase the swing factor in accordance with the conditions and provisions of the prospectus. The decision must be duly justified and take into account the best interest of investors.
- If the prospectus does not provide for this possibility
Given the exceptional market circumstances caused by COVID-19, the CSSF will allow the management body of a UCI to exceed temporarily the swing factor beyond the maximum level mentioned in the prospectus, under certain conditions. This decision must be duly justified and take into account the best interest of investors. In addition, the prospectus must be updated as soon as possible to provide for this possibility.
In both cases, investors must be informed of the decision through the usual communication channels and a detailed notification, including an explanation of the reasons for the decision, must be submitted to the CSSF.
In order to raise the swing factor above the maximum level set out in the prospectus on a temporary basis:
- An appropriate communication must be made to investors through the usual communication channels;
- The revised swing factor must be based on a robust methodology (including analysis of market/transaction data) that provides for an accurate NAV, representative of prevailing market conditions.
Furthermore, the UCI can be requested to justify, on an ex-post basis, the swing factor applied and to provide documentary evidence that the factor was representative of prevailing market conditions at a given time.
Homeworking by support professionals of the financial sector (PFS)
In an FAQ of 18 March 2020, the CSSF clarified that its recommendation to financial institutions subject to its supervision to favour working from home in the framework of their business continuity plans, in the Covid-19 context, also applies to all support PFS.
Although prior authorisation by the CSSF is not required, the CSSF indicates that a support PFS must, as regards services provided to clients, request and receive authorisation from its client for any services provided from home by employees of the PFS which involves access to the client’s IT environment, including the implementation of security measures.
Deadline for submission of AML/CFT survey extended until 10 April
In a circular of 17 March 2020, the CSSF indicated that it is granting an extension for submission of the AML/CFT survey. The new deadline is close of business on 10 April 2020. The CSSF notes, however, that any professional that fails to submit the survey by the new deadline will be considered in breach of Article 5(1) of the Act of 12 November 2004 on the fight against money laundering and terrorist financing (the "AML/CFT Act"). As a result, the CSSF "will be in a position to apply the sanctions foreseen in Article 8-4 of the AML/CFT Act and also take into account previous breaches of the aforementioned obligation by the professional when determining the sanction".
Current CSSF operating model
In a press release of 17 March 2020, the CSSF indicates that funds and professionals should communicate with the CSSF either through the eDesk portal or by e-mail. All outgoing CSSF communications will be sent by e-mail from the @cssf.lu domain.
FAQ on minimum IT security requirements for remote access
On 17 March 2020, the CSSF issued an FAQ clarifying the rec-ommended minimum IT security requirements for remote access implemented to meet the demands of the exceptional situation created by Covid-19 and issuing minimum recommendations with respect to:
- High-privileged access: identification of user profiles with the highest risk levels (IT administrators, employees in charge of transactions/payments, etc.) and the implementation of proper security measures (strong authentication, access from a secure laptop, logging and review of sensitive ac-tions);
- Secure communication: encryption of communication channels (e.g. use of VPN with AES-256, RSA-2048 encryption);
- Connection monitoring: controls to ensure, at least, that remote connections are consistent with recourse to teleworking (i.e. access during office hours, geofencing);
- The duration of remote access: remote access introduced due to the exceptional Covid-19 situation should be temporary and disabled once the exceptional circumstances have passed.
The CSSF is further “urging financial institutions under its prudential supervision to favour working from home as part of their business continuity plans. As already mentioned in the communication of 2 March, satisfactory IT security conditions should be guaranteed and no prior authorisation is needed for such work arrangements.
Would you like to stay up to date of our publications regarding COVID-19? Register here. We will send you a weekly update with the latest publications.