One of the key principles of Luxembourg financial regulation is the obligation of professional secrecy (often referred to as the bank secrecy, the "Professional Secrecy Obligation") laid down in Article 41(1) of the law dated 5 April 1993 on the financial sector, as amended (the "Financial Sector Act"). Outsourcing arrangements and, in particular, IT outsourcing operations which can lead to the disclosure of confidential data and thus to a potential breach of the Professional Secrecy Obligation are subject to rather strict legal conditions.
Article 41(5) of the Financial Sector Act provides for an explicit exception to the Professional Secrecy Obligation with respect to the information communicated to credit institutions and duly authorised support financial sector professionals (the "Support PSF") under a service agreement. On the basis of this exception, outsourcing of financial services can in principle only be made to these two types of entities. Several circulars of the Commission de Surveillance du Secteur Financier (the Luxembourg financial sector regulator, the "CSSF") further complete the legal framework on outsourcing in the financial sector.
On 29 July 2016, the Minister of Finance introduced the draft law no. 7024 (the "Draft Law") which creates more possibilities to outsource activities to both external and intra-group undertakings. If voted, the Draft Law will allow regulated financial institutions to outsource activities to:
(i) Luxembourg-based regulated entities other than banks and Support PSF;
(ii) group entities (subject to a prior information of the client);
(iii) other entities (subject to the client's consent).
Please read more on this topic in our newsletter.