
Monday, 17 May 2021

The CSSF has published a circular on teleworking for supervised entities in a non-pandemic situation

On 9 April 2021, Luxembourg's financial sector supervisory authority (Commission de Surveillance du Secteur Financier - "CSSF") published CSSF Circular 21/769 on "Governance and security requirements for Supervised Entities to perform tasks or activities through Telework" (the "CSSF Circular").

1. Scope and key concepts

The CSSF Circular defines governance and security requirements for the implementation and use of work processes based on Telework solutions by entities under the supervision of the CSSF (e.g. credit institutions, investment firms, management companies, payment and electronic money institutions, specialised and support PFS, etc.) (defined as "Supervised Entities"). More specifically, the CSSF Circular applies to:

  • Supervised Entities and their branches, in Luxembourg or abroad (to the extent Telework is authorised in the countries where the branches are established and provided that they comply with national regulations);
  • Luxembourg branches of entities originating from:
    • outside of the European Economic Area ("EEA"); or
    • a member state of the EEA provided that (i) their home country authorises Telework and (ii) they ensure compliance with national rules and regulations applicable in the home Member State.

"Telework" is defined by the CSSF Circular as "a form of organising and/or carrying out work, using information and communication technologies within the framework of an employment contract authorising work, which would ordinarily be carried out in the employer's premises, to be performed outside the premises of the employer." The CSSF clarifies that, for a working relationship to fall under the qualification of Telework, work must be:

  1. delivered through information and communication technologies ("ICT") previously approved by the employer; AND
  2. performed on a regular or occasional and voluntary basis and within the defined working hours at a predetermined place different from the employer's premises (N.B.: Supervised Entities shall have documented rules in place to specify from where Telework is allowed).

Telework shall be organised under the ultimate responsibility of the management body of the Supervised Entity or any body that represents the Supervised Entity.

It is worth noting that no approval by the CSSF is required for a Supervised Entity to implement, maintain or extend Telework for its personnel.

Moreover, the CSSF Circular shall only apply under normal general working conditions. It shall not apply in a pandemic situation (e.g. the ongoing COVID-19 pandemic) or in any other exceptional circumstances having a comparable impact on general working conditions.

Finally, the CSSF Circular is limited to financial sector regulatory requirements. All contractual relations between Supervised Entities and their employees are out of the scope of the CSSF Circular. It does not create any precedence for rights or obligations on whether entities may implement Telework under the supervision of the CSSF. Furthermore, it does not interfere in any legal provisions that are part of Luxembourg's mandatory public policy provisions (règles d'ordre public) or part of the Luxembourg Labour Code.

2. Key requirements

The CSSF Circular sets out a number of (i) baseline, (ii) internal organisation and control, and (iii) security requirements for Supervised Entities willing to implement Telework.

Baseline requirements:

The CSSF Circular insists on the necessity for Supervised Entities implementing Telework to maintain at all times a robust central administration in the Grand Duchy of Luxembourg, which shall consist of a "decision-making centre" and an "administrative centre" benefiting from the sufficient and appropriate staff and infrastructure required to exercise the Supervised Entity's activities. Staff members shall also be able to return to the Supervised Entity's premises at short notice in case of need.

The CSSF Circular further enumerates several specific baseline criteria to be respected in the context of the implementation, use or extension of Telework:

  • the number of staff members authorised to Telework at the same time must comply with central administration requirements;
  • the amount of (normal working) time each staff member is allowed to Telework shall be limited;
  • in principle and taking into account the proportionality principle, at least one authorised manager shall be on-site at the head office at all times, and the Supervised Entities shall ensure sufficient representation of critical functions in their premises to guarantee the adequate functioning of activities and controls as well as proper decision-taking;
  • the head office shall at all times remain the "decision-making centre" as part of the central administration of the Supervised Entity (and the entity shall be able to demonstrate this); and
  • the ongoing performance of critical activities shall be guaranteed.

Internal organisation and internal control framework

In addition to baseline requirements, the CSSF Circular provides for a framework relating to internal organisation and internal control, including the necessity for Supervised Entities to:

  • perform an analysis in order to identify the inherent risks in implementing Telework (e.g. operational risks, including legal, ICT, compliance and reputational risks) and implement adequate mitigating controls and measures;
  • implement and regularly review (at least annually) a Telework policy defining the related framework and limits;
  • maintain sufficient evidence enabling the monitoring of the compliance with the Telework policy (e.g. record the name, function and department/unit of each staff member teleworking) and the CSSF Circular to allow CSSF monitoring; and
  • involve internal control functions (e.g. compliance, internal audit, risk management etc.) in the implementation of Telework.

ICT and security requirements

The CSSF Circular finally provides for some ICT and security requirements to be applied by Supervised Entities in proportion to the risks to which they are (or could be) exposed, in order to protect the confidentiality, integrity and availability of their data, information and ICT systems. Supervised Entities shall, in particular:

  • define the high-level principles and rules applicable in the context of Telework either in their general security policy or in the Telework policy;
  • ensure that their staff members are aware of Telework-related risks and best practices;
  • align their access rights management procedures and accesses granted for Telework with their risk assessment and Telework security policy;
  • maintain control over the security of the devices used to connect to their ICT systems remotely (e.g. by favouring corporate-owned devices, ensuring encryption of data or using virtual desktop infrastructures (VDI));
  • maintain a high level of security and availability of the Telework infrastructure; and
  • implement 2-factor authentication (2-FA) for remote connections to their systems – authentication mechanism may be adapted (principle of proportionality), but robust dynamic 2-FA procedures (e.g. one-time password tokens) shall be required for access to critical activities.

Save for exceptional circumstances, the CSSF Circular will enter into force on 30 September 2021.

The CSSF will monitor its application within the first 12 months of its entry into force and will thereafter proceed with a review of the circular in order to address any potential abuse, shortcoming or deficiency.


For any questions, please contact your trusted advisor at Tiberghien Luxembourg or any of the authors of this publication.

Thomas Roberdeau – Counsel (thomas.roberdeau@tiberghien.com)

Andréas Molter – Associate (andreas.molter@tiberghien.com)
