1. Scope and key concepts
The CSSF Circular defines governance and security requirements for the implementation and utilisation of work processes based on Telework solutions by entities under the supervision of the CSSF (e.g. credit institutions, investment firms, management companies, payment and electronic money institutions, specialised and support PFS, etc.) (defined as "Supervised Entities"). More generally, the CSSF Circular applies to:
- Supervised Entities and their branches, in Luxembourg or abroad (to the extent Telework is authorised in the countries where the branches are established and provided that they comply with national regulations);
- Luxembourg branches of entities originating from:
  - outside of the European Economic Area ("EEA"); or
  - a member state of the EEA, provided that (i) their home country authorises Telework and (ii) they ensure compliance with national rules and regulations applicable in the home Member State.
"Telework" is defined by the CSSF Circular as "a form of organising and/or carrying out work, using information and communication technologies within the framework of an employment contract authorising work, which would ordinarily be carried out in the employer's premises, to be performed outside the premises of the employer." The CSSF clarifies that, for a working relationship to fall under the qualification of Telework, work must be:
- delivered through information and communication technologies ("ICT") previously approved by the employer; AND
- performed on a regular or occasional and voluntary basis and within the defined working hours at a predetermined place different from the employer's premises (N.B.: Supervised Entities shall have documented rules in place to specify from where Telework is allowed).
Telework shall be organised under the ultimate responsibility of the management body of the Supervised Entity or any body that represents the Supervised Entity.
It is worth noting that no approval by the CSSF is required for a Supervised Entity to implement, maintain or extend Telework for its personnel.
Moreover, the CSSF Circular shall only apply under normal general working conditions. It shall not apply in a pandemic situation (e.g. the ongoing COVID-19 pandemic) or under any other exceptional circumstances having a comparable impact on general working conditions.
Finally, the CSSF Circular is limited to financial sector regulatory requirements. All contractual relations between Supervised Entities and their employees are out of the scope of the CSSF Circular. It does not create any precedent for rights or obligations as to whether entities under the supervision of the CSSF may implement Telework. Furthermore, it does not interfere with any legal provisions that are part of Luxembourg's mandatory public policy provisions (règles d'ordre public) or part of the Luxembourg Labour Code.
2. Key requirements
The CSSF Circular sets out a number of (i) baseline, (ii) internal organisation and control, and (iii) security requirements for Supervised Entities willing to implement Telework.
The CSSF Circular insists on the necessity for Supervised Entities implementing Telework to maintain at all times a robust central administration in the Grand Duchy of Luxembourg which shall consist of a "decision-making centre" and "administrative centre" benefiting from sufficient and appropriate staff and infrastructure required to exercise the Supervised Entity's activities. Staff members shall also be able to return to the Supervised Entity's premises within short notice in case of need.
The CSSF Circular further enumerates several specific baseline criteria to be respected in the context of the implementation, use or extension of Telework:
- the number of staff members authorised to Telework at the same time must comply with central administration requirements;
- the amount of (normal working) time each staff member is allowed to Telework shall be limited;
- in principle and taking into account the proportionality principle, at least one authorised manager shall be on-site at the head office at all times, and the Supervised Entities shall ensure sufficient representation of critical functions in their premises to guarantee the adequate functioning of activities and controls as well as proper decision-taking;
- the head office shall at all times remain the "decision-making centre" as part of the central administration of the Supervised Entity (and the entity shall be able to demonstrate this); and
- the ongoing performance of critical activities shall be guaranteed.
Internal organisation and internal control framework
In addition to baseline requirements, the CSSF Circular provides for a framework relating to internal organisation and internal control, including the necessity for Supervised Entities to:
- perform an analysis in order to identify the inherent risks in implementing Telework (e.g. operational risks, including legal, ICT, compliance and reputational risks) and implement adequate mitigating controls and measures;
- implement and regularly review (at least annually) a Telework policy defining the relating framework and limits;
- maintain sufficient evidence enabling the monitoring of the compliance with the Telework policy (e.g. record the name, function and department/unit of each staff member teleworking) and the CSSF Circular to allow CSSF monitoring; and
- involve internal control functions (e.g. compliance, internal audit, risk management etc.) in the implementation of Telework.
ICT and security requirements
The CSSF Circular finally provides for some ICT and security requirements to be applied by Supervised Entities in proportion to the risks to which they are (or could be) exposed, in order to protect the confidentiality, integrity and availability of their data, information and ICT systems. Supervised Entities shall, in particular:
- define the high-level principles and rules applicable in the context of Telework either in their general security policy or in the Telework policy;
- ensure that their staff members are aware of Telework-related risks and best practices;
- align their access rights management procedures and accesses granted for Telework with their risk assessment and Telework security policy;
- maintain control over the security of the devices used to connect to their ICT systems remotely (e.g. by favouring corporate-owned devices, ensuring encryption of data or using virtual desktop infrastructures (VDI));
- maintain a high level of security and availability of the Telework infrastructure; and
- implement 2-factor authentication (2-FA) for remote connections to their systems – the authentication mechanism may be adapted (principle of proportionality), but robust dynamic 2-FA procedures (e.g. one-time password tokens) shall be required for access to critical activities.
Save for exceptional circumstances, the CSSF Circular will enter into force on 30 September 2021.
The CSSF will monitor its application within the first 12 months of its entry into force and will thereafter proceed with a review of the circular in order to address any potential abuse, shortcoming or deficiency.
For any questions, please contact your trusted advisor at Tiberghien Luxembourg or any of the authors of this publication.
Thomas Roberdeau – Counsel (firstname.lastname@example.org)
Andréas Molter – Associate (email@example.com)