On 9 April 2021, the CSSF published Circular CSSF 21/769 regarding governance and security requirements for Supervised Entities (as defined below) to perform tasks or activities through Telework (as defined below) (“Circular 21/769”).
Scope of Circular 21/769
Following the significant increase in Teleworking over the past year in Luxembourg (the number of resident teleworkers in Luxembourg doubled from 3 to 6.1%. Source: STATEC) and the observation that telework is here to stay, the CSSF has come up with detailed governance and security requirements in relation to Teleworking in Supervised Entities. The resulting Circular 21/769 applies under general working conditions but does not apply in case of a pandemic (for example COVID-19) or in other exceptional circumstances similarly impacting general working conditions (“Exceptional Circumstances”).
Circular 21/769 focuses on financial sector regulatory requirements, while contractual relations between Supervised Entities and their employees remain out of its scope. Furthermore, the CSSF stresses that Circular 21/769 does not create any entitlements or precedence for employees and other personnel of Supervised Entities to claim a right to telework and emphasises that the use of Teleworking shall not contravene mandatory public policy and shall comply with Luxembourg Labour Code provisions.
Who is concerned?
Circular 21/769 introduces Telework-related governance and security requirements for a wide range of professionals of the Luxembourg financial sector, including credit institutions, alternative investment funds managers licensed under the law of 12 July 2013, investment funds, authorized securitization undertakings, payment and electronic money institutions, as well as any other entity supervised by the CSSF.
More specifically, it applies to the following entities:
all entities supervised by the CSSF (“Supervised Entities”), including their branches in Luxembourg or abroad, to the extent that Telework is authorised in the countries where the branches are established and they comply with national regulations;
Luxembourg branches of entities originating from outside the European Economic Area (“EEA”); and/or
Luxembourg branches of entities originating from a Member State of the EEA, which may also use Telework in accordance with the requirements provided for in Circular 21/769, as long as teleworking is authorised in their home country and they comply with all national rules and regulations applicable in the Home Member State.
What exactly is considered to be “Telework”?
“Telework” in the context of Circular 21/769 is the organisation of work based on information and communication technology (ICT) tools. It requires the employer’s prior approval and it must be performed on either regular or an occasional and, in each case, voluntary basis within the defined working hours at a predetermined place, different from the employer’s premises. Supervised Entities shall have rules in place to define from where Telework is allowed.
No approval by the CSSF is required in order to implement, maintain or extend Telework solutions for staff in a Supervised Entity.
Main governance and security requirements for Supervised Entities as set out in Circular 21/769
Circular 21/769 provides governance and security requirements to be followed when implementing Telework for employees of Supervised Entities. These requirements can be summarized in prudent management, proper organisation and preservation of information security:
Robust central administration: Supervised Entities, when resorting to Telework, are required to maintain, at all times a robust central administration in Luxembourg and sufficient substance at their premises. A robust central administration consists of a "decision-making centre" and an "administrative centre" equipped with sufficient and skilled personnel as well as with the technical and administrative infrastructure required to exercise a Supervised Entity’s activity. In order to comply with this requirement, staff members working remotely shall be able to return to the Supervised Entity’s premises on short notice in case of need. The board of directors or any other body representing the Supervised Entity should assess to what extent Teleworking can be used without compromising the above requirements.
Internal organisation framework: Supervised Entities are required to perform a risk analysis to identify risks arising in the context of Teleworking and implement all necessary mitigating controls and measures. Risk identification and mitigation measures should be adequately formalised and regularly reviewed. The board of directors or any other body representing the Supervised Entity shall define a telework policy determining which activities can be performed remotely and which shall always be performed on site, the minimum number of employees required to work at the same time at the entity’s premises in Luxembourg, tele-working hours, control procedures, minimum physical meetings as well as measures to be taken in order to ensure that risks remain contained, including compliance with confidentiality and data protection regulations. The telework policy shall be reviewed annually based on the updated risk analysis.
Internal control framework and reporting requirements: Internal control functions shall include the review of the telework policy, process flows and compliance with legal and regulatory requirements in their respective pluri-annual work program and report any issues or findings to the CSSF in their respective annual summary reports, along with any significant operational incidents that might have occurred and short statistics on the use of Telework during the year.
Requirements related to ICT and security risks: Finally, Circular 21/769 imposes a number of security measures to be implemented by the Supervised Entities, in a proportionate manner, in order to ensure confidentiality, integrity and availability of entities’ data and information and ICT systems. Thus, Supervised Entities are required inter alia to include in their security policy high level principles applicable to Teleworking, raise awareness on Teleworking-related risks, align access rights with their risk assessment and telework security policy, keep control over the security of the devices used by the staff working remotely and maintain a high level of security and availability of the Telework infrastructure.
The CSSF will monitor compliance with Circular 21/769, which will enter into force on 30 September 2021, safe Exceptional Circumstances.