​Standing in between provisions implementing the Multi-Interchange Regulation¹ and other reformatting and errata regarding various Luxembourg laws of the financial sector, article 14 of the bill of law n°7024² (the Bill of Law 7024) brings substantial changes to the existing provisions of article 41 of the Luxembourg act of 5 April 1993 on the financial sector, as amended (the Banking Act 1993), setting out the scope of the professional secrecy obligation bearing on credit institutions and other professionals of the financial sector (PFS and together with credit institutions, professionals of the financial sector) established in the Grand Duchy of Luxembourg (Luxembourg)³.

While the principles and scope remain unchanged, new exceptions are introduced and others are extended.

The Bill of Law 7024 aims at taking into consideration the recent evolutions, be they technological (Fintech, etc.) or related to new requirements in terms of intragroup governance and control. Thus, the amendments to article 41 purport to facilitate intragroup co-operation, outsourcing arrangements and the management of the risks associated with it.

Four salient features emerge from this amended version of article 41: (1) the former existing exception under article 41(5) has been adapted and extended to allow communication of confidential information to any professional of the financial sector or insurance professional⁴ acting as service provider of another professional of the financial sector, (2) intragroup outsourcing arrangements now clearly benefit from an exception as regards professional secrecy, (3) conditions for communication of confidential information in extra-group outsourcing arrangements are now legally foreseen and (4) intragroup co-operation is facilitated in the framework and for the purpose of a sound and prudent management of Luxembourg professionals of the financial sector.

Although this goes without saying, it is also worth noting that Article 41 will now expressly specify that the professional secrecy obligation applies to Luxembourg entities subject to the direct supervision of the European Central Bank (ECB) and is extended to professionals of the financial sector subject to reorganisation measures, resolution measures, liquidation or bankruptcy and any person employed, designated or appointed in the context of such procedures as well as any person assisting these natural or legal persons.

The new flexibility offered in the amended version of article 41 of the Banking Act 1993 is without prejudice to the conditions stemming from the regime applicable under the Luxembourg act of 2 August 2002 on the protection of personal data, as amended.

The Bill of Law 7024 is still subject to comments from various public and institutional bodies, notably the Conseil d’Etat, and its content may still evolve accordingly.

1. Extension of the scope of article 51(5) exception

In the current version of the Banking Act 1993, article 41(5) provides that “the obligation to secrecy does not cover credit institutions and support PFS where the information communicated to those professionals is provided under an agreement for the provision of services.”

Article 41(5) was inserted into the Banking Act 1993 in 2003 by the Luxembourg act of 2 August 2003. The purpose of this exception was to allow professionals of the financial sector to outsource certain of their activities/functions entailing access to confidential information to certain specific regulated service providers (the support PFS, created under the same act) subject to the same professional secrecy obligations as them. This article was further amended in July 2007 by the MiFID act⁵ so as to include credit institutions as entities to whom information covered by professional secrecy could be provided in the context of outsourcing arrangements.

Pursuant to the Bill of Law 7024, article 41(5) will be deleted and replaced by a new article 41(2a)⁶. The new article 41(2a) contains the same exception provided for in article 41(5) and extends its scope by allowing access to confidential data to any professional of the financial sector or insurance professional established in Luxembourg and under the supervision of the CSSF⁷, the ECB or the CAA⁸ acting as service provider under an outsourcing arrangement. This means that the exception to professional secrecy that is currently in place under article 41(5) of the Banking Act 1993 (currently applying only vis-à-vis support PFS and credit institutions) will now apply vis-à-vis any professional of the financial sector or insurance professional.

The Luxembourg legislator, however, goes one step further in providing additional flexibility to outsourcing arrangements.

2. New flexibility in intragroup outsourcing arrangements

In addition to the extension of the existing article 41(5) exception, the proposed new article 41(2a) will now provide for a new exception to the professional secrecy obligation bearing on professionals of the financial sector, in order to ease the implementation of intragroup outsourcing strategies.

Professionals of the financial sector in Luxembourg will be able to outsource certain of their activities/functions involving the communication of confidential information to intragroup entities as the professional secrecy obligation will no longer exist in relation to these intragroup entities.

Such exception is however subject to the following conditions:

• the service provider must be an entity belonging to the same group to which the Luxembourg professional of the financial sector (subject to the professional secrecy obligation) belongs; and

• the service(s) to be provided must be entirely outsourced within the group; and

• the person protected by professional secrecy (that is, the client) must have received prior written information on the outsourcing, the type of information communicated in the framework of the outsourcing and the country of establishment of those group entities; and

• the group entities having access to confidential information must be subject by law to a professional secrecy obligation or be bound by a confidentiality agreement entered into by the relevant group entity and the Luxembourg professional of the financial sector.

Subject to compliance with the above conditions, sub-delegation of outsourced services will also benefit from the exception set out in article 41(2a) of the Banking Act 1993.

3. More legal certainty around the client's waiver

Currently, in situations where article 41(5) of the Banking Act 1993 is not applicable, the CSSF Circular 12/552⁹ provides that confidential information may be transferred to a third-party service provider to the extent that the transferee has obtained the explicit consent of the person protected (that is, the client) on the basis of an informed decision on the purpose of this outsourcing, its specific nature and final goal, the content of the information provided, and the recipient and location as well as the sustainability of the outsourcing¹⁰.

The second sub-paragraph of article 41(2a) of the Bill of Law 7024 now legally establishes that, in any cases other than those foreseen in the first sub-paragraph of article 41(2a) (that is, in situations other than intragroup outsourcing or outsourcing with professionals of the financial sector or insurance professionals established in Luxembourg), the professional secrecy obligation does not exist towards extra-group service providers if the following requirements are complied with:

• the protected person has given its prior written consent to the outsourcing of the relevant services, the type of information communicated in the framework of the outsourcing and the country of establishment of the outsourcee; and

• the outsourcee having access to confidential information must be subject by law to a professional secrecy obligation or be bound by a confidentiality agreement entered into by the outsourcee and the Luxembourg professional of the financial sector.

As it is foreseen under CSSF Circular 12/552, confidentiality must still be guaranteed at all times in outsourcing arrangements, however the new article 41(2a), third sub-paragraph, gives more legal certainty for professionals of the financial sector when relying on the client consent (instruction) to transfer confidential data to third parties in the context of outsourcing arrangements.

4. Easing of intragroup cooperation for prudential purposes

The new paragraph (4) of article 41 in the Bill of Law 7024 finally grants more flexibility for qualified shareholders of a Luxembourg professional of the financial sector, facilitating the intragroup co-operation for prudential purposes.

The new article 41(4), first sub-paragraph, relating to the communication of confidential information to qualified shareholders extends the exception to professional secrecy in two ways:

•it provides that the professional secrecy obligation does not exist as regards the communication of confidential information to the shareholders which is strictly necessary not only for the sound and prudent management of a Luxembourg professional of the financial sector but also for the risk assessment on a consolidated basis or the calculation of prudential ratios on a consolidated basis; and

•it removes the prohibition to disclose information on the assets held by the clients¹¹ (such as deposits) to qualified shareholders in this context.

The second sub-paragraph of article 41(4) of the Banking Act 1993 regarding the disclosure of information to the group’s internal control bodies to manage legal risks and reputational risks linked to money laundering or terrorism financing substantially remains unchanged.

1. Regulation (EU) N° 2015/751 relating to multi-interchange fees for payment transactions linked to credit cards.
 2. Deposited with the Luxembourg parliament by the Ministry of Finance on 29 July 2016.
 3. It is however interesting to note that the Bill of Law 7024 does not amend the equivalent provision in the law of 10 November 2009 on payment services and on the activity of electronic money institutions which applies to e-money institutions and payment institutions (Article 30).
 4. The Bill of Law 7024 refers to persons subject to the supervision of the Commissariat aux assurances.
 5. The Luxembourg act of 13 July 2007 on market in financial instruments, as amended.
 6. Article 41(2bis) in the French version of the Bill of Law 7024).
 7. The Commission de surveillance du secteur financier.
 8. The Commissariat aux assurances.
 9. CSSF Circular 12/552 on central administration, internal governance and risk management, as amended.
 10. Section 7.4.1 of the CSSF Circular 12/552, point 182.
 11. Except if the client was itself a professional of the financial sector, in which case disclosure of information on clients' assets was already possible.