Due to the COVID-19 pandemic and the restrictions on movement and contact with other people, the financial market had to adapt its method of working rapidly. During the pandemic, the CSSF allowed for a degree of flexibility and leniency. Although the world is still recovering from the effects of the pandemic, most financial institutions have adopted telework as the new normal. Staff have become accustomed to the flexibility and many CEOs were positively surprised at how smoothly the somewhat forced transition went.
Noticing this trend in the market, the Commission de Surveillance du Secteur Financier (the “CSSF”) took the initiative and decided to address potential abuse and other shortcomings or deficiencies of remote working and published a Circular with rules applying across the Luxembourg financial sector. The new rules will apply as of 1 July 2022.
The Circular provides the framework of governance and security requirements for supervised entities regarding the implementation and use of work processes based on telework solutions. It is addressed to all entities supervised by the CSSF, including their branches in Luxembourg or abroad. The aim of these requirements is to help the supervised entities adapt to the new work trends while maintaining prudent management and adequate governance and preserving information security, which is crucial for the sector and its clients.
The financial institutions concerned that wish to resort to remote working will therefore need to ensure that they have a dedicated policy in place by the end of June. No prior approval by the CSSF is required in order to implement, maintain or extend telework solutions for staff in a supervised entity.
What is telework?
Telework is defined in the Circular as “a form of organising and/or carrying out work, using information and communication technologies within the framework of an employment contract authorising work, which would ordinarily be carried out on the employer’s premises, to be performed outside the premises of the employer.”
As key points included in the definition of this concept, the CSSF clarifies that telework can be performed either on a regular or on an occasional basis and must be voluntary, always within the number of working hours settled between the supervised entity and the employee and at a predetermined place that is different from the employer’s premises. The employee will therefore need to indicate to their employer the precise address from which they intend to make use of this flexibility.
Furthermore, it is explained in the Circular that other forms of remote working such as, for example, during a business trip or when attending conferences or professional training, are not within scope.
The Circular stresses that the implementation of the telework regime should not jeopardise the regular operational functioning of a supervised entity, which should maintain, at all times, a robust central administration in Luxembourg and sufficient substance on its premises. This means ensuring the maintenance of the “decision making centre”, which must include sufficient staff with the necessary skills, knowledge and expertise as well as the technical and administrative infrastructure, to exercise the function or activity. Staff members are also required to be able to return to the supervised entity’s premises on short notice in case of need. This is an important factor to be taken into account when the employee chooses their remote working location. Stricter rules apply to authorised management and employees with key functions.
Internal organisation and internal control framework
The telework policy is the responsibility of the Board of Directors, which is charged with paying particular attention to risk management and identifying the inherent risks, such as operational, legal, Information and Communication Technology (ICT), compliance and reputational risks. The Board will also need to develop mitigating controls and measures to keep the residual risks within acceptable limits, according to the entity’s risk appetite.
Ongoing monitoring of the use of telework and compliance with the internal policy will become an additional point for the internal audit.
Compliance with other legal provisions
The CSSF clarifies that it is expected that supervised entities do not attempt to circumvent provisions of the Luxembourg Labour Code and take into account the relevant legal provisions, especially laws and regulations relating to tax (domestic, foreign and international), companies, professional secrecy, data protection and social security while implementing the telework policy. The local legislation will also need to be taken into account for any branches located outside the Grand Duchy.
New opportunities: how will the Circular impact employees and employers?
The flexibility that the Circular will continue to allow for shows the commitment of the CSSF and the Luxembourg financial sector to create a more efficient and attractive work ecosystem in Luxembourg, which is aligned with the current expectations of workers in the technological age in which we are living.
Many financial institutions have already put in place policies around remote working and will need to verify that they meet the standards of the CSSF. For businesses with a global footprint, it will be important to verify the local rules where staff may be employed by branches. Employees of supervised entities will be able to benefit from the flexibility of working from home, and the initiative can be considered a starting point for the adaptation of work policies to a more remote working scenario, which is likely to evolve swiftly in the coming years.