New rules on professional secrecy facilitating outsourcing

The Law of 27 February 2018 on interchange fees and amending several laws relating to financial services was published on 1 March 2018. It modifies, among other things, the rules governing professional secrecy laid down by article 41 of the Law of 5 April 1993 on the financial sector.

As a reminder, the professional secrecy obligation requires credit institutions and other professionals of the financial sector to keep secret any information confided to them in the context of their professional activities.

Outsourcing arrangements, which can lead to the disclosure of confidential information, can potentially entail a breach of the professional secrecy obligation. In order to facilitate outsourcing inside a same group or to external service providers, the Law of 27 February 2018 extends the scope of existing exceptions to professional secrecy and introduces new ones.

As a result, client data may now be transferred to a service provider acting under an outsourcing arrangement and that is (i) established in Luxembourg, (ii) supervised by the CSSF, the European Central Bank (“ECB”) or the Commissariat aux Assurances (“CAA”), and (iii) bound by a criminally- sanctioned professional secrecy obligation.

When an outsourcing arrangement does not fall within the scope of the above-mentioned exemption, the Law of 27 February 2018 provides that the professional secrecy obligation does not exist towards a service provider where: (i) the client has agreed, in accordance with the law or the contractual conditions agreed between the parties, to the outsourcing of services, the type of information to be disclosed in the context of such an outsourcing, and the country of establishment of the service provider. (ii) Moreover, the service provider, having access to confidential information, must be subject by law to a professional secrecy obligation or be bound by a confidentiality agreement.