Luxembourg CSSF Publication of Guidance on Teleworking

On 9 April 2021, Luxembourg’s financial regulator, the Commission de Surveillance du Secteur Financier ("CSSF"), issued Circular 21/769¹ on teleworking.  It will enter into force on 30 September 2021 assuming working conditions have returned to normal.

Purpose and Scope

The circular clarifies the governance and security requirements applicable in the context of remote working and applies only in normal working conditions.  It will not apply in pandemic situations (e.g. during COVID-19) or under other exceptional circumstances which have a comparable impact on normal working conditions.

It applies to all entities supervised by the CSSF, e.g. credit institutions, alternative investment fund managers, investment firms, specialised and support PFS, etc. ("Supervised Entities").  It also applies to branches of Supervised Entities irrespective of whether such branches are located in Luxembourg or abroad, and provided remote working is permitted in those other jurisdictions; Luxembourg branches of entities originating outside of the European Economic Area ("EEA"); and Luxembourg branches of entities from a member country of the EEA, provided that remote working is permitted in such other EEA member state.

The CSSF also confirms that the circular does not create any precedence for employees to claim a right to remote working, and contractual relationships between Supervised Entities and their employees do not fall within the scope of the circular.  In addition, the CSSF points out that remote working arrangements must comply with the provisions of the Luxembourg Labour Code and must not contravene any mandatory public policy provisions.

Key Principles

Central Administration

Where remote working arrangements are implemented, they must not violate the requirement imposed on Supervised Entities to have a robust central administration in Luxembourg and sufficient substance at their premises.  As such, employees must be able to return to the Supervised Entities′ premises on short notice and the board of directors (or other governing body) of each Supervised Entity must define the extent to which remote working may be used. 

Internal Organisation and Internal Control Framework

Supervised Entities must perform a risk analysis to identify the risks inherent in remote working, and ensure that mitigating controls and measures are implemented.  The risk analysis and mitigation controls and measures must be documented and regularly reviewed.  In addition, Supervised Entitles must establish and implement a remote working policy (the "Policy") in order to set the framework and the limits under which remote working will be permitted.  They must also monitor and provide evidence of compliance with the Policy and the circular.

Furthermore, the internal control functions of Supervised Entities must review the Policy, process flows and compliance with applicable legal and regulatory requirements in their multi-year programmes.  These functions must include the following in their annual summary reports to CSSF:

1. any issues or findings related to their review;
2. any significant operational incidents in relation to remote working that occurred during the year; and
3. (short) statistics on the use of remote working.

ICT and Security

Supervised Entities must have regard to the principle of proportionality and the ICT and security measures set out in the circular when employees work remotely.  These measures include, without limitation, the implementation of a remote working security policy (or the inclusion of remote working related principles and rules within a general security policy), raising employee awareness with respect to risks and best practices, access rights, remote working infrastructure and security of connections.

CSSF Approval

The prior approval of the CSSF is not required in order to offer or implement remote working arrangements.  However, the CSSF will monitor compliance with the circular.

Print Ready Version

Further Information