Fintech 2026

LUXEMBOURG Law and Practice Contributed by: Andreas Heinzmann, Valerio Scollo and Angela Permunian, GSK Stockmann

The CSSF

The CSSF is the competent authority for the prudential supervision of credit institutions, professionals of the financial sector, alternative investment fund managers, undertakings for collective investment, authorised securitisation undertakings, regulated markets, payment institutions, electronic money institutions and other entities operating in the financial sector. In addition, the CSSF is also the competent authority to ensure that such supervised entities comply with the laws protecting financial consumers and with AML laws.

The CAA

The CAA is the competent supervisory authority for the insurance sector in Luxembourg, which mainly includes insurance undertakings, reinsurance undertakings, certain pension funds, insurance professionals and insurance intermediaries.

The CNDP

The National Commission for Data Protection (Commission Nationale pour la Protection des Données or CNDP) is the national authority for verifying the legality of the processing of personal data, and ensures the respect of personal freedoms and fundamental rights with regard to data protection and privacy. The CNDP is the supervisory authority for Regulation (EU) 2016/679 on data protection (the “General Data Protection Regulation” or GDPR).

European Regulators

In addition to national regulators, technical guidelines issued by the European Banking Authority (EBA), the European Securities Market Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) apply in Luxembourg. Significant credit institutions incorporated in Luxembourg are directly supervised by the European Central Bank (ECB).

2.7 No-Action Letters

The practice of issuing “no-action” letters does not currently exist in Luxembourg. The CSSF may provide guidance, FAQs and clarifications and may conduct public consultations on regulatory compliance in the financial sector; however, these are not typically referred to as “no-action” letters.

At European level, the EBA and ESMA do issue “no-action” letters from time to time, although these letters are intended to provide guidance to market participants and are not legally binding.

2.8 Outsourcing of Regulated Functions

Authorised financial institutions may outsource their activities subject to certain restrictions. Most importantly, strategic or core functions cannot be outsourced, and the institution needs to retain the necessary expertise to efficiently monitor such services and to manage the associated risks.

Outsourcing must comply with the detailed guidance outlined in CSSF Circular 22/806 published in April 2022. In addition, banks should take into consideration specific requirements set out in CSSF Circular 12/552, as amended.

Owing to the need to ensure the continuity of outsourced activities, certain provisions must be included in the relevant written contracts. Among others, outsourcing agreements must set out specific clauses relating to termination and the right of the entity to monitor the service provider’s performance on an ongoing basis. In addition, specific contractual clauses are required if an outsourced IT activity relies on a cloud computing infrastructure. Furthermore, DORA introduced new rules governing the outsourcing of functions to ICT service providers, ensuring that operations remain reliable and secure.

2.9 Gatekeeper Liability

The extent to which fintech providers may be deemed to be “gatekeepers” depends on the business model of the company. In general, fintech entities may be deemed liable for activities on their platforms in relation to AML obligations if the activities are within the scope of the AML Law. In addition, gatekeeper liability may come into question if the fintech entity is involved in a transaction that falls under the scope of Directive (EU) 2018/822 on mandatory automatic exchange of information (DAC 6) as a reportable cross-border transaction.

2.10 Significant Enforcement Actions

As the supervisory authority, the CSSF has broad powers to impose sanctions on entities subject to its
