Fintech 2025

LUXEMBOURG Law and Practice Contributed by: Andreas Heinzmann, Valerio Scollo and Angela Permunian, GSK Stockmann

that such supervised entities comply with the laws protecting financial consumers and with anti-money laundering laws.

The CAA

The CAA is the competent supervisory authority for the insurance sector in Luxembourg, which includes mainly insurance undertakings, reinsurance undertakings, certain pension funds, insurance professionals and insurance intermediaries.

The CNDP

The National Commission for Data Protection (Commission Nationale pour la Protection des Données or CNDP) is the national authority that verifies the legality of the processing of personal data and ensures respect for personal freedoms and fundamental rights with regard to data protection and privacy. The CNDP is the supervisory authority for Regulation (EU) 2016/679 on data protection (GDPR).

European Regulators

In addition to national regulators, technical guidelines issued by the European Banking Authority (EBA), the European Securities Market Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) apply in Luxembourg. Significant credit institutions incorporated in Luxembourg are directly supervised by the European Central Bank (ECB).

2.7 No-Action Letters

The practice of issuing “no-action” letters does not currently exist in Luxembourg. The CSSF may provide guidance, FAQs and clarifications and conduct public consultations on regulatory compliance in the financial sector; however, these are not typically referred to as “no-action” letters.

At European level, the European Banking Authority (EBA) and ESMA do issue “no-action” letters from time to time, although these letters are intended to provide guidance to market participants and are not legally binding.

2.8 Outsourcing of Regulated Functions

Authorised financial institutions may outsource their activities subject to certain restrictions. Most importantly, strategic or core functions cannot be outsourced, and the institution needs to retain the necessary expertise to efficiently monitor such services and to manage the associated risks.

Outsourcing must comply with the detailed guidance outlined in CSSF Circular 22/806, published in April 2022. In addition, banks should take into consideration the specific requirements set out in CSSF Circular 12/552, as amended.

Due to the need to ensure the continuity of outsourced activities, certain provisions must be included in the relevant written contracts. Among others, outsourcing agreements must set out specific clauses relating to termination and to the right of the entity to monitor the service provider’s performance on an ongoing basis. In addition, specific contractual clauses are required where an outsourced IT activity relies on a cloud computing infrastructure. Furthermore, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) introduced new rules governing the outsourcing of functions to ICT service providers, ensuring that operations remain reliable and secure.

2.9 Gatekeeper Liability

The extent to which fintech providers may be deemed to be “gatekeepers” depends on the business model of the company. In general, fintech entities may be deemed liable for activities
