Banking Regulation 2025

LUXEMBOURG Trends and Developments Contributed by: Baptiste Aubry, Carole Schmidt and Adam Obadia, A&O Shearman

these guidelines, which was further confirmed in the annual report for 2023. Digital transformation is also key to supporting ongoing transaction monitoring and identifica - tion of suspicious activities. In its white paper “Artificial Intelligence – Opportunities, risks and recommendations for the financial sector” of December 2018, the CSSF noted that AI had already been successfully used to assist with AML/CTF compliance tasks, enabling more effi - cient KYC checks and facilitating real-time fraud detection, among other things. The increasing reliance on AI tools by supervised entities for that purpose has been confirmed more recently in May 2023 in the report on “Thematic review on the use of Artificial Intelligence in the Lux - embourg Financial sector”. Despite these advancements, the CSSF has emphasised the importance of maintaining a balance between automation and human oversight, as completely relying on algorithms could introduce errors or biases. Risks associated with the reliance on third- party service providers Digitalisation often necessitates the use of third- party service providers. Following the issuance of the last EBA guidelines on outsourcing arrange - ments, the CSSF decided to overhaul the Lux - embourg outsourcing regime with the issuance of a new CSSF Circular 22/806 on outsourcing arrangements. Interestingly, the scope of appli - cation of the Luxembourg outsourcing regime is not limited to credit institutions, investment firms and payment institutions, but also extends to investment funds and their managers as well as specialised and support professionals in the financial sector (PFS). It therefore goes beyond the scope of application of the EBA guidelines, evidencing the willingness of the CSSF to ensure

a harmonisation of the rules applicable in that respect for all entities under its supervision. This CSSF Circular 22/806 provides rules appli - cable to any type of outsourcing arrangement but also specific rules in its part II for information and communication technology (ICT) outsourc - ing arrangements, which aim at addressing the risks associated with the increased use of exter - nal service providers. Considering these new specific rules as well as the specific form which has been issued by the CSSF on 17 February 2023 for financial institutions to notify critical or important ICT outsourcing arrangements, one of the key points of focus for the regulator is data governance and the protection of data used in the context of ICT outsourcing arrangements. To that effect, the CSSF expects, among oth - ers, that supervised entities ensure strong data encryption and implement secure data handling practices and adequately monitor their service providers to avoid data breaches (including through regular audits). The CSSF’s focus on third-party service pro - vider risks is also evidenced through the CSSF supervisory practice. As part of its “corporate governance” on-site inspections, the CSSF also reviews the proper governance of outsourced activities and functions. Common deficiencies identified during the regulator’s inspections in 2022 and 2023 pertain to: • prior identification of risks associated with outsourced activities and external services providers and, subsequently, lack of review of the risk assessments; • assessment of the criticality of the outsourc - ing; • reporting of information to the management bodies;

343 CHAMBERS.COM

Powered by