CSSF clarifies the regulatory requirements for remote working post COVID-19
The Luxembourg supervisory authority for the financial sector, the Commission de Surveillance du Secteur Financier (CSSF), has clarified the requirements to be fulfilled by Luxembourg management companies, AIFMs, investment firms and other financial service providers such as fund administrators (the Supervised Entities) when staff members (which includes employees, seconded staff and authorized management) are working remotely (telework) following the COVID-19 pandemic. Anticipating that remote working will be used more widely than before the outbreak of COVID-19, the CSSF has set out in circular 21/769 (the Circular)¹ the fundamental governance and security requirements that Supervised Entities are to comply with when allowing their staff members to regularly work remotely (telework).
The Circular does not apply in exceptional circumstances such as during pandemics or in situations that have a comparable impact on the general working conditions. Working remotely in specific situations, e.g. when traveling, also does not fall within the scope of the Circular. The Circular will become effective on September 30, 2021, giving Supervised Entities some time to prepare to comply with its requirements.
The Circular reiterates² that Supervised Entities must maintain a robust central administration and have sufficient substance in Luxembourg. When working remotely, the Supervised Entity must continue to act efficiently and ensure that all actions are secure.
If a Supervised Entity decides to permit remote working, it must establish a policy that sets out the circumstances under which such remote working is allowed (the Remote Working Policy). The Supervised Entity must also integrate the use of remote working into its risk management process and identify and monitor the operational risk, the information and communication technology (ICT)-related risks as well as the legal, compliance and reputational risks inherent in the use of remote working.
Staff members must be made aware of the Remote Working Policy and the risks and best practices associated with working remotely. Compliance and internal audit teams must review the adequacy of the Remote Working Policy and assess whether staff members are both aware of and comply with the requirements of the Remote Working Policy.
Supervised Entities - taking into account their size and organizational structure as well as the nature, scale and complexity of their activities - must determine which departments and functions may work remotely and put in place appropriate conditions and limits on such remote working.
Supervised Entities must be able to demonstrate at any time that the decision-making center remains at the head office and that the ongoing performance of critical activities is guaranteed. A disruption of the remote connection of a staff member carrying out a critical function when working remotely must not have a substantial impact on the capacity of the Supervised Entity to carry out its activities. In this context, the Remote Working Policy must set a maximum limit on the number of staff who may work remotely at any one time and set a maximum limit on the amount of working time an individual staff member is allowed to work remotely. When setting these limits, the Supervised Entity must ensure that during every business day at least one authorized or conducting person is on site at the head office and that a sufficient number of staff members carrying out key functions are at the premises of the Supervised Entity. Larger Supervised Entities may find it easier to fulfill these requirements than Supervised Entities with fewer staff members. In any case, staff members working remotely must be able to return to the head office on short notice should the need arise.
In addition to setting out rules on remote working and establishing the Remote Working Policy, the Supervised Entity's security policy must ensure that there are adequate rules and processes in place to protect the confidentiality, integrity and availability of data and ICT systems when staff members are working remotely. The Supervised Entity must keep control of the security of the devices used when connecting remotely. The Circular recommends using company-owned devices. Permitting the use of privately owned devices must be considered carefully and be assessed through a specific risk analysis. A set of security and non-security criteria and requirements must be put in place before a staff member working remotely is allowed to access the internal systems. Data in transit must be secured, and a two-factor authentication process (2-FA) must be implemented when connecting remotely. For critical activities the CSSF expects the Supervised Entity to have in place a strong 2-FA procedure with one of the factors being dynamic. Finally, the security of the communication chain must be subject to review by an independent security control function, which may be performed by the information security officer, the internal auditor or a specialist external third party.
The scope of the Circular is limited to regulatory requirements of remote working. Labor law requirements and the potential impact of remote working on the individual tax situation of staff members when living outside of Luxembourg will need to be assessed in addition to the requirements set out in the Circular.
No specific approval by the CSSF is required to implement or adjust to remote working. Supervised Entities should however check the extent to which the implementation of a remote working framework could materially impact the infrastructure of the Supervised Entity as approved by the CSSF.
Finally, it is important to note that remote working and the associated policies and procedures put in place to monitor such working arrangements will form part of the CSSF’s review of Supervised Entities when performing regular on-site visits.
Footnotes
1) The Circular is available here.
2) Please see CSSF Circular 18/698 of August 23, 2018 on authorization and organisation of investment fund managers incorporated under Luxembourg law; specific provisions on the fight against money laundering and terrorist financing applicable to investment fund managers and entities carrying out the activity of registrar agent; and CSSF Circular 20/757 of December 7, 2020 on central administration, internal governance and risk management, and repeal of Circular CSSF 12/552 for investment firms (as amended by Circulars CSSF 13/563, 14/597, 16/642, 16/647, 17/655 and 20/750) on central administration, internal governance and risk management.