Few doubt the pandemic has changed for good the lives of the nearly half of the Luxembourg workforce who are able to work from home. The financial services regulator has now clarified its rules on governance, substance and security requirements for remote working.
The ‘Governance and security requirements for supervised entities performing tasks or activities through telework’ are detailed in CSSF Circular 21/769, published on 9 April 2021. In other words, this is about ensuring that systems are in place so that businesses run as they should and data stays safe, even when managers and staff are working remotely.
Governance and IT best practice
‘It’s a question of substance,’ said Cécile Liégeois, regulatory & audit partner at PwC Luxembourg. ‘In terms of governance, it’s about ensuring that the necessary managers and function holders for key activities are in place and are accessible, and that the organisation has the right level of substance every day.’ This reference to substance is in relation to governance procedures and not to tax considerations.
‘It is very complete regarding what companies can do and cannot do,’ said Koen Maris, cyber-security leader also at PwC Luxembourg. ‘Yet the question I ask myself is “shouldn’t companies be doing this already?” Because apart from a few aspects, I didn’t see anything much that was not obvious that you should be doing anyway when facilitating remote work.’
Be seen to do the right thing
In short, it is not a revolutionary regulation, but more an assertion of best practice. ‘No approval by the CSSF is required in order to implement, maintain or extend telework solutions,’ says the circular. Yet the steps need to be thought through, appropriate measures put in place and the procedures well documented. The circular also specifies that it does not apply to business trips, client visits, conferences, professional training and so on. Connections from the employer’s premises to systems not hosted at the employer’s offices are not in scope either.
There are no specific rules around cross-border processes beyond the usual good governance practices that should already be in place. Thus if an employee can show they have sufficient remote access to perform their functions, even from abroad, this is permitted.
Thus the circular asks that ‘supervised entities are required to maintain at all times a robust central administration in Luxembourg…to allow them to deal with emergencies and other time-critical issues in due time’. For Liégeois this means: ‘for the board of directors there needs to be a policy detailing the controls put in place, ensuring that standard compliance procedures are maintained. This is a question of policies and procedures that detail the modus operandi of teleworking. There are also data protection considerations, both in terms of security around the information and the question of behaviour.’
Additional awareness
On the measures related to ICT links, ‘I think the good thing is it creates an additional layer of awareness,’ said Maris. However, he is concerned that some of these aspects were relatively obvious and should have been done already if one were following best practice.
For example, he notes: ‘they give clear advice on the use of virtual desktop infrastructure (VDI), that means that if you connect with your own PC, you must connect to infrastructure which is fully controlled by the organisation. It won’t allow you to print locally, it will not allow you to transfer files from your device to the VDI environment, and vice versa.’ Use of workers’ own devices is tolerated only for low-risk activities. The circular discourages storing data on such devices at all; where data is stored, it should be encrypted, ideally with two-factor authentication adding to security.
Could the CSSF have gone further? ‘They could have discussed more what the ideal setup must be, such as with an example architecture that would fit any organisation. Some things are a little open for interpretation,’ Maris said. But he understands the motivation was to not add to regulatory burden unnecessarily.
‘In terms of sanctions, there are no specific add-ons,’ Liégeois said. This means the working-from-home rules are now part of the overall audit process and just another factor contributing to general compliance on which the CSSF takes a view. The circular enters into force on 30 September 2021, and will be reviewed at the latest 12 months after its entry into force to address potential abuses or any other shortcomings.