Changes to Luxembourg professional secrecy regime

The professional secrecy regime applicable to Luxembourg credit institutions, investment firms and other professionals of the financial sector has been amended. The amended regime is good news for those regulated entities, as it eases intragroup co-operation for prudential purposes and defines clear rules for transmitting client data in the context of outsourcing arrangements. Similar changes also apply to payment institutions, e-money institutions and regulated entities in the insurance/reinsurance sector.

Easing of intragroup co-operation for prudential purposes

An existing exemption relating to the communication of client data to qualified shareholders by credit institutions, investment firms and other professionals of the financial sector (together, the Regulated Entities) is expanded in two ways:

  • The communication of client data to qualified shareholders is no longer allowed only when it is strictly necessary for the sound and prudent management of the Regulated Entity. Now such communication is also possible for the purpose of risk assessment on a consolidated basis or the calculation of prudential ratios on a consolidated basis.
  • Client data may now also include information on the assets held by the clients (such as deposits).

Outsourcing arrangements

There was already a professional secrecy exemption where client data is transmitted to Luxembourg credit institutions and support professionals of the financial sector in the context of a service agreement. The scope of this exemption has been extended to encompass the communication of client data, in the context of a service agreement, to any person established in Luxembourg who:

  • is subject to the prudential supervision of the Commission de Surveillance du Secteur Financier, the European Central Bank or the Commissariat aux Assurances; and
  • is bound by a criminally sanctioned professional secrecy obligation.

For all other outsourcing arrangements which do not fall within the scope of the amended exemption, a new exemption applies to the communication of client data to a service provider where:

  • the client has accepted, in accordance with the law or under the information arrangement agreed with the Regulated Entity, the outsourcing of services, the type of information to be transmitted in the framework of the outsourcing and the country of establishment of the service provider; and
  • the service provider, having access to client data, is subject by law to a professional secrecy obligation or is bound by a confidentiality agreement.

This new exemption applies irrespective of whether the service provider belongs to the same group and irrespective of the jurisdiction in which it is established (in Luxembourg, in the EU or outside the EU). The Regulated Entity must, however, comply with applicable data protection legislation.

Note that there are also new organisational requirements with which Regulated Entities must comply when entering into an outsourcing arrangement. No similar new organisational requirements have been introduced for payment institutions and e-money institutions.

Insurance and reinsurance sector

Similar changes relating to intragroup data transfers and outsourcing arrangements have been made for the insurance sector.

Further information

This article is part of the Allen & Overy Legal & Regulatory Risk Note, a quarterly publication.  For more information please contact Karen Birch –, or tel +44 20 3088 3710.