Teleworking in the financial sector

In April 2021, the CSSF released Circular 21/769 ('the Circular'), which sets out guidance on the organisation of telework in supervised entities. It must be implemented by 30 September 2021 (or later, if pandemic-related measures are still in force at that date).

Scope

The Circular applies to:

  • all supervised entities, including their branches in Luxembourg or abroad;
  • Luxembourg branches of non-EU entities;
  • Luxembourg branches of EU entities in case telework is authorised in their home country.

Definition

To qualify as telework in the meaning of the Circular, the following criteria shall be met:

  • work is performed by means of information and communication technologies with prior approval from the employer; and
  • work is performed on a regular or occasional and voluntary basis, within defined working hours and at a predetermined place different from the employer’s premises.

As a consequence of the above, working remotely on occasions such as a business trip, while attending a conference, etc. does not fall within the scope of the Circular.

Main principles

  • The Board of Directors (or equivalent representative body as the case may be) is responsible for the organisation of telework and shall take into account the size and organisation of the entity as well as the nature, scale and complexity of its activities;
  • sufficient substance in the premises shall be maintained at all times;
  • confidentiality, integrity and availability of the entity’s data and information systems shall be protected at all times when teleworking;
  • staff members shall be able to return to the premises on short notice in case of need (the same applies to staff working in branches outside Luxembourg);
  • the entity shall perform a risk analysis in order to identify the inherent risks in implementing telework and shall ensure the implementation of the necessary mitigating controls and measures;
  • the ongoing performance of critical activities shall be guaranteed at all times and shall not be jeopardised by teleworking (e.g. by a connection disruption);
  • key functions shall be represented every day in the premises;
  • at least one authorised manager shall be in the premises at all times;
  • a record shall be maintained, containing names, function and department of each staff member teleworking.

What to include in the policy

  • number of staff who may telework at the same time;
  • working hours within which teleworking is allowed;
  • locations from which staff members are allowed to telework;
  • business units that may use telework, and the activities or functions that may be performed via telework;
  • functions or activities that shall always be performed on site;
  • control procedures to monitor the proper execution of the work performed via telework;
  • minimum number of physical meetings that shall be held at the head office in Luxembourg;
  • measures to mitigate the risks inherent to telework;
  • an operational framework enabling the authorised management to monitor the number of staff actually working on site and remotely.

The policy shall be reviewed every year on the basis of the updated risk analysis and, inter alia, lessons learned and emerging threats such as cybercrime.

Such reviews shall be carried out by the Board of Directors (or equivalent representative body, as the case may be) and by the internal control functions.