Twenty years is a significant milestone in everyone’s life and specifically in the life of support Professional of Financial Sector (PFS) companies. On August 2, 2003, the law of April 5, 1993, relating to the financial sector, was supplemented, among other things, by introducing new statuses for service providers carrying out activities related or complementary to the financial sector. These statutes included customer communication agents, administrative agents, and IT systems and communication network operators (i.e., articles 29-1, 29-2, and 29-3). This profound change opened a new era for financial service companies in Luxembourg.
This newly created situation allowed the financial sector to outsource some of its non-core activities to experienced professionals supervised by the CSSF. This unique situation worldwide took into account the professional secrecy obligations in Luxembourg. It also considered implementing strict processes to deliver quality services while ensuring the sustainability of banking professions under regulators’ demanding oversight.
This new framework also allowed Luxembourg service providers to enhance their skills in services provided to banks and other actors in the financial sector.
Introducing an internal audit framework and additional external audits specific to support PFSs also allowed them to enhance their skills in their internal organizations and operations. The entire local Luxembourg ecosystem grew thanks to this profound change. However, this new framework failed to enable Luxembourg companies to export this value beyond our borders. I will come back to this point.
It is also essential to notice that this framework has only sometimes been well understood or utilized by all support PFS actors and their clients under the most favorable conditions.
The situation remained generally stable until 2017, and the paradigm shift brought about by Bill of Law 7024 proposing specific updates to Article 41 on the obligation of professional secrecy.
Indeed, the world has undergone significant changes over nearly 15 years. Additionally, Luxembourg was subject to considerable international pressure regarding the lack of transparency of information and financial data held by banks in Luxembourg. Undoubtedly, the government of the time had to find a solution. These proposed updates had the effect of an earthquake on the local market and generated numerous heated reactions. Since then, market players have reacted and adapted.
This period was also an eye-opener for support PFSs. It was time to reflect and reassess.
In this regard, FTL surveyed its members to understand their sentiments regarding the status and desirable evolutions, considering all possibilities. During this same period, under the proposal of the Minister of Finance, Pierre Gramegna, via the High Committee for the Financial Place, our association was encouraged to propose avenues for modernizing the status.
Based on our survey and the responses of our members, FTL created four working groups:
- Global strategy to reflect on support PFSs’ strategic vision and positioning.
- Demystification: explaining the philosophy and values behind support PFSs.
- Mutualization: identifying which services can be mutualized by financial institutions and what responses we can provide.
- Status mapping: analyzing and comparing existing authorizations and standards. How can support PFS workload be reduced? How can we align with these standards and enhance the value of this status abroad?
These past four years have seen the emergence of new requirements from the EBA (European Banking Authority) on several fundamental points: cloud computing, IT and cybersecurity risk management, and outsourcing. CSSF implemented these new requirements through circulars 17/654, 20/750, and 22/806.
Indirectly, we find some key elements that were at the basis of the creation of support PFSs and their supervision. Does this mean Luxembourg was 15 years ahead? In any case, the paths of European regulation and Luxembourg now intersect and converge.
Let’s go back to the working groups: after the initial meetings, we realized that it was necessary to prioritize the study of status mapping before moving forward. Indeed, without market awareness abroad of our obligations related to the CSSF circulars, exporting our skills and expertise is, at the very least, challenging.
After analysis within the working groups, we chose to transcribe Circular 20/750 concerning IT and cybersecurity risk management into an ISAE 3000 framework. This approach allows for more effective control of regulatory requirements while ensuring deliverables that can be shared with our clients. KPMG helped us complete this work after being selected via an RFI/RFP process. It is now essential for our members that the CSSF and all auditors accompany us in this process. This support is a crucial expectation of our members.
There are still many topics to be addressed as regulations increase. DORA is coming soon… And the other working groups will resume their service.
FTL takes this anniversary as an opportunity to thank its members again for their active participation in the association’s activities.
FTL also wishes to thank the Ministry of Finance, represented by Minister Yuriko Backes and her team, and the CSSF for their attentive ears to market feedback and for promoting an acceleration of the reform of support PFSs, which is necessary for the sector’s future.
It is also essential for the Board of Directors of Finance & Technology Luxembourg to highlight all the work provided by support PSFs over the past 20 years to ensure the sustainability of financial services in the industry.
For now, FTL wishes a happy anniversary to support PFSs and another 20 years of high-value-added service to clients.