Marc Mouton in a portrait taken for Delano by Mike Zenari
Could thousands of IT jobs be at risk if draft law 7024 increases the ability of financial sector firms to outsource? Or does this just bring the law into line with on-going practice?
Financial sector trade unions have predicted law 7024 could cause as many as 5,000 or even 13,000 jobs to be lost. Thierry Seignert, president of the IT employers’ organisation Finance & Technology Luxembourg, called the move “premature and risky”. Worrying comments, but do they match with reality?
“The provisions of draft law 7024 regarding outsourcing are not entirely new,” said Marc Mouton, a partner with the law firm Arendt & Medernach. “Already in 2003, the CSSF [Luxembourg’s financial regulator] published analysis according to which data may be transferred to third parties if there is customer consent, so this change is largely about the law catching up with reality,” he added.
He was not in a position to make a guess about the impact of this change other than to challenge talk of a revolution.
Opening up competition
Draft law 7024 features a range of measures around reforming professional secrecy rules, with this including novelties regarding IT outsourcing. Firstly, data could be transferred to almost any regulated financial entity in Luxembourg in the context of a service agreement, not just to the support Financial Sector Professional firms, as specified in the 2003 IT outsourcing law, or to banks.
However, the main changes regard the ability to transfer customer data in the context of outsourcing arrangements, either inside the same financial group or to a third party. Whilst for intra-group outsourcing schemes, the prior information of clients would be sufficient, the consent of clients would need to be sought where third-party service providers are used.
In both cases, there would have to be legal or contractual safeguards against data being used for other purposes by the recipients of the customer data.
This change is not as radical as it might appear, Mouton argued. “We are only talking about reducing professional secrecy restrictions here, whilst data protection and regulatory requirements will still remain in force and continue to apply to outsourcing arrangements.” He believes the latter will remain a significant constraint on full-blown outsourcing.
Businesses will need sufficient experts in Luxembourg to reassure the CSSF that there is a sufficient level of IT governance, that crisis management procedures are workable, and that outsourced processes are being properly monitored.
Financial businesses have been seeking this legal certainty for some time, arguing that Luxembourg risks making itself uncompetitive if it persists with a stance that some see as protectionist. Better to risk losing some jobs to help preserve the majority, goes the argument. Moreover, there is a lack of skilled IT staff in the country.
Some see the potential for a net win if others follow the likes of the banks Pictet and Julius Baer, which manage their group data from Luxembourg.
There are currently around 5,000 people working for support PFS firms, so it would seem unlikely that all these jobs would disappear even in the most extreme scenario. Mouton sees no rush to outsource on the back of this reform, but nor is it likely that this change will have no effect. But with several banks struggling to be profitable, it is a risk the government is willing to take.