CSSF Circular 13/554 for banks and PSFs - 11/01/2013



Updated rules on the usage and control of certain IT tools

On 7 January 2013, the CSSF issued Circular 13/554 entitled "Evolution of the usage and control of the resources access tools". IT tools in scope of the circular are those allowing companies to manage access rights to the IT resources connected to their network and/or to centrally register and administer most of those resources (user accounts, printers, computers, services, etc.).

The circular applies immediately to credit institutions and other professionals of the financial sector (PSFs). Its objectives are:

  • To recognise that certain international financial institutions consolidate IT resources access tools at a Group level (e.g. shared Windows Active Directory), and
  • To reaffirm that banks and PSFs in Luxembourg must have full and permanent control over the IT resources under their responsibility.

Thus, Circular 13/554 describes in detail the requirements to be observed when banks and PSFs use the global resources access tools of their Parent Group. In this case, banks and PSFs in Luxembourg must:

  1. Submit a formal and detailed authorisation request to the CSSF,
  2. Implement certain organisational and technical controls, and
  3. Conduct yearly audits to verify the operating effectiveness of those controls.

Those high-level requirements are further detailed below.  

Common questions and concerns

  • Which controls are required to ensure CSSF compliance?
  • Are we sufficiently isolated as a segment of our parent group's resources access tool?
  • Is our “Approved AT policy” documentation sufficiently detailed?
  • What set-up can we use to ensure the configuration of our IT resources remains aligned with locally approved policy?
  • Do we have the right safeguards to meet current compliance regulations?

How can Deloitte help?

Deloitte assists organisations in addressing the compliance of existing (or projected) global “resources access tools” implementations through in-depth analysis of the IT regulatory issues and by proposing pragmatic technical and organisational solutions:

  • Compliance analysis: gap analysis of existing (or projected) global “resources access tools” implementations against regulatory requirements
  • Practical recommendations to achieve and sustain IT compliance
  • Assistance in communications with the Regulator: preparation or quality review of CSSF application files and participation in meetings with the Regulator
  • Yearly audits to verify that the preventive controls associated with the implementation operate effectively (i.e. at technical and organisational levels, including all documentation)

Summary of the requirements introduced by Circular 13/554

High level requirements and summary of requirements

1. Submit a formal and detailed authorisation request to the CSSF

The authorisation request document needs to demonstrate that the obligation of permanent and full control by the entity over the resources under its responsibility, and over the corresponding accesses to these resources, is always fulfilled.

2. Implement certain organisational and technical controls

In order to achieve full and permanent control over the IT resources under their responsibility, banks and PSFs are required to:

  • Isolate the Luxembourg entity as a “segment” of the access tool (e.g. a dedicated Active Directory domain for the Luxembourg entity)
  • Enforce a policy management procedure whereby the bank or PSF approves and continuously controls the access tool policy enforced in its “segment” of the access tool
  • Implement a software tool that automates preventive controls over policy changes
  • Plan for corrective controls that identify any unauthorised access or policy change that may have occurred while the solution enforcing the preventive controls was unavailable
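The last bullet is the one that most often lacks a concrete implementation: a detective check that can be run after an outage of the preventive-control tool to find policy changes the tool did not see. The PowerShell below is an added example, not code from the circular, from the CSSF or from Deloitte. It assumes the Luxembourg segment is a dedicated Active Directory domain (the hypothetical name lux.example.com), that the GroupPolicy RSAT module is installed, that the account running it can read the segment's GPOs, and that the baseline file path and the two function names are the author's own choices. It snapshots the segment's Group Policy Objects at the moment the local policy management procedure approves them, then compares the live state against that snapshot and reports GPOs that were added, deleted or changed version since approval.

```powershell
# Added example: detective control for unauthorised GPO changes in the Luxembourg "segment".
# Assumptions (hypothetical): domain name, baseline path and function names are illustrative;
# the GroupPolicy RSAT module must be available on the host running the check.
Import-Module GroupPolicy

$SegmentDomain = 'lux.example.com'                  # hypothetical dedicated AD domain of the segment
$BaselinePath  = 'C:\Compliance\gpo-baseline.json'   # hypothetical location of the approved baseline

function Export-GpoBaseline {
    # Snapshot every GPO in the segment with its AD version counters, taken when the
    # local policy management procedure approves the current policy state.
    param([string]$Domain, [string]$Path)
    $snapshot = Get-GPO -All -Domain $Domain | ForEach-Object {
        [pscustomobject]@{
            Id               = $_.Id.ToString()
            DisplayName      = $_.DisplayName
            ModificationTime = $_.ModificationTime.ToUniversalTime().ToString('o')  # kept for the audit record
            ComputerVersion  = $_.Computer.DSVersion
            UserVersion      = $_.User.DSVersion
        }
    }
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Test-GpoDrift {
    # Compare the live GPO set against the approved baseline. Any GPO that is new, deleted,
    # or whose computer/user version counter moved is a candidate unauthorised policy change
    # that the preventive tool may have missed (e.g. while it was unavailable).
    param([string]$Domain, [string]$Path)

    $baseline = @{}
    foreach ($g in (Get-Content -Raw -Path $Path | ConvertFrom-Json)) { $baseline[$g.Id] = $g }

    $live = @{}
    foreach ($g in (Get-GPO -All -Domain $Domain)) { $live[$g.Id.ToString()] = $g }

    $findings = @()
    foreach ($id in $live.Keys) {
        $g = $live[$id]
        if (-not $baseline.ContainsKey($id)) {
            $findings += [pscustomobject]@{ Finding = 'GPO not in approved baseline'; GPO = $g.DisplayName; Id = $id }
            continue
        }
        $b = $baseline[$id]
        if ($g.Computer.DSVersion -ne $b.ComputerVersion -or $g.User.DSVersion -ne $b.UserVersion) {
            $findings += [pscustomobject]@{
                Finding  = 'GPO version changed since approval'
                GPO      = $g.DisplayName
                Id       = $id
                Baseline = "$($b.ComputerVersion)/$($b.UserVersion)"
                Live     = "$($g.Computer.DSVersion)/$($g.User.DSVersion)"
            }
        }
    }
    foreach ($id in $baseline.Keys) {
        if (-not $live.ContainsKey($id)) {
            $findings += [pscustomobject]@{ Finding = 'Approved GPO deleted'; GPO = $baseline[$id].DisplayName; Id = $id }
        }
    }
    return $findings
}

# Usage: export the baseline once after local approval, then run the drift check on a schedule
# and, in particular, after every outage of the preventive-control solution.
# Export-GpoBaseline -Domain $SegmentDomain -Path $BaselinePath
# Test-GpoDrift -Domain $SegmentDomain -Path $BaselinePath | Format-Table -AutoSize
```

The version counters are compared rather than the modification timestamp because a GPO's DSVersion is incremented by the directory on every saved edit, whereas a timestamp alone cannot tell an approved re-save from an unapproved one; the timestamp is still recorded so the baseline file doubles as evidence of when the approved state was captured. Any finding must then be reconciled against the approval records kept under the policy management procedure before it is treated as an unauthorised change.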
3. Conduct yearly audits to ensure controls operating effectiveness

The solution enforcing the preventive controls must be audited yearly at a technical and an organisational level, including all documentation, e.g.:

  • Suitability of access to the software tool
  • Documentation of the solution
  • Suitability of the policy management procedure
  • Logging of access and changes
  • Monitoring of the proper functioning of the tool
  • Etc.

Download our flyer on CSSF Circular 13/554.
