The Board comprises seven members appointed by the Grand-Duke on the proposal of the Government in Council for a period of five years.
Article 5 of the law of 23 December 1998 establishing the CSSF lays down the powers conferred upon the Board, namely the annual adoption of the CSSF's budget and the approval of the financial statements and of the report of the CSSF's Executive Board, which are submitted to the Board before their presentation to the Government for approval. It shall also set the general policy as well as the annual and long-term investment programmes which are submitted to it by the Executive Board before being submitted for approval to the Minister responsible for the CSSF. The internal rules set out the meeting and decision-making processes of the Board. The Board is not competent to intervene in the CSSF's prudential supervisory matters.
The Executive Board
The senior executive authority of the CSSF is the Executive Board, composed of a Director General and between two and four Directors, appointed by the Grand Duke on the proposal of the Government in Council for a period of five years.
In accordance with article 9 of the law of 23 December 1998, the Executive Board works out measures and takes the decisions it deems useful and necessary for the fulfilment of the CSSF's mission and for its organisation. Moreover, it sets up a five-year "targets contract" with the Minister responsible for the CSSF. The Executive Board is responsible for the reports and proposals it is obliged to address to the Board and the Government.
The decision-making process
According to its internal rules, the Executive Board must meet collectively at least once a week to take the decisions required to accomplish the mission of the CSSF, as conferred upon it by the law of 23 December 1998. The Executive Board is responsible collectively even if each individual member runs one or several departments.
The decisions taken collectively by the Executive Board, which in practice meets on a daily basis, are countersigned by all members of the Board and are recorded in a register. The decisions shall, in principle, be taken on a consensual basis. Where a consensus cannot be reached or where at least two members who had not taken part in the decision-making process request the decision to be reconsidered, a vote is required for which at least three members shall be present or contacted and at least three members shall agree, unless unanimity is expressly stipulated, as for decisions on the CSSF organisation chart structure. When a matter requires an urgent decision and it is impossible to contact the other members in due time, a single member may validly take a decision by invoking exceptional circumstances and is responsible for submitting the matter to the other members of the Executive Board as soon as possible.
All documents binding the Commission must bear the signature of at least one member of the Executive Board.
Means of redress
The decisions taken in the context of the CSSF's mission may be referred to the Administrative Court, which decides as trial judge. These recourses must be instituted, under penalty of foreclosure, within a month from the notification of the decision.
Drawing-up of regulations
The legislative framework applicable to the financial sector is complemented by circulars issued by the CSSF specifying how the legal provisions should be applied, publishing prudential regulations specific to certain areas of activity and issuing recommendations on conducting activities in the financial sector.
After having identified the subjects that need to be regulated by means of a circular, the CSSF departments prepare a draft text. Following the example of international forums and counterpart authorities, the CSSF has established a broad consultation procedure, which involves, during the stage of drawing-up of regulations, the professionals of the financial sector, as well as any other person concerned. In order to obtain advice as to whether projects are relevant considering the real situation of the market and whether they are consistent with the general legislative and regulatory framework, the CSSF has appointed various internal consultative committees which bring together specialists in the areas concerned. The members of these committees represent the undertakings subject to the CSSF's prudential supervision, professional associations representing various segments of the financial sector and external auditors and legal consultants working in the financial area. Every draft is submitted to the appropriate internal committee(s) for its (their) opinion.
Once the opinion of the internal committees has been considered, the draft, amended where appropriate, is submitted to the Comité consultatif de la réglementation prudentielle (Consultative Committee for Prudential Regulation). The Government may seek the advice of the Consultative Committee, established by the law of 23 December 1998 creating the CSSF, concerning any draft bill or grand-ducal regulation as regards requirements in the area of the supervision of the financial sector falling within the competence of the CSSF. In practice, the Executive Board of the CSSF seeks the advice of the Committee with respect to any draft regulation relating to the financial sector. If the Committee considers that a particular project should not be adopted, it may inform the Government accordingly.
Furthermore, the CSSF has the power to make regulations within the limits of its competence and mission, in accordance with article 9(2) of the law of 23 December 1998 creating the CSSF. These regulations shall be published in the Mémorial.
Co-operation with the national authorities
Under article 44 of the law of 5 April 1993 on the financial sector and article 32 of the law of 13 July 2007 on markets in financial instruments, the CSSF co-operates and exchanges information with the other national authorities relating to the financial and legal areas. Co-operation takes place on an informal basis and consists in the participation of CSSF representatives in the internal committees set up by these authorities and vice versa. Co-operation also takes place in accordance with the provisions of international memoranda of understanding stipulating co-operation at national level, such as the "Memorandum of understanding on co-operation between payment systems overseers and banking supervisors in stage three of economic and monetary union".
The CSSF shall, in accordance with article 3-1 of the law of 23 December 1998 creating the CSSF, cooperate with the Government, the Banque centrale du Luxembourg and the other authorities responsible for prudential supervision at national, Community and international level, in order to contribute to ensuring financial stability, in particular within the committees set up for such purpose. It takes into account the Community and international dimension of prudential supervision and financial stability.
Internal functioning of the CSSF departments
In order to ensure optimal co-operation between the different departments of the CSSF, a weekly meeting involving both the Executive Board and the staff responsible for all the Commission's departments and supporting functions provides an opportunity to present and discuss important decisions and events and to discuss any matter of common concern relating to the missions and proper functioning of the CSSF.
The functioning of each CSSF department is set out in an internal procedures manual updated in the light of the developments of the methods of supervision and resources in place. The procedures manual describes all the tasks to be performed by CSSF staff, acts as a guide to carrying out such tasks and also makes it possible to standardise and ensure coherence in the prudential approach adopted. Aspects relating to the organisational structure and internal functioning concerning all the CSSF staff are regulated by means of internal memos.
Every decision taken is appropriately documented at department level, so that the facts and considerations underlying decisions can be traced at any time (audit trail).
The Internal audit of the CSSF, which enjoys the appropriate independence and reports directly to the Executive Board, ensures the development of and compliance with internal procedures. Internal audit missions are documented in an audit report submitted to the Executive Board. The report may recommend the implementation of measures to be imposed by the Executive Board.
The financing of the CSSF
Article 24 of the law of 23 December 1998 creating the CSSF provides that the CSSF is authorised to levy taxes on supervised persons and undertakings to cover its staff, financial and operating costs. The Grand-ducal regulation of 29 September 2012 (being updated) lays down the amounts applicable and guarantees full financing of the operating costs.
In accordance with Article 22(2) of the law of 23 December 1998 establishing a financial sector supervisory commission, the balance sheet and the profit and loss account are published in the Mémorial. The balance sheet and the profit and loss account (only in French) of the CSSF for the financial year 2012 are published in Mémorial B - N°60 of 14 June 2013.
Auditing of the CSSF's accounts
The Government shall appoint a réviseur d’entreprises agréé (approved statutory auditor) on a proposal from the board of the CSSF. The réviseur d'entreprises (statutory auditor) shall fulfill the requirements to carry out the profession of réviseur d’entreprises agréé (approved statutory auditor). He shall be appointed for a term of 3 years, which appointment shall be renewable. The réviseur d’entreprises agréé (approved statutory auditor) shall be responsible for verifying and certifying the accuracy and completeness of the CSSF’s accounts. He shall draw up a detailed report on the CSSF’s accounts at the close of the financial year for the board and the Government. The board may request him to carry out specific verifications. The fees of the réviseur d’entreprises agréé (approved statutory auditor) shall be paid by the CSSF.
The CSSF shall be subject to the control of the Cour des comptes (Court of Auditors) for the compliant use of the public financial participation it receives.
For the financial period 2011-2013, Deloitte S.A. is the external auditor of the CSSF.
Regulations applicable to the CSSF staff
The CSSF agents enjoy the same status as civil servants, i.e. laws and regulations that apply to civil servants also apply to CSSF agents, subject to the provisions of the law of 23 December 1998 creating the CSSF.
All the persons carrying out or having carried out a task for the CSSF are bound by professional secrecy by virtue of article 16 of the aforementioned law. Professional secrecy implies that confidential information they receive in a professional capacity may not be revealed to any person or authority, except in summary or aggregated form, so that no professional of the financial sector may be identified, without prejudice to the cases falling under criminal law. However, professional secrecy does not prohibit the exchange of information between authorities as stipulated in article 44 of the law of 5 April 1993 on the financial sector.
An internal conduct code (only available in French), issued by the CSSF and directed at all the persons employed by the CSSF, lays down the principles and rules that the staff must abide by in the particular context of their financial transactions. These principles and rules help staff to comply with legal provisions and help to avoid any breach thereof due to negligence, erroneous interpretation of texts or misjudgment of situations. They protect against unjustified reproaches of abuse of insider information or reproaches that the action of the CSSF might be influenced by the personal interests of staff members.
Security of CSSF IT systems
The CSSF exchanges files very extensively with the supervised entities of the Luxembourg financial centre. The CSSF receives up to 2000 data files a day in the context of daily (transactions on financial assets) and monthly (bank and UCI reporting) reporting. The same number of files, containing the result of the processing, is returned to the supervised entities. Depending on the type of reporting, the files are routed through three different channels, i.e. the interbank network LIBRAC, the server of the Luxembourg Stock Exchange or direct transmission via the connection server. Before being sent, the files are encrypted by means of a public and private key system in order to ensure data confidentiality. The CSSF has its own PKI (Public Key Infrastructure) to manage the keys distributed to each supervised entity. Before arriving on the internal production servers, the data pass through two firewalls from different manufacturers in order to avoid any unauthorised access. Since the format is perfectly known, it is easy to filter the content of the files.
A separate infrastructure with two firewalls and an Intrusion Detection System (IDS) has been set up in order to monitor the Internet access (consultation of Internet webpages, sending and receiving of e-mails). All the Internet traffic passes through an anti-virus programme and an access control, which filters potentially dangerous files. The database containing the signatures of the known viruses is automatically updated. The IDS analyses the information packets circulating on the network and blocks, where applicable, any suspect packets. Tracking files are controlled manually on a regular basis.
Data on the different servers within the CSSF internal network are secured by access controls.
A backup of the main servers and the security infrastructure is installed at the backup premises of the CSSF, thus enabling the CSSF to remain operational even in case of failure or unavailability of all or part of the IT infrastructure.
The Systems security function, which reports directly to the Executive Board, is responsible for the definition of the internal IT security policy and procedures relating to the systems and the supervision of their installation, as well as the security relating to the CSSF building and its installations. The agent responsible for the systems security closely collaborates with the IT department to define, set up and monitor the entire security infrastructure. It is also in charge of the technology watch.