CSSF Circular 13/554

Usage and control of resources access tools

On January 7, 2013, the CSSF issued circular 13/554 entitled “Evolution of the usage and control of the resources access tools”.

Your challenge

Applicable immediately to credit institutions and other professionals of the financial sector, the new circular has two objectives: (i) to recognise that certain international financial institutions consolidate IT resources access tools at a Group level (e.g. shared Windows Active Directory), and (ii) to reiterate that banks and PSFs in Luxembourg must have full and permanent control over the IT resources under their responsibility.

Thus, Circular 13/554 describes in detail the requirements to be observed when banks and PSFs use the global resources access tools of their Parent Group. In this case, banks and PSFs in Luxembourg must:

  • Introduce a formal and detailed authorisation request to CSSF,
  • Implement certain organisational and technical controls,
  • Conduct yearly audits to ensure the operating effectiveness of the controls.

Our solution

Deloitte assists organisations in addressing the compliance of existing (or projected) global “resources access tools” implementations through in-depth analysis of IT regulatory issues and by proposing pragmatic technical and organisational solutions:

  • Compliance analysis: gap analysis of existing (or projected) global “resources access tools” implementations against regulatory requirements
  • Practical recommendations to achieve and sustain IT compliance
  • Assistance in communications with the Regulator: preparation or quality review of CSSF application files and participation in meetings with the Regulator
  • Yearly audits to ensure the preventive controls associated with the implementation operate effectively (i.e. at technical and organisational levels, including all documentation)

Contacts

Roland Bastin

Partner | Information & Technology Risk

Roland is a partner within the advisory and consulting department and joined the Risk Advisory practice of Deloitte in 2001. He is responsible for IT audit, IT security, IT regulatory compliance, Data...

Maxime Verac

Senior Manager | Information & Technology Risk

Maxime Verac is a Senior Manager within Deloitte’s Information & Technology Risk services in Luxembourg. He has 10 years of experience in Information Security. During the last 10 years, as a consultan...