CSSF Circular 13/554
Usage and control of resources access tools
On January 7, 2013, the CSSF issued Circular 13/554 entitled “Evolution of the usage and control of the resources access tools”.
Applicable immediately to credit institutions and other professionals of the financial sector (PSFs), the new circular has two objectives: (i) to recognise that certain international financial institutions consolidate IT resources access tools at Group level (e.g. a shared Windows Active Directory), and (ii) to reiterate that banks and PSFs in Luxembourg must have full and permanent control over the IT resources under their responsibility.
Thus, Circular 13/554 describes in detail the requirements to be observed when banks and PSFs use the global resources access tools of their Parent Group. In this case, banks and PSFs in Luxembourg must:
- Introduce a formal and detailed authorisation request to the CSSF,
- Implement certain organisational and technical controls,
- Conduct yearly audits to ensure the operating effectiveness of the controls.
Deloitte assists organisations in addressing compliance of existing (or projected) global “resources access tools” implementations through in-depth analysis of IT regulatory issues and by proposing pragmatic technical and organisational solutions:
- Compliance analysis: gap analysis of existing (or projected) global “resources access tools” implementations against regulatory requirements
- Practical recommendations to achieve and sustain IT compliance
- Assistance in communications with the Regulator: preparation or quality review of CSSF application files and participation in meetings with the Regulator
- Yearly audits to ensure the preventive controls associated with the implementation operate effectively (i.e. at technical and organisational levels, including all documentation)