April 25, 2018
The Law of 27 February 2018 has changed the professional secrecy that applies to all of Luxembourg’s insurance professionals, aligning it with the country’s banking secrecy system.
It will now take greater account of the developments linked to the digitalisation and structuring of groups located in different jurisdictions.
This change was welcomed, given the sector’s increasing digitalisation and the need to ensure strict confidentiality and meet customers’ needs.
Why professional secrecy?
Professional secrecy is based on the same principle as medical secrecy, where the patient discloses confidential information to his/her confidant in complete trust. Similarly, customers have to reveal confidential financial information to their confidant, be it their banker or insurer.
Professional secrecy was therefore developed for banks and insurance companies to guarantee confidentiality and gain customers’ trust in their key insurance partner.
Secrecy is also essential because of the intrinsic features of insurance contracts, especially when drawing up the beneficiary clause of which the beneficiaries may or may not be aware.
On the other hand, due to the sector’s digitalisation, it proved necessary to adjust secrecy in order to address new customer needs, for which OneLife already provides solutions (aggregators, digital onboarding, electronic documents and signing, etc.).
What is professional secrecy?
Under Article 300 of the Law of 7 December 2015 on the insurance sector, professional secrecy in insurance is such that all insurance industry professionals “are required to maintain the confidentiality of the information entrusted to them during the exercise of their mandate or as part of their professional duties”.
This means that all conversations, documents, personal data and secrets disclosed by the policyholder, the insured life, the beneficiaries or any other person acting on the customer’s side of the insurance relationship, must be kept secret and strictly confidential by the professional receiving the information.
What if these professional secrets are revealed?
Any disclosure of information covered by secrecy – with the exceptions specifically provided for by law – may result in the penalties applicable under Article 458 of the Luxembourg Criminal Code. For medical secrecy, as set out in the Criminal Code, the penalty is imprisonment from 8 days to 6 months and a fine of between €500 and €5000.
These penalties are relatively strict in order to deter anyone from betraying one of the most fundamental requirements of the insurance industry.
Who is professional secrecy for?
There are various individuals who are subject to insurance secrecy, as it applies to all professionals in the insurance relationship, including:
- All natural or legal persons established in Luxembourg and subject to the control of the CAA (Commissariat aux Assurances) or of a foreign authority for insurance activities conducted from Luxembourg
This broad category naturally includes insurance companies, but also insurance brokers, insurance agents, branches of foreign insurance companies, etc.
- Directors and members of governing and supervisory bodies
- Managers and employees of the above-mentioned natural and legal persons
- Insurance industry professionals experiencing difficulties and the individuals appointed to address them
Professional secrecy, geographical and temporal scope?
Secrecy applies to all insurance activities carried out either from the Grand Duchy of Luxembourg, or with the freedom to provide services from the same location.
In other words, an employee of an insurance company going to meet a customer or partner abroad, for example, is also subject to secrecy.
Moreover, Article 300(10) of the Law of 27 February 2018 establishes that “the violation of secrecy remains punishable after the termination of the mandate, employment relationship or exercise of the profession”, i.e. any disclosure of information even after the end of the person’s employment is still punishable!
Professional secrecy, exceptions prior to 27 February 2018
The exceptions laid down in the 1991 law were maintained unaltered in the 2015 law on the insurance sector, namely the following cases:
- Where the disclosure of information is authorised or required by a legal provision (e.g. reporting under the Common Reporting Standard or NCD – ‘Norme Commune de Déclaration’)
- To fulfil the commitments under the insurance contract in good faith
- To prevent or control fraud (e.g. reporting suspicions to tackle money laundering)
- To provide information to the sector’s regulatory authorities in the European Union where local professional secrecy laws similar to Luxembourg’s apply
- To provide information to the insurance company’s shareholders and partners to ensure its “sound and prudent management”
- To provide information between insurance companies, individuals working in the role of Insurance Sector Professionals (PSA – ‘Professionnels du Secteur des Assurances’), Luxembourg branches of foreign PSAs and individuals operating as Financial Sector Professionals (PSF – ‘Professionnels du Secteur Financier’) if said information is provided as part of a service contract (e.g. a business contract between a PSA and an insurance company)
- To provide information to reinsurers and co-insurers
- To provide information between entities in a financial conglomerate, although this is limited to information which must be subject to further reporting to the supervisory authorities
- To provide information to approved brokers in Luxembourg, for customer data where the broker has acted as an intermediary.
New provisions and exceptions applying to professional secrecy
New exceptions are emerging, while others are being reformulated to:
- align professional secrecy in insurance with banking secrecy
- enable outsourcing within financial groups
- meet new customer needs in relation to digitalisation
while maintaining confidentiality and the trust placed in the insurer, broker or PSA in Luxembourg as the customer’s confidant.
The new exceptions are:
- A new exception which applies to reinsurers, pension funds and their employees and managers
- A broader exception for insurers, PSAs and PSFs. Now all entities located in Luxembourg and regulated by the CAA, CSSF or ECB fall within the scope of the exception, provided that there is a service contract between the two entities
- Subcontractors of services provided by a regulated Luxembourg entity, provided that the customer has accepted the subcontracting, the type of information transmitted and the country of establishment of the subcontractors, and that the provider is bound by professional secrecy or by a confidentiality agreement
- A clarification in relation to the provision of information between entities in a financial conglomerate, in view of reporting to European authorities
- The ability to provide information within a group to assess consolidated risks or to calculate consolidated prudential ratios
The law also provides that the provisions of Article 300 on professional secrecy are “without prejudice to the amended law of 2 August 2002 on the protection of individuals with regard to the processing of personal data”.
That is to say, the information provided is subject to professional secrecy AND to personal data protection, which is changing as of 25 May 2018 following the entry into force of the General Data Protection Regulation (GDPR).
The exception set out in point 3 is the most interesting, but also likely to be the most highly controlled. This exception makes it possible to meet the new needs of customers while ensuring – through professional secrecy at local level or a confidentiality agreement – that their information is kept confidential and used in complete trust by the subcontractor.
OneLife listens to all of its partners’ and customers’ questions about their obligations and rights in relation to professional secrecy and data confidentiality.
Article by Jean-Nicolas Grandhaye, Corporate Counsel at OneLife