How to ensure compliance with ‘Central Electronic Data Retrieval System’ (CEDRS)?
5 hints to help you navigate through the CSSF Circular 20/747
The Luxembourg Law of 25 March 2020 and CSSF Circular 20/747 define a new framework under which each Luxembourg bank must make the required data on the accounts and safe-deposit boxes held on its books available in a defined format, over a specific protocol, on a daily basis and through a system that is permanently available (24 hours a day, 7 days a week). The data to be shared is defined by the CSSF and must be up to date, true and accurate.
The following steps need to be performed to ensure compliance with the “Central Electronic Data Retrieval System” requirements:
- Gather and centralise all required information on accounts and safe-deposit boxes stored across several systems (if not yet available in a central location/system)
- Prepare the output file in the expected format
- Build the required OpenAPI-based API implementation through which the CSSF retrieves the file
- Prepare the enrolment with the CSSF via a secured channel and plan the testing phase
- Process result notifications returned by the CSSF and handle errors
- Operate and maintain this infrastructure over time and keep the file up to date for the daily retrieval by the regulator
As a financial services professional in scope of the regulation, you may request "MFT access" from the regulator, which gives you the enrolment procedure details and the related technical documentation. Once access to the MFT account has been granted, you will be able to retrieve the following documents and information:
- your own RSA key pair
- the IP addresses used by the CSSF to connect to your API
- the CSSF’s public RSA key
- the certificate chain file and CA certificate for the CSSF's public RSA keys
- the CSSF’s public API URL
Once you have this information, as a regulated entity in scope you must provide the CSSF, through its enrolment API, with the HTTP identifiers that will be used to identify you to the CSSF. Each professional also publishes its PGP public key through the CSSF's enrolment API; the CSSF uses that public key to verify the signature on the files it downloads and to encrypt what it returns, while the matching private key, which signs outgoing files and decrypts incoming ones, stays with the professional.
Separate testing and production environments are made available by the CSSF; they are distinguished by the specific RSA keys and passphrases provided to you.
The data shared daily with the regulator must be structured as JSON. Around fifty fields are required, from the IBAN, the account holder's name, surname, date of birth, nationality, ID document type and number, and validity information, to additional information for legal entities. Every field must respect the format the CSSF defines for it, which ranges from free text to standardised ISO formats (such as ISO 3166-1 for country codes). To limit errors and malformed structures, the CSSF has provided banks with a JSON validator, which should be run before the first exchange. The file must be encoded in UTF-8.
For testing purposes, the file shared with the regulator must be anonymised by the professional.
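As an added example (not code from the CSSF, the circular or the article's author), the following Python sketch builds such a file: it checks a constructed subset of hypothetical field names against the kinds of format rules described above (IBAN mod-97 checksum, ISO 3166-1 alpha-2 nationality, ISO 8601 date of birth), serialises the result as UTF-8 without ASCII-escaping accented names, and produces the anonymised copy needed for the test environment, with checksum-correct synthetic IBANs so the anonymised file still passes the same checks. The field names, the country-code subset, the sample record and the secret are assumptions; the real schema comes from the CSSF documentation and its validator remains the authority.

```python
"""Build, validate and (for the test environment) anonymise the daily
registry file.  Added example, not CSSF code: the field names below are a
hypothetical subset of the roughly fifty fields the circular defines."""
import hmac
import json
import re
from datetime import date

# Constructed subset of ISO 3166-1 alpha-2 codes; load the full table in practice.
ISO_3166_ALPHA2 = {"LU", "FR", "DE", "BE", "GB", "US"}
# Hypothetical field names; the real ones come from the CSSF documentation.
REQUIRED_FIELDS = ("iban", "name", "surname", "date_of_birth", "nationality",
                   "id_document_type", "id_document_number")
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")


def _mod97(alnum: str) -> int:
    """Map A..Z to 10..35 as ISO 13616 does and reduce modulo 97."""
    return int("".join(str(int(c, 36)) for c in alnum)) % 97


def iban_is_valid(iban: str) -> bool:
    """Structural check plus the mod-97 checksum (must be 1)."""
    iban = iban.replace(" ", "").upper()
    return bool(IBAN_RE.match(iban)) and _mod97(iban[4:] + iban[:4]) == 1


def synthetic_iban(country: str, bban: str) -> str:
    """Build a checksum-correct IBAN from a BBAN (used for anonymised test data)."""
    check = 98 - _mod97(bban + country + "00")
    return f"{country}{check:02d}{bban}"


def validate_record(rec: dict) -> list:
    """Return a list of error strings; an empty list means the record passes."""
    errors = [f"{f}: missing" for f in REQUIRED_FIELDS if not rec.get(f)]
    if errors:
        return errors
    if not iban_is_valid(rec["iban"]):
        errors.append("iban: failed mod-97 check")
    if rec["nationality"] not in ISO_3166_ALPHA2:
        errors.append("nationality: not an ISO 3166-1 alpha-2 code")
    try:
        date.fromisoformat(rec["date_of_birth"])
    except ValueError:
        errors.append("date_of_birth: not ISO 8601 (YYYY-MM-DD)")
    return errors


def anonymise(rec: dict, secret: bytes) -> dict:
    """Replace identifying fields with keyed pseudonyms for the test environment.
    The same real IBAN always maps to the same pseudonym, so links between
    records survive; without the secret the mapping cannot be reversed."""
    tag = hmac.new(secret, rec["iban"].encode(), "sha256").hexdigest()
    bban = f"{int(tag[:16], 16) % 10**16:016d}"   # 16 digits, the LU BBAN length
    out = dict(rec)
    out.update(iban=synthetic_iban("LU", bban), name=f"HOLDER-{tag[:8]}",
               surname=f"HOLDER-{tag[8:16]}", id_document_number=f"DOC-{tag[16:24]}")
    return out


def registry_bytes(records: list) -> bytes:
    """Validate every record, then serialise as UTF-8 JSON.  ensure_ascii=False
    keeps a name such as Müller as UTF-8 bytes instead of a \\u escape."""
    bad = {r.get("iban"): e for r in records if (e := validate_record(r))}
    if bad:
        raise ValueError(f"registry rejected: {bad}")
    return json.dumps({"accounts": records}, ensure_ascii=False, indent=2).encode("utf-8")


# Constructed sample; LU28 0019 4006 4475 0000 is the usual documentation example IBAN.
SAMPLE_RECORDS = [
    {"iban": "LU28 0019 4006 4475 0000", "name": "Anna", "surname": "Müller",
     "date_of_birth": "1980-02-29", "nationality": "LU",
     "id_document_type": "PASSPORT", "id_document_number": "X1234567"},
]

if __name__ == "__main__":
    print(registry_bytes(SAMPLE_RECORDS).decode("utf-8"))
    print(anonymise(SAMPLE_RECORDS[0], b"test-secret"))
```

The anonymised copy keeps nationality and date of birth as they are; whether those must also be altered for the test environment is a decision to take against the CSSF's own guidance, not something this sketch settles.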
Every day (7 days a week), between 6 pm and 6 am, the professional must make a file with the relevant data available to the regulator. The API exchange is as follows:
- The professional notifies the CSSF that the file is ready (“Registry Ready”)
- The CSSF downloads the file from the professional API (“Download Registry”)
- The CSSF returns feedback to the professional on the status of the content ("feedback")
The professional is responsible for the security of the file and may delete it once the CSSF download has completed. If the data has not changed from one day to the next, the file communicated the next day can be the same as the previous one. When anything changes, a new file with the updated information must be communicated within the following 24 hours.
In addition, the file must be compressed and encrypted with PGP to the public key provided by the CSSF, and signed with the professional's private PGP key.
- If the feedback reports an error, the professional must provide an updated file
- If the CSSF does not take the file, the professional must notify the CSSF again every 10 minutes
No file can be submitted manually outside the process defined by the regulator.
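The exchange and retry rules above, as an added example that is neither part of the original article nor CSSF code: a Python simulation of the bank side, with a stand-in regulator that ignores the first announcements so the 10-minute re-notification is exercised, together with the GnuPG command line that produces the compressed, encrypted and signed file. The message names, the FakeCSSF behaviour, the choice to stop re-notifying once the 06:00 window closes, and the gpg key identifiers are assumptions; the real calls go to the mutually authenticated HTTPS endpoints from the enrolment documentation.

```python
"""Bank-side handling of the nightly exchange: announce the registry, re-announce
every 10 minutes while the regulator has not fetched it, then act on the feedback.
Added example, not CSSF code.  Assumptions: message names, the FakeCSSF stand-in,
and stopping re-notification when the 18:00-06:00 window closes."""
from datetime import datetime, time, timedelta

RETRY = timedelta(minutes=10)
WINDOW_OPEN, WINDOW_CLOSE = time(18, 0), time(6, 0)   # 6 pm to 6 am, wraps midnight


def in_window(now: datetime) -> bool:
    t = now.time()
    return t >= WINDOW_OPEN or t < WINDOW_CLOSE


def gpg_encrypt_and_sign(src: str, dst: str, cssf_key: str, bank_key: str) -> list:
    """argv producing the file the text describes: compressed, encrypted to the
    CSSF's public key and signed with the professional's private key.  GnuPG
    compresses by default; --compress-algo only makes that explicit.  Run it with
    subprocess.run(argv, check=True) on the host that holds the bank's private key."""
    return ["gpg", "--batch", "--yes", "--sign", "--encrypt",
            "--compress-algo", "zlib", "--local-user", bank_key,
            "--recipient", cssf_key, "--output", dst, src]


class SimClock:
    """Injectable clock so the 10-minute retry loop runs without real sleeps."""
    def __init__(self, start: datetime):
        self.now = start

    def sleep(self, delta: timedelta) -> None:
        self.now += delta


class FakeCSSF:
    """Stand-in regulator: ignores the first `ignore` announcements ("does not
    take the file"), then pulls the registry and returns the configured feedback."""
    def __init__(self, ignore: int, feedback: str):
        self.ignore, self.feedback, self.notifications = ignore, feedback, 0

    def registry_ready(self, professional) -> None:
        self.notifications += 1
        if self.notifications <= self.ignore:
            return
        blob = professional.download_registry()                # "Download Registry"
        professional.feedback(self.feedback if blob else "ERROR: empty registry")


class Professional:
    def __init__(self, encrypted_registry: bytes, clock: SimClock):
        self.registry = encrypted_registry   # output of gpg_encrypt_and_sign
        self.clock = clock
        self.downloaded = False
        self.last_feedback = None
        self.attempts = 0

    def download_registry(self) -> bytes:
        self.downloaded = True
        return self.registry

    def feedback(self, status: str) -> None:
        self.last_feedback = status

    def run_night(self, cssf: FakeCSSF) -> str:
        """Returns 'accepted', 'update-required' or 'window-closed'."""
        while in_window(self.clock.now):
            self.attempts += 1
            cssf.registry_ready(self)                          # "Registry Ready"
            if self.downloaded:
                if self.last_feedback.startswith("OK"):
                    self.registry = None                       # may delete once fetched
                    return "accepted"
                return "update-required"                       # error feedback: new file
            self.clock.sleep(RETRY)                            # re-notify every 10 minutes
        return "window-closed"


def simulate(hour: int, minute: int, ignore: int, feedback: str) -> tuple:
    """Run one night from the given start time on a constructed date; returns
    (status, announcements sent, minutes elapsed, registry still held or None)."""
    start = datetime(2024, 1, 10, hour, minute)
    clock = SimClock(start)
    prof = Professional(b"-----BEGIN PGP MESSAGE-----...", clock)
    status = prof.run_night(FakeCSSF(ignore, feedback))
    elapsed = int((clock.now - start).total_seconds() // 60)
    return status, prof.attempts, elapsed, prof.registry


if __name__ == "__main__":
    print(simulate(18, 0, 2, "OK"))
    print(" ".join(gpg_encrypt_and_sign("registry.json", "registry.json.gpg",
                                        "cssf-prod-key", "bank-signing-key")))
```

The simulation deliberately keeps the registry after an error feedback: the file stays in place until the corrected one replaces it, and it is only dropped after a successful fetch, which is the point at which the text allows deletion.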
As a bank, one option is to create the JSON file and manage all API interactions with the regulator yourself, from the enrolment process to the handling of the daily feedback; you are then also responsible for the data encryption. An in-house implementation keeps the bank in full control of the setup, but it requires internal resources and expertise, and the bank owns the maintenance processes. Alternatively, a professional can rely on a platform solution managed by a regulated external provider, such as Finologee, to handle the technical part of the enrolment process and the daily interactions with the regulator, as well as the data encryption (with a module deployed on premises). Outsourcing saves time and cost, brings in market expertise and lowers internal maintenance.