Patrick Terazzi, Partner – Audit, BDO Luxembourg. (picture: Maison Moderne)

Patrick Terazzi, Partner – Audit, BDO Luxembourg. (picture: Maison Moderne)

More and more common within the entities of the financial sector, the outsourcing of certain functions offers them numerous advantages. However, it also presents risks that need to be mitigated, as the CSSF (Commission de surveillance du secteur financier) has reminded us through the issuance of a recent circular, the main objective of which is to consolidate and harmonise the current regulations. Certain weaknesses in this area have also been noted by the regulator through its 2021 annual activity report.

Entrusting certain functions of a financial sector entity to external actors is far from new in Luxembourg. In recent years, however, this trend has accelerated, becoming more widely accepted and prevalent in many areas of the industry. “While outsourcing was already widely practised in the banking sector, especially for support functions, it has now been extended to many other players, such as alternative investment fund managers, for example,” explains Patrick Terazzi, a partner in BDO's audit department, who is responsible for the development of all financial sector activities within the group. “This phenomenon will certainly continue to grow with the increased use of remote work and the increased digitalisation of the sector.”      

Outsourcing can take on different faces, however. A financial sector entity can outsource functions such as human resources, portfolio management or risk management function to subsidiaries within the same group, or let providers entirely external to the structure manage accounting or IT infrastructure and environments, for example. “Furthermore, outsourcing can be entrusted to players based in Luxembourg or abroad, including outside Europe, continues Patrick Terazzi. In the end, it all depends on the strategic thinking of the entity or group that outsources.”

A risk of dependency and failure

The success of outsourcing in the financial sector is obviously due to the many advantages of this practice, the most important of which is cost rationalisation. “Moreover, considering the difficulty of recruiting certain profiles in Luxembourg, the use of subcontractors also allows access to expertise that cannot always be found here,” says the BDO partner, who also points out the risks that accompany these advantages. “First of all, you can find yourself dependent on a third party, no longer in control of the entire process. Secondly, you can fall victim to the incompetence, or even the failure, of the service provider, which can lead to major problems for the outsourcing entity.”

Aware of these dangers, the CSSF has just issued a circular on outsourcing aimed at harmonising, clarifying and reinforcing the regulations in force. “This CSSF circular 22/806 (which transposes the EBA guidelines (EBA/GL/2019/902)) targets the vast majority of regulated actors in Luxembourg: banks, payment institutions, GFIAs (in some cases), PFS, etc. Then, it introduces the concept of ‘ criticality or importance ’  which replaces the concept of ‘ materiality’ : entities must now assess all the activities they outsource and determine their level of criticality in order to know which ones will require special treatment. This analysis must be formally documented, which must also be the case for the entity's outsourcing policy. The CSSF will then be notified of this list of critical activities,” Patrick Terazzi explains.

In addition, a register of these functions will have to be kept up to date and an exit plan will have to be provided for each outsourcing contract of a critical function. Other requirements clarified by the CSSF include the impossibility to completely outsource the control functions or the management body and its responsibilities. However, the operational tasks of the internal control functions may be outsourced.

If this circular came into force on June 30, 2022, entities have until December 31, 2022 to comply with certain requirements. “There is no time to lose, says Patrick Terazzi. BDO is a partner of choice to help entities analyse the situation and implement the necessary measures. In recent years, in addition to our traditional activities, our group has strengthened its capabilities in assisting entities in the financial sector, whether it is to perform internal audits, assess the entity's regulatory compliance or offer our assistance for risk management functions, for example.” 

Would you like to know more about BDO Luxembourg's support services? Go to our