The Commission de surveillance du secteur financier (CSSF) has introduced a notification mechanism for outsourcing projects of supervised financial entities. (Photo: Romain Gamba/Maison Moderne)

The newly published CSSF circular 22/806 provides an updated regulatory basis in Luxembourg for the outsourcing of functions of supervised financial entities.

The Commission de surveillance du secteur financier, Luxembourg’s financial sector regulator, on 22 April published a circular on outsourcing. The document not only provides a framework for outsourcing arrangements, but also addresses information and communication technology (ICT) requirements. This is a change, as ICT requirements were until now broken down in different CSSF circulars. “This circular has the advantage of putting everything in one single document. It is a good point of reference, as there is now only one circular to refer to,” said David Hagen, founder of Hagen Advisory, a consultancy firm in the field of IT compliance.


The CSSF circular 22/806 is part of the European convergence in financial supervision. In February 2019, the European Banking Authority (EBA) issued its recommendations on outsourcing arrangements (EBA/GL/2019/02). Circular CSSF 22/806 therefore follows the Luxembourg regulator’s study of the EBA’s recommendations, integrating them into its administrative practice and regulatory approach.

In its 2019 recommendations, the EBA noted that financial institutions are showing increasing interest in outsourcing some of their activities for reasons of cost, flexibility and efficiency. As the financial services industry becomes more digital, more and more players are adapting their business models, increasing the use of fintech solutions.

The first European guidelines on outsourcing date back to 2006, applying to credit institutions only. The new and updated rules now aim at a more harmonised framework for all financial institutions supervised by the EBA, i.e. credit institutions, but also investment firms and payment and e-money institutions.

No delegation of responsibility

However, as stated in the circular, the Luxembourg regulator considered it useful “to extend the scope (...) in order to promote convergence at national level”. CSSF Circular 22/806 therefore also includes financial services professionals (PS) and Post Luxembourg.

In the case of outsourcing of IT services, the circular also applies, as a whole, to fund managers, central counterparties, trading market operators and clearing houses. “Management companies and funds are only affected in the case of IT outsourcing,” says Hagen.

In this way, the regulatory text modifies the internal governance framework of supervised entities, notably by identifying “critical or important functions”. They will thus be subject to stricter requirements, basing outsourcing agreements on a risk-based approach. Regulated entities will therefore have to keep a register of all outsourcing arrangements which can be used by supervisors in the course of their supervision.

One of the pillars of the circular is that the responsibility of the management body of the supervised entity cannot be outsourced. This is also the case when a sub-contractor is used, the circular notes: “The in-scope entity remains fully responsible for compliance with regulatory requirements, including in the case of sub-outsourcing, as sub-outsourcing can change the risk and reliability of outsourcing arrangements.”

Assessment of critical functions

Among the changes brought by the circular, the notion of material outsourcing is replaced by the notion of “outsourcing of critical or important functions,” explains the CSSF. The document provides some objective indicators to serve as guidance in order to identify them. “We are no longer talking about the materiality of the function that is outsourced, but about its criticality,” says Hagen, who then asks “to what extent is the assessment relevant for the regulator”. Because “the principle of proportionality leaves open the possibility of modulating the evaluation of criticality.”

There is therefore an issue of alignment between the regulator’s expectations in terms of proportionality and the elements indicated in the circular. This may leave the door open to many discussions on the interpretation of materiality. “In my opinion, this will force us to return to risk analysis in order to assess proportionality,” says Hagen. The aim of the approach is to be able to argue with the regulator “in order to avoid any subjective element on what is critical and what is not.”

Supervised entities are therefore expected to determine “whether outsourcing is allowed and to adapt their internal governance”. They must also adapt their risk management framework.

The CSSF expects regulated entities to limit operational risks when entering into outsourcing agreements. “The risks to be taken into account are in particular those related to the relationship with the service provider, the risk related to sub-outsourcing, the concentration risk posed by multiple outsourcing agreements with the same service provider and/or the concentration risk posed by the outsourcing of critical or important functions to a limited number of service providers,” underlines the circular.

Entities must therefore pay particular attention to operational risks, from the point of view of concentration and dependence, but also from a control point of view: “Outsourcing must not undermine the quality and independence of the entities’ internal controls.”

Prior notification

Circular 22/806 is applicable from 30 June 2022 to all outsourcing arrangements entered into or modified as from that date. Therefore, regulated entities will have to notify the CSSF at least three months in advance of their outsourcing projects. “The prior authorisation previously applicable to ‘non-ICT physical outsourcing’ is now replaced by a simple prior notification of ‘outsourcing of critical or important non-ICT functions’ as from 30 June 2022,” says the CSSF.

The regulatory text introduces another new subtlety, says the CSSF: “The prior notification with the possibility to object to ‘material ICT outsourcing’, introduced in 2021, is also replaced by a simple prior notification of ‘critical or important ICT outsourcing’.”

In contrast to non-ICT outsourcing, the simple notification procedure came into force from the date of publication of the circular. A retroactive application has thus been put in place for ICT outsourcing files already notified to the CSSF.

This story was first published in French on . It has been translated and edited for Delano.