New updates to the regulatory framework for outsourcing

Process design linked to business strategy (Photo : @geralt)

The CSSF released a new Circular (CSSF Circular 21/785) for financial institutions operating in Luxembourg. The Circular became effective on 15 October 2021 and updates the regulatory framework applying to Material IT outsourcing[1] and Cloud outsourcing[2].

This new Circular has been issued in response to many challenges faced by financial institutions operating in Luxembourg regarding the implementation of their outsourcing projects. The CSSF seeks through this Circular to facilitate compliant Material IT and Cloud outsourcing.

Who is affected by the new provisions of Circular 21/785?

The new Circular applies to all credit institutions, professionals of the financial sector ("PFS"), payment institutions and electronic money institutions as well as all investment fund managers who are subject to CSSF Circulars 12/552, 17/656, 20/758 and CSSF Circular 18/698 respectively (a “Supervised Entity”).

What are the changes brought by the new Circular 21/785?

1- Replacing the prior authorisation obligation with a prior notification obligation

Under previous CSSF circulars[3], any financial institution operating in Luxembourg that intended to rely on a material IT outsourcing or to use a cloud computing infrastructure outsourcing for a material activity needed to apply for prior authorisation from the CSSF before implementing its outsourcing project.

The CSSF has been receiving an increasing number of applications from these entities in relation to their outsourcing projects. As a result, the CSSF was coming under increasing pressure to deliver the requested authorisations on time.

From 15 October 2021, a Supervised Entity may submit a simple CSSF notification.

The notification must be submitted, using one of the templates available on the CSSF's website, in advance of the implementation of the project, in particular:

· one month in advance of implementation, in the case of outsourcing to a Luxembourg-based PFS that is subject to Articles 29-3 to 29-6 of the 1993 Law on the financial sector; or

· three months in advance in all other cases.

2- New changes for Group entities regarding Cloud outsourcing

Outsourcing projects are usually implemented across the entire business organisation and thus must comply with the requirements of several regulatory jurisdictions, including local Luxembourg law and regulations. This has proven to be a complex challenge for Group entities: to comply with the CSSF's previous requirements, the Luxembourg affiliates were obliged to enter into a complex intra-group agreement with the group entity. This situation created confusion, consumed time and increased costs.

Under Circular 21/785, as regards cloud computing infrastructure outsourcing for a material activity, if the outsourcing agreement is entered into by a group entity in order to allow the ISCR as well as other entities of the group to benefit from the cloud computing services, the CSSF no longer requires that the outsourcing agreement be governed by Luxembourg laws and regulations. The outsourcing agreement with the cloud service provider may also be subject to the law of the country of the signing group entity, including where this country is outside the European Union.

In addition, having backup redundancy of the cloud services infrastructure in the European Union for resiliency is no longer a requirement, but this should still be taken into account by a Supervised Entity when analysing the risks of the cloud computing infrastructure outsourcing for a material activity.

Easing this requirement does not mean easing the CSSF's supervision of these entities as regards outsourcing:

· All Supervised Entities remain responsible for compliance with all applicable legal and regulatory provisions with respect to the notified Material IT outsourcing project.

· The CSSF can ask for further information and notify the Supervised Entity that the CSSF partly or fully opposes the project. The CSSF can still intervene during the term of the outsourcing, e.g. by conducting on-site inspections, and in case of any compliance shortcomings the CSSF may order the outsourcing agreement to be terminated.

In conclusion, we should point out that this new approach of the CSSF is set to continue, since a new outsourcing circular is in prospect that will apply to all supervised entities under the FSA and the PSA (as well as to fund management companies) and will extend the notification regime to all types of critical or important (i.e. material) outsourcing.

[1] Material IT outsourcing concerns “critical or important functions” as defined in the EBA Guidelines on outsourcing (EBA/GL/2019/02), namely functions where a failure of supply of the outsourced IT functions would materially impair the soundness and continuity of the entity’s services and activities as well as its regulatory compliance obligations.

[2] An outsourcing to a cloud computing infrastructure within the meaning of the Circular CSSF 17/654.

[3] Circulars CSSF 12/552, 17/656, 20/758 and 17/654.