FINANCE - FINTECH

IT outsourcing

Why the CSSF changed the rules 



With the digitisation of financial players, the number of authorisation requests has exploded. The CSSF is changing the rules of the game to save time. Photo: Shutterstock

With the digitisation of financial players, the number of authorisation requests has exploded. The CSSF is changing the rules of the game to save time. Photo: Shutterstock

Last week, the CSSF published a new circular on IT outsourcing. The idea is to stop blocking financial centre players, it explained on Wednesday 20 October in a press release.

Between 2019 and 2021, the number of requests for IT outsourcing authorisations increased by more than 40%, a sign that financial sector players are refocusing on their core business and leaving IT professionals to deal with IT services. The demand for cloud services has even doubled.

Of course, any request has to be examined by the experts of the Commission de Surveillance du Secteur Financier (CSSF), which means that decisions may take longer and that there may be timing issues for the companies submitting these authorisation requests.

For this reason, the financial watchdog last week replaced prior authorisation with prior notification in its circular 21/785 on IT outsourcing. This concerns “critical or important functions”. Failure to comply would undermine the soundness and continuity of the entity’s services and activities as well as the regulatory compliance to which it is bound.

“We wanted to review our approach, so that the analysis of these authorisation requests would not be a hindrance to the proper execution of the projects of the entities under the supervision of the CSSF,” said Cécile Gellenoncourt, head of the department in charge of the supervision of information systems and supporting PFS, in a rare explanatory press release.

Supervised entities must therefore first report their project at least three months before the planned outsourcing becomes effective, or at least one month in case of recourse to a support PFS.

“In practice, the notifications received will be treated differently depending on the risks associated with the outsourcing project. The analysis could be more or less in-depth and take place before the planned date of implementation of the project or afterwards in the context of ongoing monitoring or an on-site inspection,” she continued.

Behind this “gentleman’s agreement”, the CSSF nevertheless warns that its controls will not be lighter.

“The new circular does not in any way call into question the quality and depth of our supervision. Even on a file that has simply been notified to us, we could intervene in retrospect, through on-site controls for example, if we notice serious failures in the respect of professional obligations,” concluded Gellenoncourt.

This article was originally published in Paperjam. It has been translated and edited for Delano.