Revamped CSSF outsourcing guidance for the financial sector

Source: NautaDutilh
4 mai 2022 par
vanessa Icardi Serrami

On 22 April 2022, the Luxembourg financial regulator (the "CSSF") released Circular 22/806 on outsourcing arrangements (the "Circular"). By means of the Circular, the CSSF adopts and integrates the revised EBA Guidelines on outsourcing arrangements (EBA/GL/2019) (the "EBA Guidelines") and, as far as fund management is concerned, the ESMA Guidelines on outsourcing to cloud service providers (the "ESMA Guidelines"). In addition to incorporating the EBA and ESMA Guidelines into the Luxembourg regulatory framework, the CSSF complements the EBA Guidelines with detailed requirements applicable in Luxembourg and extends their scope of application to a wider range of financial institutions. Last but not least, Part II of the Circular sets out additional requirements for ICT outsourcing, with a specific chapter devoted to cloud-based arrangements. The gold-plating language in the Circular is indicated in italics and bold, thereby calling attention to the Luxembourg-specific requirements. 

This newsflash sheds light on the main changes for Luxembourg supervised entities.

Scope of application

While the EBA Guidelines were intended to apply only to credit, payment and electronic money institutions, the CSSF chose to extend their scope of application to other categories of supervised entities. The Circular thus applies in full to:

  • credit institutions and their branches;

  • investment firms and their branches;

  • payment institutions and electronic money institutions and their branches;

  • other professionals of the financial sector ("PFS") and their branches, even when they do not fall within the scope of the EBA Guidelines; and

  • POST Luxembourg, the government-owned mail and communications company. 

It should be noted that credit institutions and investment firms that are parent undertakings must ensure that the internal governance arrangements, processes and mechanisms of their subsidiaries are consistent, well integrated and appropriate for effective application of the Circular. 

The Circular also applies to the following entities, but only in the context of ICT outsourcing:

  • investment fund managers ("IFMs");

  • undertakings for collective investment in transferable securities subject to Part I ("UCITS") of the UCITS Act;

  • central counterparties ("CCPs") within the meaning of Article 2(1) EMIR;

  • approved public arrangements ("APAs") with a derogation and authorised reporting mechanisms ("ARMs") with a derogation within the meaning of the Financial Sector Act ("LFS");

  • market operators running a trading venue within the meaning of the LFS;

  • central securities depositories ("CSDs");

  • administrators of critical benchmarks within the meaning of Article 3(1)(25) of the Benchmark Regulation. 

The CSSF aims to achieve consistent regulation of ICT outsourcing arrangements for all supervised entities, through the application of both the EBA and ESMA Guidelines and key points of existing Luxembourg-specific regulations. 

The Circular will also apply to Luxembourg-based EEA branches of legal entities with their head office in a different EU member state if the branch outsources functions that fall within the scope of CSSF supervision. 

With regard to internal governance arrangements, the Circular should be read in conjunction with the applicable statutory provisions as well as the CSSF circulars on central administration, internal governance and risk management (Circulars 12/552 and 20/758, as amended). 

Consolidated guidance

The Circular consolidates the supervisory requirements for IT outsourcing, including cloud outsourcing, in a single document. 

Previously, ICT and cloud outsourcing guidelines were contained in multiple CSSF circulars, including Circular 17/655 updating the outsourcing provisions of Circular 12/552 and applicable to credit institutions and investment firms; Circular 17/656, as amended, applicable to FSPs, payment institutions and e-money institutions; Circular 17/654 on cloud outsourcing, as amended; and Circular 21/785, which, amongst other things, replaced the authorisation obligation for material IT outsourcing with a notification obligation. 

In order to align the applicable regulatory texts, the CSSF will amend, as of 30 June 2022, the relevant circulars on internal governance, including but not limited to Circulars 12/552 and 20/758, as amended. In addition, the CSSF has announced that it plans to amend other circulars applicable to the funds sector, such as Circulars 16/644, as amended, 18/697 and 18/698. Furthermore, the CSSF will repeal a number of circulars as of 30 June 2022, including:

  • Circular 13/554 on evolution of the usage and control of the tools for managing information technology resources and management of access to these resources on a group level (which required Luxembourg supervised entities to have full control over their technology resources even when these are organised at group level);

  • Circular 17/654, as amended;

  • Circular 17/656 on administrative and accounting organisation and IT outsourcing, as amended;

  • Circular 21/777 on implementation of the ESMA Guidelines; and

  • Circular 21/785 on replacement of the prior authorisation obligation. 

Certain questions regarding the interaction between the Circular and Circular 18/698 (applicable to IFMs) and the prior notification process are addressed in an FAQ. 

Effective date and transition period 

The Circular applies as from 30 June 2022 to all outsourcing arrangements entered into, reviewed or amended on or after that date. Existing outsourcing agreements will be deemed to have been reviewed or amended, for example, when a financial institution implements new standard contractual clauses in its outsourcing agreements with a view to ensuring GDPR compliance of international personal data transfers. 

In addition, existing outsourcing arrangements must be reviewed in order to ensure compliance with the Circular. It is recommended to define a review schedule for all existing outsourcing arrangements. While no specific timeline is indicated, it is advisable to review critical or important outsourcing arrangements by 31 December 2022, having regard to the principle of proportionality. Where this is not possible, the CSSF must be informed accordingly. 

With regard to existing outsourcing arrangements, financial institutions must complete the applicable documentation in line with the Circular at the first renewal date of the arrangement and in any case no later than 31 December 2022. 

According to Circular 22/805, the notification obligation set out in the Circular will apply with immediate effect for ICT outsourcing only. 

Outsourcing: luxembourg-specific requirements

All outsourcing arrangements will have to comply with the general requirements laid down in Part I of the Circular while ICT outsourcing arrangements will also have to meet the specific requirements laid down in Part II. 

General outsourcing requirements (Part I of the Circular) 

The requirements applicable to any outsourcing arrangement include general rules and requirements intended to ensure sound governance of the arrangement and relate in particular to:

  • the assessment of outsourcing arrangements and critical and important functions,

  • sound governance arrangements,

  • the need for an outsourcing policy and business continuity plan,

  • the internal audit function,

  • documentation and notification requirements, such as maintaining an updated register of information on all outsourcing arrangements,

  • pre-outsourcing analyses,

  • contractual requirements,

  • oversight, and

  • exit plans. 

In many respects, these obligations are identical or similar to the requirements of the EBA Guidelines. 

For IFMs, the relevant provisions on outsourcing of Circular 18/698 will not apply in the case of ICT outsourcing arrangements. Part I of the Circular will apply to IFMs only in relation to certain ICT outsourcing arrangements, provided the requirements are relevant for the IFM. 

In Luxembourg, additional requirements will now apply to intra-group outsourcing and restrictions will apply to the outsourcing of internal audit or internal control functions as well as financial and accounting functions, for which only operational tasks may be outsourced. 

Furthermore, the CSSF now requires all entities covered by the Circular to appoint, for each outsourced activity, an employee responsible for managing the outsourcing relationship and access to confidential data. This requirement stems from Circular 12/552 on central administration, internal governance and risk management, as amended, and was previously only applicable to credit institutions and investment firms, the latter pursuant to Circular 20/758. 

For the outsourcing of critical or important functions, the register must include the date of prior notification to the competent authority. The outsourcing of critical or important functions is indeed subject to prior notification to the CSSF. For material ICT outsourcing arrangements, such an obligation was introduced by Circular 21/785. For other types of outsourcing arrangements, this obligation will enter into effect on 30 June 2022. The notification must be submitted at least three months prior to effective implementation of the planned outsourcing, except when relying on a Luxembourg support PFS governed by Articles 29-1 to 29-6 LFS, in which case this period is reduced to one month. Services subject to an authorisation requirement pursuant to Articles 29-1 to 29-6 LFS may only be outsourced if certain conditions are met. 

In addition to the EBA Guidelines, the CSSF imposes various contractual requirements for all types of outsourcing arrangements and entities that fall within the scope of the Circular. These requirements are generally applicable, meaning they do not apply only to the outsourcing of critical or important functions or to cloud outsourcing arrangements, with a few exceptions. For example:

  • guaranteed access, information and audit rights must be ensured not only for the supervised entity's internal audit function but also its statutory auditor and the CSSF itself, including the power to perform on-site inspections at the service provider; in practice, such requirements may be difficult to negotiate with certain ICT or cloud service providers;

  • the outsourcing agreement must not include a termination clause in the event of bankruptcy, controlled management, a suspension of payments, or a composition or arrangement with creditors aimed at preventing bankruptcy or similar proceedings;

  • the confidentiality and integrity of data and systems must be controlled throughout the outsourcing chain; data and systems should only be accessible on a "need to know" and "least privilege" basis, and professional secrecy rules and conditions must be complied with which, for LFS-regulated entities and payment/electronic money institutions, may require client consent. 

For the outsourcing of critical or important functions, certain requirements are more detailed and strict, in particular when it comes to audit rights and sub-outsourcing. 

According to the Circular, the outsourcing agreement must include a commitment by the service provider to erase the supervised entity's data and information within a reasonable period upon termination of the agreement and transfer of the outsourced function to another service provider. In Luxembourg, such a requirement previously existed only for cloud outsourcing arrangements. 

This requirement may have an impact on market practice, as contracts sometimes require the service provider to make information and data available to the financial institution for a certain period of time following termination of the agreement. 

Additional requirements for ICT outsourcing (Part II of the Circular) 

Part II of the Circular includes additional general guidance for ICT outsourcing arrangements as well as specific guidance exclusively for (i) non-cloud ICT outsourcing and (ii) cloud outsourcing. 

The requirements set out in Part II apply only to pure ICT outsourcing arrangements. Thus, they do not apply, for instance, to business outsourcing based on an ICT outsourcing arrangement (e.g., HR services relying on Salesforce SaaS solutions). This approach differs from the ESMA Guidelines and the EIOPA Guidelines in the insurance sector, endorsed by the CAA (Commissariat Aux Assurances) by means of CAA Circular 21/15 published on 5 August 2021, which apply to operational functions outsourced "to service providers that are not cloud service providers but that rely significantly on cloud infrastructure to deliver their services". 

ICT outsourcing means an arrangement of any kind between a supervised entity and a service provider “by which that service provider performs an ICT process, an ICT service or an ICT activity that would otherwise be undertaken” by the supervised entity itself, whereby the relevant question is of course which services are typically carried out by the entity itself, it being understood that the CSSF has consistently interpreted the term “outsourcing” arrangements broadly to include, for example, software development, which in some countries is not usually considered an “outsourced” activity. 

Specifically for ICT outsourcing that is not - and is unlikely to become - critical or important, the Circular allows supervised entities to justify the non-application of certain requirements applicable to all outsourcing arrangements, in particular those relating to: 

  • business continuity in the event of resolution or reorganisation or another procedure; and

  • a transfer of services whereby the continuity of the provision of services is threatened. 

  • Non-cloud-based ICT outsourcing 

Supervised entities may outsource: 

- ICT system management or operations:

  • in Luxembourg, solely to credit institutions or PFSs holding an authorisation in accordance with Article 29-3 LFS or a group entity that deals exclusively with group transactions in accordance with Article 1-1 (2)(c) LFS;

  • abroad, to any ICT service provider, including a group entity. 

- ICT services other than ICT management/operations (i.e., consulting, development, maintenance and hosting services) to any ICT service provider, including a group entity. 

Outsourcing arrangements must ensure that access to data and systems is in accordance with the principles of "need to know" and "least privilege". If the service provider is not allowed to access data due to professional secrecy, it shall not be granted access to readable confidential data unless it is monitored, throughout the performance of its tasks, by a person from the supervised entity in charge of ICT. 

Specific guidance is foreseen for support PFSs and their branches that wish to sub-outsource in whole or in part ICT operations services provided to clients or the management/operations services of their own ICT systems. 

Cloud outsourcing 

The main change with respect to cloud outsourcing arrangements is that they will be subject to all general outsourcing requirements (laid down in Part I of the Circular). The basic requirements for cloud-based ICT outsourcing are the same as for other types of outsourcing arrangements. Chapter 2 of Part II of the Circular includes additional requirements applicable only to cloud outsourcing arrangements. 

These requirements stem mostly from the old cloud circular. The definition of cloud computing remains the same and is still based on seven essential characteristics, i.e. the NIST criteria of “on-demand self-service”, “broad network access”, “resource pooling”, “rapid elasticity” and “measured service” plus two specific criteria, namely “no unmonitored/uncontrolled access to data by the cloud computing service provider” and “no manual interaction by the cloud computing service provider”. 

Compared to the old cloud circular, supervised entities have fewer possibilities to set aside certain requirements in the context of the outsourcing of non-critical or non-important functions. They can, for example, no longer justify non-application of the requirements relating to monitoring and audit rights. 

Under certain conditions, support PFSs and their branches authorised under Article 29-3 LFS may partially outsource resource operator services. 

The resource operator (which can be the supervised entity) must still designate from amongst its employees a "cloud officer" whose name will be provided to the supervised entity. The latter must be informed of any changes to the application functionality – other than those relating to corrective maintenance – prior to the implementation thereof and must also know at all times where its data and systems are located, be they production environments, replicas or backups. 

The old cloud circular was most recently amended by Circular 21/785, which gave more flexibility to group entities with respect to choice of law and resiliency of services within the EEA. These provisions have been incorporated into the Circular. 

Enforcement and sanctions

The Circular does not contain specific enforcement and sanctions rules for violation of its obligations. Although CSSF circulars are strictly speaking soft law, they are used by the CSSF to inform supervised entities of its interpretation of the applicable laws and may therefore be used to assess non-compliance by supervised entities. 

Supervised entities that are found to have violated the law may be subject to a warning, reprimand, fine of up to EUR 250,000, temporary or definitive ban on the conduct of certain activities, or other restrictions.

Conclusion 

As of 30 June 2022, financial sector entities will be obliged to notify the CSSF of all outsourcing arrangements that are deemed critical or important prior to the implementation thereof and to comply with other regulatory requirements. They will also have to review and amend their existing outsourcing arrangements, including any agreements they currently have in place, with a view to ensuring compliance with the Circular. 

For LFS-regulated entities and payment and e-money institutions, the Circular will not substantially change existing outsourcing compliance requirements. However, for other entities, including in particular those active in fund management, more significant compliance efforts will probably be required as, in general, their outsourcing arrangements were not previously subject to such strict rules and regulations.