CSSF releases its Outsourcing Circular

Deloitte expert podcast on the Outsourcing Circular

The long-awaited Outsourcing Circular which implements the EBA’s Guidelines on Outsourcing is published with a further extension of application.

Context

The European Banking Authority’s Guidelines on Outsourcing (EBA/GL/2019/02) specify the internal governance arrangements, including sound risk management, that institutions should implement when they outsource functions, in particular with regards to the outsourcing of critical or important functions. These Guidelines develop the expectation for governance on outsourcing arrangements as well as the requirements for each stage of the outsourcing arrangement’s lifecycle.

With a view to contribute to supervisory convergence at the European level, the CSSF has integrated the EBA’s Guidelines on Outsourcing arrangements (EBA/GL/2019/02) into its administrative practice and regulatory approach via the Circular 22/806.

The Circular specifies the requirements that supervised entities must observe when resorting to outsourcing arrangements. It contains in one single document the requirements related to business process and ICT outsourcing including the cloud outsourcing that were previously disseminated in individual circulars. The Circular represents the CSSF’s integrated framework on outsourcing arrangements and introduces a harmonized framework governing outsourcing arrangements in order to promote convergence at a national level.

While the EBA’s Guidelines apply to credit institutions and investment firms as well as payment and electronic money institutions, the Circular itself covers a wider scope of supervised entities (i.e. other PFS including their branches, POST Luxembourg). The Circular also applies to investment fund managers (IFMs), undertakings for collective investment in transferable securities (UCITS), central counter parties (CCPs), approved publication arrangements, market operators operating a trading venue, central securities depositories (CSDs), and administrators of critical benchmarks when performing ICT outsourcing only.

The Circular is complemented by i) the Circular 22/805 that amends or repeals certain circulars CSSF and ii) the FAQs in relation to the application of the Circular to IFMs and to the competent authority prior notification process. With the application of the Circular as of 30 June 2022, multiple circulars in relation to outsourcing will be either amended or repealed.

Further clarifications to the Guidelines and complementary local requirements

In addition to implementing the EBA’s Guidelines on Outsourcing arrangements, the new Circular clarifies certain conditions and reminds organizations of their local requirements. These include:

• Responsibility of the management body;
• Intragroup outsourcing;
• Compliance of branches;
• Respect of the professional secrecy and compliance with GDPR in outsourcing arrangements;
• Competent authorities’ rights;
• Outsourcing arrangements relating to internal control functions and financial and accounting functions;
• Storage of end-of-day accounting position data backup within the EEA;
• Service provider’s independence from the statutory auditor;
• Supervisory condition for outsourcing (e.g. notification of the competent authority, outsourcing to a service provider located in Luxembourg, etc.);
• Confidentiality and integrity of data and systems throughout the outsourcing chain, in particular respect of the principles of “need to know” and “least privilege”;
• Commitment of the service provider to erase the data and systems of the in-scope entity within a reasonable timeframe when the contract is terminated; and
• Outsourcing of ICT system management/operation service in Luxembourg and abroad.

Impact on IFM and interaction with the Circular CSSF 18/698

In 2021, the CSSF had already implemented the European Securities and Markets Authority (ESMA) Guidelines on outsourcing to cloud service providers through the Circular CSSF 21/777 by amending the scope of Circular CSSF 17/654. The new Circular applies to IFMs when performing ICT outsourcing. When an IFM outsources ICT, the Circular CSSF 18/698 applies as a baseline in relation to Chapter 4 (The bodies of IFM) and Chapter 5 (Arrangements regarding the central administration and internal governance) and is complemented by the new Circular in relation to outsourcing governance.

Amongst others, the main specific requirements that IFMs must respect when performing ICT outsourcing are the implementation of an outsourcing policy, documentation of the ICT outsourcing in the outsourcing register, and notification of the regulator for critical or important contemplated ICT outsourcing. The CSSF FAQs related to the Circular on outsourcing arrangements provide insightful clarifications on the application of the Circular to IFMs.

IFMs governed by Article 125-1 of Chapter 16 are not expected to comply with the new Circular, however Chapter 1 of part VI of Circular CSSF 18/698 applies.

Impact on Support PFS authorized under Articles 29-3, 29-5, and 29-6 LFS and their branches abroad

The new Circular clarifies the definition of “Own ICT systems” and “Client ICT systems” under the requirements applicable to support PFS. The latter corresponds to systems that support the services provided to their clients by the Support PFS irrespective of whether they belong to the client or to the support PFS. According to the Circular, under certain conditions, support PFS may partially outsource their ICT operator services, i.e. some of the management/operational services of client ICT systems. Amongst others, some of these conditions are:

• That the service provision is complementary;
• The prior approval of all concerned regulated financial sector clients is obtained;
• The prior consent of their regulated clients is obtained if the service provider may have access to data subject to professional secrecy;
• The competent authority is provided with a detailed oversight plan and exit plan on a yearly basis; and
• The prior approval of the relevant authority for such outsourcing is obtained.

Notifying the competent authority of outsourcing critical or important functions

In-scope entities will be required to perform a simple prior notification for all outsourcing arrangements of a critical or important function (including ICT outsourcing and business process outsourcing). This notification process applies to (a) planned new critical or important outsourcing arrangements, (b) material changes to existing critical or important outsourcing arrangements, and (c) changes to outsourcing arrangements that lead to an outsourced function becoming critical or important. Support PFS and their branches will, under certain circumstances, need to get the prior approval of the competent authority for their outsourcings.

The in-scope entities are expected to notify that the (planned) outsourcing arrangement complies with the new Circular. To do so, the notification template of the CSSF should be used and submitted at least three months before the planned outsourcing comes into effect. The notice period is reduced to one month when resorting to a Luxembourg-based support PFS governed by Articles 29-1 to 29-6 LFS.

In-scope entities may implement the outsourcing arrangement at the end of the notice period (three months or one month). They do not have to wait for the approval/non-objection of the authority to implement the planned outsourcing arrangements based on the information provided in the FAQs and, under the condition, that they reflect the potential concerns expressed by the relevant authority. The CSSF’s FAQs related to the Circular on outsourcing arrangements provide insightful clarifications on prior notification process.

Amendments or repeal of certain CSSF Circulars

As of 30 June 2022, CSSF will amend the Circulars CSSF 12/552 as amended, CSSF 20/758 as amended, IML 95/120, IML 96/126, IML 98/143 as amended, CSSF 04/155.

At a later date, CSSF will amend the Circulars CSSF 16/644 as amended, CSSF 18/697, CSSF 18/698.

As of 30 June 2022, CSSF will repeal the Circulars CSSF 13/554, CSSF 15/611, CSSF 17/654 as amended (Cloud Circular), CSSF 17/656 as amended, CSSF 19/714, CSSF 21/777, CSSF 21/785.

What does this mean for my organization?

30 June 2022 is now the definitive milestone for in-scope entities.

Entities must review and amend existing outsourcing arrangements to be compliant with the requirements of the Circular, complete the documentation of all existing outsourcing arrangements in line with this Circular following the first renewal date of each existing outsourcing arrangement—but by no later than 31 December 2022.

Where in-scope entities assess the review and amendment of outsourcing arrangements of critical or important functions existing prior to 30 June 2022 will not be finalized by 31 December 2022, they must inform their competent authority in a timely manner, including the measures planned to complete the review or the possible exit strategy.

With regards to ICT outsourcing notifications that were submitted before 22 April 2022, based on the information provided in the FAQs document, the CSSF will treat them according to the same supervisory approach meaning that the in-scope entity may implement the outsourcing arrangement as soon as the notice period has expired.

Next steps

While the Circular applies as from 30 June 2022 to all outsourcing arrangements entered into, reviewed or amended on or after this date, the prior notification requirement for ICT outsourcing applies with immediate effect. Such a notification is to be submitted at least three months before the planned outsourcing comes into effect. When resorting to a Luxembourg-based support PFS governed by Articles 29-1 to 29-6 LFS, this notice period is reduced to one month.

In addition to revising existing outsourcing arrangements, in-scope entities must revise their outsourcing policy and governance as well as process to ensure that any new outsourcing arrangements will comply with new regulatory requirements.

How can Deloitte help?

Please contact us if you would like to discuss and plan how to best manage the impact of the Circular on your organization’s outsourcing governance framework and arrangements.

At Deloitte, our Risk Advisory services are designed to help operational (‘first line of defense’) and internal control functions (‘second and third line of defense’) in complying with regulatory requirements and applying best practices in the field of outsourcing governance framework, business process, and ICT and cloud outsourcing.

The Deloitte Regulatory Watch service helps you stay on top of regulatory news while preparing your organization for addressing future regulatory developments.

Contacts

Regulatory Watch Kaleidoscope service