On 22 April 2022, the Commission de Surveillance du Secteur Financier (the "CSSF") published a set of documents on outsourcing arrangements (the "OAs"), which (i) describes the rules governing the OAs, (ii) implements the EBA guidelines on OAs, (iii) integrates them into the CSSF's administrative practice and regulatory approach, and (iv) brings together the requirements for OAs relating to information and communication technologies (cloud and non-cloud, "ICT") that were previously disseminated in several circulars.
Circular CSSF 22/806 (the “Circular”) has a broad scope insofar as it applies in full to (i) credit institutions, (ii) payment institutions and electronic money institutions, (iii) investment firms, and (iv) financial sector professionals (“Full-scope Entities”). It also applies to the following entities when performing ICT outsourcing: (i) investment fund managers, (ii) Part I undertakings for collective investment in transferable securities, (iii) central counterparties, (iv) approved publication arrangements and authorised reporting mechanisms, (v) market operators operating a trading venue, (vi) central securities depositories and (vii) administrators of critical benchmarks (the "Limited Scope Entities" and together with the Full-scope Entities the “Entities”). The Entities when applying the provisions of the Circular shall have regard to the principle of proportionality. Implementing measures are therefore proportionate to the size and internal organisation of each Entity and to the nature, scale and complexity of its activities or services.
To prevent risks arising from outsourcing (including intra-group outsourcing), Entities shall conduct appropriate monitoring and auditing of the OAs, particularly in case of outsourcing of internal control functions and financial and accounting functions.
Entities that intend to outsource or amend an outsourcing arrangement regarding a critical or important function (including ICT outsourcing and business process outsourcing) notify in advance their plans to the competent authority. In this respect, details are provided in the FAQ of the CSSF, which, i.a., state that Entities do not have to wait for the approval/non-objection of the competent authority to implement the planned outsourcing arrangements at the end of the notice period.
The Circular describes the outsourcing process and the requirements imposed upon the Entities, such as (i) a pre-outsourcing analysis including a risk assessment and a due diligence on the Service Provider,(ii) the written content of the outsourcing agreement, and of the sub-outsourcing arrangement, (iii) the control on confidentiality and integrity of data and system (ICT) throughout the outsourcing chain, (iv) the access to the information relating to outsourced functions by the internal audit function, the statutory auditor and the competent authority and (v) exit plans. The Circular provides for contractual reasons for termination of the outsourcing arrangement and expressly excludes cases related to bankruptcy or any other BRRD proceedings.
More specifically, concerning requirements in the context of pure ICT outsourcing arrangements (cloud and non-cloud, the Circular repeats most of the requirements previously set out in relevant CSSF circular letters. In this context, CSSF circular letter 17/654 will be repealed as from 30 June 2022.
The Circular reminds that in all cases (including sub-outsourcing), the Entities (and their management bodies) remain fully responsible for compliance with applicable regulatory requirements.
The Circular is applicable from 30 June 2022 to all outsourcing arrangements entered into, reviewed or amended on or after this date. The points on prior notification to the competent authority are, however, of immediate application for ICT outsourcing.
Entities must (i) review and amend existing outsourcing arrangements and (ii) complete the documentation of all existing outsourcing arrangements in accordance with the Circular following the first renewal of each existing outsourcing arrangement by no later than 31 December 2022.
Should you have any questions relating to the above, please do not hesitate to contact one of the experts of our regulatory and investment funds team.