CSSF Circular on outsourcing arrangements
Posted - 26.04.2022
On 22 April 2022, the Commission de Surveillance du Secteur Financier (the “CSSF”) issued:
- The Circular 22/805 on the revised EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) – Publication of Circular CSSF 22/806 on outsourcing arrangements –Repeal or amendments or certain circulars CSSF (the “Circular 22/805”);
- The Circular 22/806 on outsourcing arrangements (the “OS Circular”);
- The Circular 22/807 updating CSSF Circular 12/552 on central administration, internal governance and risk management, as amended; and
- CSSF FAQ – Circular CSSF 22/806 on outsourcing arrangements providing guidelines on the scope and application of the OS Circular (the “FAQ”).
- The OS Circular applies notably to credit institutions, investment firms, payment institutions, electronic money institutions and professionals of the financial sector and their branches and partially to investment fund managers (“IFM”), their branches and UCITS.
- All requirements detailed in the OS Circular relating to ICT outsourcing define the new ICT outsourcing framework for IFMs and their branches and therefore the OS Circular overrides to some extent section 5.1.2 “Clarifications on technical infrastructure, IT and business continuity” of CSSF Circular 18/698.
- The FAQ specifies that part of the OS Circular applies only to IFMs in relation to one or several specific ICT outsourcing and where the requirement is relevant for IFMs. Therefore for example, section 4.1.3 “Outsourcing arrangements relating to internal control” and section 4.1.4 “Outsourcing arrangements relating to the financial and accounting function” of the OS Circular do not apply to IFMs since those sections are not related to ICT.
2. Main practical impacts
- Outsourcing of “Critical or important” functions
In-scope entities shall assess whether the functions they are outsourcing are “critical or important” pursuant to criteria developed in the OS Circular.
- Outsourcing policy
In-scope entities shall establish an outsourcing policy covering the points developed in section 4.2.3 of the OS Circular. This was already required but in-scope entities shall review it to ensure the exhaustiveness of this policy and compliance with the new rules.
- Outsourcing register
In-scope entities shall maintain a register of information of all outsourcing arrangements which must distinguish between the outsourcing of critical or important functions and other outsourcing arrangements. The register will need to refer to a certain number of points as required by section 4.2.7 of OS Circular (additional information will be required for outsourcing of critical or important functions). The outsourcing register can be requested at any time by the CSSF.
- Required provisions for outsourcing arrangements
Section 4.3.2 of OS Circular requires a certain number of provisions to be included in outsourcing arrangements. The OS Circular goes beyond the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and requires all outsourcing arrangements to include these provisions and not only the critical and outsourcing ones.
One positive change: in-scope entities intending to outsource a critical or important function shall notify (rather than authorisation process) their plans to the CSSF at least three months before the planned outsourcing becomes effective (this delay is reduced to one month in case of outsourcing to a Luxembourg regulated support professional of the financial sector). No specific formalities are applicable to outsourcing of non-critical or non-important functions.
- Replacement of CSSF Circular 17/654 on cloud computing, as amended and simplification of cloud rules
Chapter 2 of Part II of the OS Circular replaces CSSF Circular 17/654 on cloud computing, as amended, which is repealed. The major principles, however, remain the same (e.g. requirement to identify a resource operator, appointment of a cloud officer…).
- The OS Circular is applicable from 30 June 2022 to all outsourcing arrangements entered into, reviewed or amended on or after 30 June 2022.
- In-scope entities shall complete the documentation of all existing outsourcing arrangements in line with the OS Circular following the first renewal date of each existing arrangement, and by no later than 31 December 2022.
- In-scope entities which have not managed to review by 31 December 2022 outsourcing arrangements of critical or important functions existing prior to 30 June 2022 shall inform the CSSF.
WHAT TO DO NEXT?
- Implement an outsourcing register and review the outsourcing policy/procedure to ensure it complies with the OS Circular
- Set-up a plan to review and update existing outsourcing arrangements
- Make sure that all new outsourcing arrangements comply with the requirements of the OS Circular
We remain at your disposal for assistance to implement and/or enhance your outsourcing framework.