Effective 15 October 2021, financial institutions must notify the CSSF of any planned outsourcing of material IT activities. This notification obligation replaces the prior authorisation requirement.
On 14 October 2021, the Luxembourg financial regulatory authority, the Commission de Surveillance du Secteur Financier ("CSSF"), issued a new circular (Circular 21/785) replacing the prior authorisation obligation for material IT outsourcing with a prior notification obligation (the "Circular"). The Circular also modifies certain contractual requirements applicable to cloud outsourcing, which should allow for more flexibility within corporate groups.
It is furthermore expected that the CSSF will issue in the near future a new, overarching circular on outsourcing to implement the 2019 EBA guidelines on outsourcing arrangements, which are applicable to all supervised entities falling within the scope of the Financial Sector Act of 5 April 1993 (FSA) and the Payment Services Act of 10 November 2009 (PSA) (the "new outsourcing circular"). The provisions of the new outsourcing circular on IT-related outsourcing will also apply to investment fund management companies.
This newsflash briefly summarises the main changes introduced by the Circular.
Scope of the circular
The Circular is addressed to all credit institutions, financial sector professionals ("FSPs") and other FSA-regulated entities, payment institutions and e-money institutions within the meaning of the PSA, as well as investment fund managers subject to CSSF Circular 18/698.
The new notification obligation applies to material IT outsourcing and most cloud outsourcing arrangements. The Circular modifies
- CSSF Circular 12/552 on central administration, internal governance and risk management, as amended, applicable to credit institutions, as amended;
- CSSF Circular 17/656 on administrative and accounting organisation and IT outsourcing, applicable to FSPs, payment institutions and e-money institutions;
- CSSF Circular 20/758 on central administration, internal governance and risk management, applicable to investment firms; and
- CSSF Circular 17/654 on cloud outsourcing, as amended.
IT outsourcing means an arrangement of any form between a supervised entity and a service provider (including an affiliate) whereby the service provider is responsible for performing an IT process, service or activity that would otherwise be performed by the supervised entity itself. The covered processes, services and activities are exclusively IT related. The Circular applies only to pure IT outsourcing, thus not business process outsourcing.
For other material outsourcing arrangements, the prior authorisation obligation remains applicable for the time being. In the context of cloud outsourcing, support FSPs authorised under Article 29-3 or 29-4 of the FSA are still obliged to obtain a prior authorisation in certain circumstances, but the new outsourcing circular will probably extend the notification obligation to non-IT-related material outsourcing arrangements.
New notification obligation
Effective 15 October 2021, financial institutions need no longer obtain a prior authorisation for the outsourcing of a material IT activity. Instead, it is sufficient for the financial institution to notify the CSSF of its outsourcing project at least three months prior to the time at which it will become effective. This period is reduced to one month if the financial institution uses a support FSP within the meaning of Articles 29-3 to 29-6 of the FSA, i.e., primary IT systems operators, secondary IT systems and communications networks operators, dematerialisation service providers and conservation service providers within the meaning of the E-archiving Act of 25 July 2015.
In the absence of a response from the CSSF by the end of the abovementioned three- or one-month period, the institution can proceed with the outsourcing arrangement.
The notification form - available in English on the CSSF's website - must be submitted in an editable Word version as well as in pdf and covers:
- the identification of the project and details of the supervised entity;
- details of the IT service provider (including information on the resource operator for cloud outsourcing);
- a description of the IT outsourcing project, including a comparison of the current IT set-up (“as is”) and the planned IT set-up (“to be”) and information on data centre providers;
- outsourcing governance, including the name of the "cloud officer" in the case of cloud outsourcing;
- contractual arrangements;
- information security; and
- business continuity.
The CSSF has issued FAQ (last updated in March 2021) to help assess the materiality of an IT outsourcing arrangement. It should be noted that the new outsourcing circular will replace the concept of "material activity" with that of "critical or important function" in keeping with the 2019 EBA guidelines on outsourcing arrangements.
Additional changes for cloud outsourcing
With respect to the contractual requirements applicable to cloud outsourcing, the Circular provides more flexibility for corporate groups. Thus, if the outsourcing agreement is a group contract and also group entities outside the European Union will be able to benefit from the cloud computing services,
the contract may also be made subject to the law of the country of the signing (group) entity, even if this country is outside the European Union; and
resiliency of the cloud computing services within the European Union is no longer required, but should be considered in the institution's risk analysis.
Entry into force and transitional measures
The Circular entered into force on 15 October 2021. Thus, financial institutions can notify any planned material IT outsourcing as from this date.
Applications for the authorisation of the outsourcing of material IT activities submitted to the CSSF before 15 October 2021 are subject to transitional measures, set out in a separate communication.
Financial institutions that applied for an outsourcing authorisation before 31 August 2021 inclusive will receive from the CSSF feedback on their applications in the form of a request for additional information, a notice of no objection, a conditional notice of no objection or a refusal, in accordance with the procedures and deadlines in place before 15 October 2021.
For financial institutions that applied for an outsourcing authorisation between 1 September 2021 and 14 October 2021 inclusive, the following applies:
The CSSF may respond to the application (by way of a request for additional information or a partial or complete objection to the project) no later than 15 January 2022. In its response, the CSSF will provide the financial institution concerned with details of the follow-up of the application.
In the absence of a response from the CSSF to the application by 15 January 2022, the financial institution may proceed with the proposed outsourcing.
The Circular is intended to bridge the transition period until issuance of the new outsourcing circular. It is expected that the new outsourcing circular will apply to all supervised entities under the FSA and the PSA (as well as to fund management companies) and extend the notification regime to all types of critical or important (i.e. material) outsourcing.
A draft of the new outsourcing circular was sent to stakeholders for consultation and feedback last summer. It remains unclear, however, when the final version will be issued. In any event, it should be shortly, as the deadline for implementation of the 2019 EBA guidelines on outsourcing arrangements into the Luxembourg financial regulatory framework is 31 December 2021. We will be sure to keep you posted.