On 22 April 2022, the CSSF published Circular CSSF 22/806 on Outsourcing arrangements. It concerns banks, FSPs as well as various other financial sector entities (“In-Scope Entities”).
The complete Circular text (which is available only in English) at the following link: https://www.cssf.lu/wp-content/uploads/cssf22_806eng.pdf.
These entities are required “to adopt robust internal governance arrangements, which shall include a clear organisational structure, adequate internal control mechanisms, including sound administrative and accounting procedures and practices allowing and promoting sound and effective risk management, as well as control and security mechanisms for their IT systems”. The Circular aims to complete this general framework of internal governance in the case the entity enters into outsourcing agreements, whether they be in IT or other matters. These rules are based on European Banking Authority’s latest outsourcing guidelines (EBA/GL/2019/02 on outsourcing arrangements).
In Part I, we find outsourcing definitions and general rules.
In particular, it is essential to identify the instances of outsourcing of a "critical or important" function (a concept that replaces the former concept of "material" outsourcing), pursuant to Section 4.1.2 of the Circular.
This term is defined under point 18 "Critical or important functions".
For these functions, prior notification to the authority is required for any outsourcing (unless if, for arrangements already in place, the outsourcing has already been authorised by or notified to the CSSF).
Subcontracting of ICT functions are dealt with in Part II of the Circular.
One chapter is dedicated to outsourcing agreements for cloud computing infrastructure.
One will note that the prior notification obligation applies to “cloud computing outsourcing arrangements”.
Part III
Finally, this part deals with the transitional provisions. Thus, it is incumbent upon the entities to review and amend the existing outsourcing agreements to ensure that they comply with the new rules.
See points 145 and 146 of the Circular:
“145. In-Scope Entities shall review and amend existing outsourcing arrangements with a view to ensuring that they are compliant with this Circular.
146. In-Scope Entities shall complete the documentation of all existing outsourcing arrangements in line with this Circular following the first renewal date of each existing outsourcing arrangement, but by no later than 31 December 2022.
Where the In-Scope Entities assess that the review and amendment of outsourcing arrangements of critical or important functions existing prior to 30 June 2022 will not be finalised by 31 December 2022, they shall inform their competent authority in a timely manner of that fact, including the measures planned to complete the review or the possible exit strategy.”
