LexGo

Luxembourg financial regulator adopts new rules governing outsourcing arrangements
03/05/2022

On 22 April 2022, the Commission de Surveillance du Secteur Financier (the "CSSF") published a set of documents on outsourcing arrangements (the "OAs"), which (i) describes the rules governing the OAs, (ii) implements the EBA guidelines on OAs, (iii) integrates them into the CSSF's administrative practice and regulatory approach, and (iv) brings together the requirements for OAs relating to information and communication technologies (cloud and non-cloud, "ICT") that were previously disseminated in several circulars.

Circular CSSF 22/806 (the "Circular") has a broad scope insofar as it applies in full to (i) credit institutions, (ii) payment institutions and electronic money institutions, (iii) investment firms, and (iv) financial sector professionals ("Full-scope Entities"). It also applies to the following entities when performing ICT outsourcing: (i) investment fund managers, (ii) Part I undertakings for collective investment in transferable securities, (iii) central counterparties, (iv) approved publication arrangements and authorised reporting mechanisms, (v) market operators operating a trading venue, (vi) central securities depositories and (vii) administrators of critical benchmarks (the "Limited Scope Entities" and, together with the Full-scope Entities, the "Entities"). When applying the provisions of the Circular, the Entities shall have regard to the principle of proportionality. Implementing measures are therefore proportionate to the size and internal organisation of each Entity and to the nature, scale and complexity of its activities or services.

To prevent risks arising from outsourcing (including intra-group outsourcing), Entities shall conduct appropriate monitoring and auditing of the OAs, particularly in case of outsourcing of internal control functions and financial and accounting functions.

Entities that intend to outsource or amend an outsourcing arrangement regarding a critical or important function (including ICT outsourcing and business process outsourcing) notify the competent authority of their plans in advance. In this respect, details are provided in the FAQ of the CSSF, which, i.a., state that Entities do not have to wait for the approval/non-objection of the competent authority to implement the planned outsourcing arrangements at the end of the notice period.

The Circular describes the outsourcing process and the requirements imposed upon the Entities, such as (i) a pre-outsourcing analysis including a risk assessment and a due diligence on the Service Provider, (ii) the written content of the outsourcing agreement and of the sub-outsourcing arrangement, (iii) the control on confidentiality and integrity of data and systems (ICT) throughout the outsourcing chain, (iv) the access to the information relating to outsourced functions by the internal audit function, the statutory auditor and the competent authority and (v) exit plans. The Circular provides for contractual reasons for termination of the outsourcing arrangement and expressly excludes cases related to bankruptcy or any other BRRD proceedings.

More specifically, concerning requirements in the context of pure ICT outsourcing arrangements (cloud and non-cloud), the Circular repeats most of the requirements previously set out in relevant CSSF circular letters. In this context, CSSF circular letter 17/654 will be repealed as from 30 June 2022.

The Circular recalls that in all cases (including sub-outsourcing), the Entities (and their management bodies) remain fully responsible for compliance with applicable regulatory requirements.

The Circular is applicable from 30 June 2022 to all outsourcing arrangements entered into, reviewed or amended on or after this date. The points on prior notification to the competent authority are, however, of immediate application for ICT outsourcing.

Entities must (i) review and amend existing outsourcing arrangements and (ii) complete the documentation of all existing outsourcing arrangements in accordance with the Circular following the first renewal of each existing outsourcing arrangement by no later than 31 December 2022.

Should you have any questions relating to the above, please do not hesitate to contact one of the experts of our regulatory and investment funds team.

Aurélia Viémont - Partner | Avocat à la Cour

Aurélien Hollard - Partner | Avocat à la Cour

Benjamin Bada - Partner | Avocat à la Cour

Mélanie Poirrier - Managing Associate

Sarah Hantscher - Managing Associate | Avocat

Related : CMS Luxembourg

[+ http://www.cms-db.com]

