New CSSF outsourcing arrangement rules

On 22 April 2022, the CSSF published Circular CSSF 22/806 on Outsourcing arrangements. It concerns banks, FSPs as well as various other financial sector entities (“In-Scope Entities”).

The complete Circular text (which is available only in English) at the following link: https://www.cssf.lu/wp-content/uploads/cssf22_806eng.pdf.

These entities are required “to adopt robust internal governance arrangements, which shall include a clear organisational structure, adequate internal control mechanisms, including sound administrative and accounting procedures and practices allowing and promoting sound and effective risk management, as well as control and security mechanisms for their IT systems”. The Circular aims to complete this general framework of internal governance in the case the entity enters into outsourcing agreements, whether they be in IT or other matters. These rules are based on European Banking Authority’s latest outsourcing guidelines (EBA/GL/2019/02 on outsourcing arrangements).

In Part I, we find outsourcing definitions and general rules.

In particular, it is essential to identify the instances of outsourcing of a "critical or important" function (a concept that replaces the former concept of "material" outsourcing), pursuant to Section 4.1.2 of the Circular.

This term is defined under point 18 "Critical or important functions".

For these functions, prior notification to the authority is required for any outsourcing  (unless if, for arrangements already in place, the outsourcing has already been authorised by or notified to the CSSF).

Subcontracting of ICT functions are dealt with in Part II of the Circular.

One chapter is dedicated to outsourcing agreements for cloud computing infrastructure.

One will note that the prior notification obligation applies to “cloud computing outsourcing arrangements”.

Part III

Finally, this part deals with the transitional provisions. Thus, it is incumbent upon the entities to review and amend the existing outsourcing agreements to ensure that they comply with the new rules.

See points 145 and 146 of the Circular:

“145. In-Scope Entities shall review and amend existing outsourcing arrangements with a view to ensuring that they are compliant with this Circular.

146. In-Scope Entities shall complete the documentation of all existing outsourcing arrangements in line with this Circular following the first renewal date of each existing outsourcing arrangement, but by no later than 31 December 2022.

Where the In-Scope Entities assess that the review and amendment of outsourcing arrangements of critical or important functions existing prior to 30 June 2022 will not be finalised by 31 December 2022, they shall inform their competent authority in a timely manner of that fact, including the measures planned to complete the review or the possible exit strategy.”


Related : DSM Avocats à la Cour ( Mrs. Marie-Paule Gillen )

[+ http://www.dsm.legal]

Mrs. Marie-Paule Gillen Mrs. Marie-Paule Gillen
[email protected]

All articles Banking law

Lastest articles Banking law

Report on the extent of voluntary disclosure of PAI under SFDR

On 28 July 2022, the European Supervisory Authorities (ESAs) have published, through the Joint Committee (JC), a report (t...

Report on the extent of voluntary disclosure of PAI under SFDR Read more

ESG in the banking sector - CSSF press release on the integration of sustainability consideration...

The MiFID II framework was recently amended to integrate sustainability considerations into banks’ organisational re...

ESG in the banking sector - CSSF press release on the integration of sustainability considerations under MiFID II Read more

Crowdfunding Regulation | Latest legal and regulatory developments

Since the entry into force of Regulation (EU) 2020/1503 of 7 October 2020 on European crowdfunding service providers for b...

Crowdfunding Regulation | Latest legal and regulatory developments Read more

EU MiFID II: ESMA consults on product governance guidelines

ESMA proposes changes to reflect ESG enhancements and findings of good and bad practices

EU MiFID II: ESMA consults on product governance guidelines Read more

Lastest articles by Mrs. Marie-Paule Gillen

La d├ętection des comportements criminels au sein des entreprises via les m├ęcanismes de lutte co...

Les entreprises assujetties à la loi du 12 novembre 2004 relative à la lutte contre le blanchiment et le fin...

Read more

LexGO Network