10/02/20

CSSF Updates on IT Outsourcing by Supervised Institutions

New and Modified CSSF Templates for Authorisation Requests and Notifications

As regards IT outsourcing of material activities by credit institutions, investment firms and professionals performing lending operations under Circular CSSF 12/552 (as amended) and IT outsourcing by electronic money institutions, payment institutions and professionals of the financial sector ("PFS") other than investment firms, under Circular CSSF 17/656, the CSSF has published on 16 December 2019 a new form for authorisation requests.

As regards cloud computing outsourcing by support PFS, the CSSF published an update to the Form A, for the prior notification to be transmitted to the competent authority where a cloud computing infrastructure will be used for a material activity.

The CSSF announced these updates through a communiqué on its website.

FAQ on the assessment of IT outsourcing materiality

As regards the assessment of IT outsourcing materiality by credit institutions, investment firms, professionals performing lending operations, electronic money institutions, payment institutions and PFS other than investment firms, investment fund managers and entities carrying out the activity of registrar agent, the CSSF updated the related FAQ on 4 December 2019. The updated FAQ can be found here.

Firstly, the CSSF clarified that IT outsourcing means “An arrangement of any form between the institution and a service provider (including of the same group) by which that service provider performs an IT process, an IT service or an IT activity that would otherwise be undertaken by the institution itself.”

Secondly, the CSSF noted that there are two different ways to assess the materiality of IT outsourcing. You can look at it from a technical point of view which states that if a deficiency in outsourced IT operational functions, activities or services may disrupt the ability of the supervised entity to operate its material activities in a controlled manner; or you can look at it from a business point of view, which suggests that if the outsourced IT operational functions, activities or services support a material activity and in case of failure, there is a major impact on the business activity.

dotted_texture