IT Outsourcing Relying on Cloud Computing - CSSF Circular 17/654

On May 17th 2017, the Commission de Surveillance du Secteur Financier (“CSSF”) published four new circulars including Circular 17/654 (“Cloud Circular”) concerning IT outsourcing, which modify the existing regulatory framework, and relate to cloud computing infrastructure. The purpose of the Cloud Circular is to clarify the regulatory framework governing IT outsourcing relying on a cloud computing infrastructure provided by an external provider.

The Cloud Circular applies to all credit institutions and professionals of the Financial Sector (“PFS”) within the meaning of the Law of 5 April 1993 on the financial sector as well as to all payment institutions and electronic money institutions within the meaning of the Law of 10 November 2009 on payment services, and contributes to the sound and prudent management and the proper organisation of such entities.

Before the publication of the Cloud Circular, no dedicated regulatory requirements for IT outsourcing were applicable for cloud technology. It was established that cloud solutions were generally not allowed, due to potential risks regarding data protection, in particular clients’ data protection and internal controls’ transparency.

The Cloud Circular introduces a specific definition of “cloud computing” by establishing the following seven criteria:

  • on-demand self-service;
  • broad network access;
  • resources pooling;
  • rapid elasticity;
  • measured service;
  • apart from exceptional situations, the provider does not access the data and systems of the consumer (“ISCR”) without its prior consent and without monitoring mechanism available to the ISCR;
  • no manual interaction of the provider as regards the day-to-day management of resources.

Previously, two circulars were coexisting for IT outsourcing: (i) CSSF Circular 12/552 (sub-chap. 7.4), applicable for credit institutions and investment firms (“IF”) and (ii) CSSF Circular 05/178 applicable for payment institutions, e-money institutions and PFS other than IF, now abolished and replaced by Circular 17/654.

Since the publication of the Cloud Circular, if an IT outsourcing meets the seven criteria of the Cloud Circular, the Cloud Circular applies directly. If not, the CSSF Circulars 12/552 and 17/656 (ex 05/178) remain applicable respectively to the types of entities concerned.

The Cloud Circular also classifies four groups of cloud (private, community, public and hybrid cloud) and describes the different players’ roles in a cloud computing infrastructure based outsourcing model.

The Cloud Circular foresees governance requirements (no discharge of liability at the level of the ISCR), reaffirms existing requirements on outsourcing in the context of cloud computing (i.e., compliance with the ISCR’s formal outsourcing policy, clear documentation on respective roles and responsibilities, etc.), notification to or authorisation by the CSSF, risk management, continuity measures and the contractual clauses to be found in the contractual relationship with the Cloud computing service provider.

Finally, the Cloud Circular allows direct and indirect outsourcing by a provider (in Luxembourg or abroad):

  • direct outsourcing: the ISCR needs to appoint a cloud officer who will be responsible for the cloud computing services’ use and guarantees the competences of employees involved;
  • indirect outsourcing: the ISCR may use a support PFS or a non-regulated entity that may be located abroad (group or not) or in Luxembourg (group or not). In such a case, the support PFS or non-regulated entity appoint the cloud officer.

As a conclusion, the Cloud Circular today allows outsourcing abroad and outside a group, taking into account the Cloud Circular requirements.