CSSF Circular 18/698: impact on IT organisation and (cloud-based) outsourcing for investment fund managers

IT is key. This is not the slogan of an IT service provider but one of the lessons to be drawn from the CSSF Circular 18/698. Investment fund managers subject to this circular have strengthened obligations regarding their IT infrastructures, outsourcing, internal governance and data protection. One of the highlights in this context is the applicability of the so-called CSSF Cloud Circular 17/654 to investment fund managers, entailing an important compliance burden when relying on outsourced services that are based on a cloud infrastructure.

General IT principles

General IT principles applicable to investment fund managers (“IFM”) have been slightly modified. In line with the previous and now repealed Circular 12/546, the IFM shall have on its premises a technical and IT infrastructure suited to the activities it intends to perform. This infrastructure shall make it possible to safeguard the security, integrity and confidentiality of the IFM’s data. The recommended way to meet this requirement is for the IFM to have its own IT infrastructure supported by its own IT department. The principle is thus that the IFM has, on its premises in Luxembourg, its own computers as well as relevant and duly documented computer programs. Furthermore, in order to ensure the continuity of its activities despite an unavailability of its IT system, the IFM shall implement a back-up solution in line with its business continuity plan.

One of the new obligations introduced by Circular 18/698 is that the IFM shall implement procedures to identify and manage IT risks linked to, inter alia, breaches of data confidentiality, integrity and accessibility, business continuity and the resilience capacity of the IT system, IT outsourcing (as the case may be), IT fraud and cyberattacks. In addition, the CSSF recalled that the IFM shall also comply with Circular 11/504 regarding frauds and incidents due to external computer attacks, which lays down the reporting obligations in the event such an attack occurs.

IT Outsourcing

Despite the above-mentioned principles, the IFM may, under its own responsibility, have recourse to providers offering advice, programming, maintenance or management of IT systems. Providers shall be subject to initial due diligence and ongoing monitoring. Within the context of performing due diligence, the IFM shall inter alia verify the quality of the provider’s IT systems and the measures implemented by the provider to ensure the protection of personal data, notably when the provider is located outside Luxembourg. Once the provider is selected, the IFM shall notify its choice to the CSSF and enter into a services agreement with the provider.

The IFM may also rely on the IT infrastructure of a parent company or a subsidiary thereof provided that this entity is qualified and able to provide the relevant service. In such a case, the IFM may also rely on the back-up solution of this entity to the extent that the segregation of the IFM’s data is ensured.

Cloud computing

One of the most important changes for IFMs is the applicability of Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure (“Cloud Circular”). This Circular was until now exclusively applicable to credit institutions, PFS, payment institutions and electronic money institutions. Since its entry into application in May 2017, the entities governed by this Circular have been facing difficulties with its complexity.

The CSSF declared this complex “Cloud Circular” applicable with immediate effect to IFMs having recourse to IT outsourcing based on a cloud computing infrastructure. In paragraph 143 of its Circular 18/698, the CSSF only mentions the obligation for IFMs to designate among their employees a person, the “cloud officer”, who shall be responsible for the use of cloud services and shall ensure the competence of the staff managing cloud computing resources. This designation is however only one of the numerous obligations laid down in the Cloud Circular.

In order to determine whether an IFM is subject to the Cloud Circular, it shall be verified whether the service offered fulfils the traditional definition of 'cloud computing' set out by international organisations (i.e. on demand self-service and broad network access, resource pooling, rapid elasticity and measured services) and meets the following two specific requirements: (i) access to the IFM’s data by the provider’s employees shall be exceptional and exclusively occur in the events specified by the circular; and (ii) the cloud services shall not involve the manual interaction of the provider in the daily management of the cloud resources used by the IFM. In the event these conditions are met, the requirements laid down in the Cloud Circular apply to the whole IT outsourcing chain even if only one or part of the IT outsourcing services meets the above-mentioned definition of cloud computing.

Once the IFM has confirmed that it is subject to the Cloud Circular, several obligations apply to it. These obligations relate notably to resource operation, governance, client notification, management of outsourcing risks, business continuity, systems security and the right of audit. The IFM shall furthermore ensure that its services agreement with a cloud provider complies with the various contractual clauses imposed by the Cloud Circular.

Moreover, the IFM shall obtain the CSSF’s prior authorisation where the activities supported by the cloud infrastructure are material. A notification is nevertheless sufficient where the IFM is signatory to the cloud services agreement and the provider is an IT support PFS authorised under Articles 29-3 or 29-4 of the Law of 5 April 1993 on the financial sector, as amended (“LFS”), or where the activities supported by the cloud infrastructure are not material.

IT Governance

CSSF Circular 18/698 also highlights the fact that IT governance principles shall be embedded in the core functioning of the IFM. In this respect, the CSSF specified that whilst the IFM implements its internal governance in compliance with the “three lines of defence model”, the IT function shall be part of the second line of defence.

As such, it shall be appropriately supervised. To ensure such supervision, the IT function is one of the specific areas of responsibility that shall be assigned to a conducting officer. Furthermore, internal audit shall inter alia review and assess whether the IT function is adequate and running efficiently. Such assessment of the IT function shall be part of the synthesis report of the IFM’s internal audit over a multi-year period.

Personal data

Within the context of the entry into application of the General Data Protection Regulation n°2016/679 (“GDPR”) last May, the CSSF is now adapting its framework. In its Circular 18/698, the CSSF outlined that IFMs must ensure that the protection of personal data is guaranteed at all times. This short sentence gives interesting guidance on the legal qualification of the IFM from a data protection perspective.

There are indeed debates in practice on the question whether the IFM acts as joint data controller with the fund, as a separate data controller or as a data processor. The qualification depends on the concrete framework implemented and shall be assessed on a case-by-case basis. Nevertheless, the statement in Circular 18/698 may be interpreted as an argument in favour of IFMs qualifying as (joint) controllers with the fund, since the obligation to ensure, at all times, the protection of personal data primarily targets data controllers. A data processor must also ensure the protection of personal data, but it does so within the limits of the instructions given by the data controller. The CSSF statement in this circular therefore seems to plead in favour of qualifying the IFM as a (joint) data controller.

IT and data protection were not necessarily the first points of attention of IFMs when assessing the impact of CSSF Circular 18/698 on their activities. These aspects shall nevertheless not be set aside, as they are key from a regulatory perspective and, more generally, from an operational and reputational point of view. This may be particularly burdensome because, contrary to entities subject to the LFS, such as credit institutions, which have always been subject to very strict IT outsourcing and banking secrecy rules, IFMs had more latitude in the organisation of their IT and in their recourse to cloud-based solutions. The application of Circular 18/698 in this respect therefore represents a drastic change and will require a significant compliance effort from investment fund managers.