LexGo

New rules on material IT outsourcing in the financial sector
15/10/2021

Effective 15 October 2021, financial institutions must notify the CSSF of any planned outsourcing of material IT activities. This notification obligation replaces the prior authorisation requirement. 

On 14 October 2021, the Luxembourg financial regulatory authority, the Commission de Surveillance du Secteur Financier ("CSSF"), issued a new circular (Circular 21/785) replacing the prior authorisation obligation for material IT outsourcing with a prior notification obligation (the "Circular"). The Circular also modifies certain contractual requirements applicable to cloud outsourcing, which should allow for more flexibility within corporate groups. 

It is furthermore expected that the CSSF will issue in the near future a new, overarching circular on outsourcing to implement the 2019 EBA guidelines on outsourcing arrangements, which are applicable to all supervised entities falling within the scope of the Financial Sector Act of 5 April 1993 (FSA) and the Payment Services Act of 10 November 2009 (PSA) (the "new outsourcing circular"). The provisions of the new outsourcing circular on IT-related outsourcing will also apply to investment fund management companies. 

This newsflash briefly summarises the main changes introduced by the Circular.

Scope of the circular

The Circular is addressed to all credit institutions, financial sector professionals ("FSPs") and other FSA-regulated entities, payment institutions and e-money institutions within the meaning of the PSA, as well as investment fund managers subject to CSSF Circular 18/698. 

The new notification obligation applies to material IT outsourcing and most cloud outsourcing arrangements. The Circular modifies:

  • CSSF Circular 12/552 on central administration, internal governance and risk management, as amended, applicable to credit institutions;
  • CSSF Circular 17/656 on administrative and accounting organisation and IT outsourcing, applicable to FSPs, payment institutions and e-money institutions;
  • CSSF Circular 20/758 on central administration, internal governance and risk management, applicable to investment firms; and
  • CSSF Circular 17/654 on cloud outsourcing, as amended. 

IT outsourcing means an arrangement of any form between a supervised entity and a service provider (including an affiliate) whereby the service provider is responsible for performing an IT process, service or activity that would otherwise be performed by the supervised entity itself. The covered processes, services and activities are exclusively IT related. The Circular applies only to pure IT outsourcing, and thus not to business process outsourcing.

For other material outsourcing arrangements, the prior authorisation obligation remains applicable for the time being. In the context of cloud outsourcing, support FSPs authorised under Article 29-3 or 29-4 of the FSA are still obliged to obtain a prior authorisation in certain circumstances, but the new outsourcing circular will probably extend the notification obligation to non-IT-related material outsourcing arrangements. 

New notification obligation

Effective 15 October 2021, financial institutions need no longer obtain a prior authorisation for the outsourcing of a material IT activity. Instead, it is sufficient for the financial institution to notify the CSSF of its outsourcing project at least three months prior to the time at which it will become effective. This period is reduced to one month if the financial institution uses a support FSP within the meaning of Articles 29-3 to 29-6 of the FSA, i.e., primary IT systems operators, secondary IT systems and communications networks operators, dematerialisation service providers and conservation service providers within the meaning of the E-archiving Act of 25 July 2015. 

In the absence of a response from the CSSF by the end of the abovementioned three- or one-month period, the institution can proceed with the outsourcing arrangement. 

The notification form, available in English on the CSSF's website, must be submitted in an editable Word version as well as in PDF and covers:

  • the identification of the project and details of the supervised entity;
  • details of the IT service provider (including information on the resource operator for cloud outsourcing);
  • a description of the IT outsourcing project, including a comparison of the current IT set-up (“as is”) and the planned IT set-up (“to be”) and information on data centre providers;
  • outsourcing governance, including the name of the "cloud officer" in the case of cloud outsourcing;
  • contractual arrangements;
  • information security; and
  • business continuity. 

The CSSF has issued an FAQ (last updated in March 2021) to help assess the materiality of an IT outsourcing arrangement. It should be noted that the new outsourcing circular will replace the concept of "material activity" with that of "critical or important function" in keeping with the 2019 EBA guidelines on outsourcing arrangements.

Additional changes for cloud outsourcing 

With respect to the contractual requirements applicable to cloud outsourcing, the Circular provides more flexibility for corporate groups. Thus, if the outsourcing agreement is a group contract and group entities outside the European Union will also be able to benefit from the cloud computing services:

  • the contract may also be made subject to the law of the country of the signing (group) entity, even if this country is outside the European Union; and
  • resiliency of the cloud computing services within the European Union is no longer required, but should be considered in the institution's risk analysis.

Entry into force and transitional measures 

The Circular entered into force on 15 October 2021. Thus, financial institutions can notify any planned material IT outsourcing as from this date. 

Applications for the authorisation of the outsourcing of material IT activities submitted to the CSSF before 15 October 2021 are subject to transitional measures, set out in a separate communication. 

Financial institutions that applied for an outsourcing authorisation before 31 August 2021 inclusive will receive from the CSSF feedback on their applications in the form of a request for additional information, a notice of no objection, a conditional notice of no objection or a refusal, in accordance with the procedures and deadlines in place before 15 October 2021. 

For financial institutions that applied for an outsourcing authorisation between 1 September 2021 and 14 October 2021 inclusive, the following applies: 

  • The CSSF may respond to the application (by way of a request for additional information or a partial or complete objection to the project) no later than 15 January 2022. In its response, the CSSF will provide the financial institution concerned with details of the follow-up of the application.
  • In the absence of a response from the CSSF to the application by 15 January 2022, the financial institution may proceed with the proposed outsourcing.

Outlook 

The Circular is intended to bridge the transition period until issuance of the new outsourcing circular. It is expected that the new outsourcing circular will apply to all supervised entities under the FSA and the PSA (as well as to fund management companies) and extend the notification regime to all types of critical or important (i.e. material) outsourcing. 

A draft of the new outsourcing circular was sent to stakeholders for consultation and feedback last summer. It remains unclear, however, when the final version will be issued. In any event, it should be issued shortly, as the deadline for implementation of the 2019 EBA guidelines on outsourcing arrangements into the Luxembourg financial regulatory framework is 31 December 2021. We will be sure to keep you posted.

See also: Nautadutilh Avocats Luxembourg Sàrl (Mr. Vincent Wellens, Mrs. Josée Weydert, Ms. Carmen Schellekens, Mr. Luc Courtois)

http://www.nautadutilh.com

Mr. Vincent Wellens, Partner
Mrs. Josée Weydert, Managing Partner
Ms. Carmen Schellekens, Counsel
Mr. Luc Courtois, Partner
