David Maria of Pinsent Masons in Luxembourg said that the circular on outsourcing arrangements (60-page / 499KB PDF) issued by the CSSF implements the European Banking Authority’s outsourcing guidelines and European Securities and Markets Authority guidelines, while also reflecting the legal and regulatory specificities of the Luxembourg financial market.
“The circular consolidates the essential rules on outsourcing arrangements in a single document,” said Maria. “It sets out the requirements in relation to outsourcing, including definitions, scope of application, general principles and applicable governance requirements. It also details specific requirements for ICT outsourcing – both in a cloud and non-cloud context. The harmonised framework is relevant to all outsourcings across business, internal control, financial and accounting functions.”
Maria said the scope of the rules set out in the circular has been extended so that the outsourcing requirements now apply to a broader set of entities supervised by the CSSF. Credit institutions, payment institutions and investment firms, including their branches, are among the firms subject to the new rules in respect of all outsourcing arrangements.
For other firms, the requirements stipulated in the circular only apply in the context of ICT outsourcing. This is the case for investment fund managers incorporated under Luxembourg law, certain undertakings for collective investment in transferable securities, and central securities depositories, for example.
Maria highlighted that the outsourcing rules also apply to other professionals of the financial sector, including their branches, and said intra-group outsourcing activity is also within the scope of the circular. He also said that the circular makes clear that entities within scope of the Luxembourg framework remain fully responsible for compliance with the regulatory requirements, even in the case of sub-outsourcing.
“A specific outsourcing process has to be set up, with an operational risk assessment on each step – at the pre-outsourcing analysis, contractual phase – including around sub-outsourcing and security of data and systems etc, and in respect of oversight of outsourced functions and exit plans,” Maria said.
According to the CSSF, firms are expected to implement measures to mitigate the risks they identify. The measures must be proportionate to the firm’s size and internal organisation as well as to the nature, scale and complexity of its activities or services, including their risks.
Written contracts are expected to be implemented for every outsourcing arrangement. The circular specifies minimum clauses that must be inserted into those contracts, including clauses that provide for audit and data access rights.
According to Maria, as with the EBA guidelines, the Luxembourg circular draws a distinction between outsourcings that are ‘critical or important’ and those that are not in terms of the requirements that must be met. Stricter requirements apply where the functions being outsourced are critical or important, as defined by the EU’s MiFID regime of regulation. In-scope entities must maintain a register of all outsourcing arrangements they enter into.
Maria said: “Where in-scope entities intend to enter into new critical or important outsourcing arrangements, make material changes to existing critical or important outsourcing arrangements, or where changes to an outsourcing arrangement would lead to an outsourced function becoming critical or important, the entities have to notify the CSSF in advance.”
“Prior notification must happen at least three months before the planned outsourcing, though a one-month notice period applies to other professionals of the financial sector, and material changes and/or severe events regarding the outsourcing that could have a material impact on the continuing provision of the business activities must be notified without delay,” he said.
The CSSF has developed template forms to support prior notification. Specific templates for business process outsourcing and ICT outsourcing apply, though Maria said the existing templates are likely to be updated by the regulator in due course.
Maria said: “We expect, based on guidance it has issued (12-page / 178KB PDF), the CSSF to take a risk-based approach to assessing planned outsourcings. In the event of non-compliance with the circular, the CSSF may formulate additional requirements, such as limiting or restricting the scope of the outsourced functions or requiring exit from one or more outsourcing arrangements. Even after implementation of the outsourcing arrangements, the CSSF could still address comments to the relevant entity.”
Maria said the rules specific to ICT outsourcing differentiate between outsourcing relying on a cloud computing infrastructure and other types of ICT outsourcing. Where firms are intent on outsourcing to the cloud, they must appoint a cloud officer. That officer is responsible for the use of cloud services and for guaranteeing the competences of the staff managing cloud computing resources.