Revamped CSSF outsourcing guidance for Luxembourg financial sector
Vincent Wellens, Josée Weydert, Luc Courtois, Sigrid Heirbrant
NautaDutilh | Banking & Financial Services - Luxembourg
10 May 2022

Introduction

On 22 April 2022, the Luxembourg financial regulator (the CSSF) released Circular 22/806 on outsourcing arrangements (the Circular). Through the Circular, the CSSF adopted and integrated the revised European Banking Authority Guidelines on outsourcing arrangements (EBA/GL/2019) (the EBA Guidelines) and the European Securities and Markets Authority Guidelines on outsourcing to cloud service providers (the ESMA Guidelines), which concern fund management. In addition to incorporating the EBA and ESMA Guidelines into the Luxembourg regulatory framework, the CSSF complements the EBA Guidelines with detailed requirements applicable in Luxembourg and extends their scope of application to a wider range of financial institutions.

Further, Part II of the Circular sets out additional requirements for outsourcing of information and communications technology (ICT), with a specific chapter devoted to cloud-based arrangements. The gold-plating language in the Circular is indicated in italics and bold, thereby calling attention to the Luxembourg-specific requirements.

This article sheds light on the main changes that this development brings for Luxembourg-supervised entities.

Scope of application

While the EBA Guidelines were intended to apply only to credit, payment and electronic money institutions, the CSSF chose to extend their scope of application to other categories of supervised entities.
The Circular thus applies in full to:
- credit institutions and their branches;
- investment firms and their branches;
- payment institutions and electronic money institutions and their branches;
- other professionals of the financial sector (PFS) and their branches, even when they do not fall within the scope of the EBA Guidelines; and
- Post Luxembourg, the government-owned mail and communications company.

Credit institutions and investment firms that are parent undertakings must ensure that the internal governance arrangements, processes and mechanisms of their subsidiaries are consistent, well integrated and appropriate for effective application of the Circular.

The Circular also applies to the following entities, but only in the context of ICT outsourcing:
- investment fund managers (IFMs);
- undertakings for collective investment in transferable securities subject to Part I of the Undertakings for Collective Investment in Transferable Securities Act;
- central counterparties within the meaning of article 2(1) of the European Market Infrastructure Regulation;
- approved public arrangements with a derogation and authorised reporting mechanisms with a derogation within the meaning of the Financial Sector Act (LFS);
- market operators running a trading venue within the meaning of the LFS;
- central securities depositories; and
- administrators of critical benchmarks within the meaning of article 3(1)(25) of the Benchmark Regulation.

The CSSF aims to achieve consistent regulation of ICT outsourcing arrangements for all supervised entities, through the application of both the EBA and ESMA Guidelines and the key points of existing Luxembourg-specific regulations.

The Circular will also apply to Luxembourg-based EEA branches of legal entities with their head office in a different EU member state if the branch outsources functions that fall within the scope of CSSF supervision.

With regard to internal governance arrangements, the Circular should be read in conjunction with the applicable statutory
provisions, as well as the CSSF circulars on central administration, internal governance and risk management (Circulars 12/552 and 20/758, as amended).

Consolidated guidance

The Circular consolidates the supervisory requirements for IT outsourcing, including cloud outsourcing, in a single document.

Previously, ICT and cloud outsourcing guidelines were contained in multiple CSSF circulars, including:
- Circular 17/655, updating the outsourcing provisions of Circular 12/552 and applicable to credit institutions and investment firms;
- Circular 17/656, as amended, applicable to PFS, payment institutions and e-money institutions;
- Circular 17/654 on cloud outsourcing, as amended; and
- Circular 21/785, which, among other things, replaced the authorisation obligation for material IT outsourcing with a notification obligation.

In order to align the applicable regulatory texts, the CSSF will amend, as of 30 June 2022, the relevant circulars on internal governance, including but not limited to Circulars 12/552 and 20/758, as amended. In addition, the CSSF has announced that it plans to amend other circulars applicable to the funds sector, such as Circulars 16/644 (as amended), 18/697 and 18/698.
Furthermore, the CSSF will repeal a number of circulars as of 30 June 2022, including:
- Circular 13/554 on evolution of the usage and control of the tools for managing information technology resources and management of access to these resources on a group level (which required Luxembourg supervised entities to have full control over their technology resources even when these are organised at group level);
- Circular 17/654, as amended;
- Circular 17/656 on administrative and accounting organisation and IT outsourcing, as amended;
- Circular 21/777 on implementation of the ESMA Guidelines; and
- Circular 21/785 on replacement of the prior authorisation obligation.

Certain questions regarding the interaction between the Circular and Circular 18/698 (applicable to IFMs) and the prior notification process are addressed in a CSSF FAQ document.

Effective date and transition period

The Circular applies as from 30 June 2022 to all outsourcing arrangements entered into, reviewed or amended on or after that date. Existing outsourcing agreements will be deemed to have been reviewed or amended, for example, when a financial institution implements new standard contractual clauses in its outsourcing agreements with a view to ensuring GDPR compliance of international personal data transfers.

In addition, existing outsourcing arrangements must be reviewed in order to ensure compliance with the Circular. It is recommended to define a review schedule for all existing outsourcing arrangements. While no specific timeline is indicated, it is advisable to review critical or important outsourcing arrangements by 31 December 2022, having regard to the principle of proportionality.
Where this is not possible, the CSSF must be informed accordingly.

With regard to existing outsourcing arrangements, financial institutions must complete the applicable documentation in line with the Circular at the first renewal date of the arrangement and in any case no later than 31 December 2022.

According to Circular 22/805, the notification obligation set out in the Circular will apply with immediate effect for ICT outsourcing only.

Outsourcing – Luxembourg-specific requirements

All outsourcing arrangements will have to comply with the general requirements laid down in Part I of the Circular, while ICT outsourcing arrangements will also have to meet the specific requirements laid down in Part II.

General outsourcing requirements (Part I of the Circular)

The requirements applicable to any outsourcing arrangement include general rules and requirements intended to ensure sound governance of the arrangement and relate in particular to:
- the assessment of outsourcing arrangements and critical and important functions;
- sound governance arrangements;
- the need for an outsourcing policy and business continuity plan;
- the internal audit function;
- documentation and notification requirements, such as maintaining an updated register of information on all outsourcing arrangements;
- pre-outsourcing analyses;
- contractual requirements;
- oversight; and
- exit plans.

In many respects, these obligations are identical or similar to the requirements of the EBA Guidelines.

For IFMs, the relevant provisions on outsourcing of Circular 18/698 will not apply in the case of ICT outsourcing arrangements.
Part I of the Circular will apply to IFMs only in relation to certain ICT outsourcing arrangements, provided the requirements are relevant for the IFM.

In Luxembourg, additional requirements will now apply to intra-group outsourcing, and restrictions will apply to the outsourcing of internal audit or internal control functions, as well as financial and accounting functions, for which only operational tasks may be outsourced.

Furthermore, the CSSF now requires all entities covered by the Circular to appoint, for each outsourced activity, an employee responsible for managing the outsourcing relationship and access to confidential data. This requirement stems from Circular 12/552 on central administration, internal governance and risk management, as amended, and was previously only applicable to credit institutions and investment firms, the latter pursuant to Circular 20/758.

For the outsourcing of critical or important functions, the register must include the date of prior notification to the competent authority. The outsourcing of critical or important functions is indeed subject to prior notification to the CSSF. For material ICT outsourcing arrangements, such an obligation was introduced by Circular 21/785. For other types of outsourcing arrangements, this obligation will enter into effect on 30 June 2022. The notification must be submitted at least three months prior to effective implementation of the planned outsourcing, except when relying on a Luxembourg support PFS, in which case this period is reduced to one month. Services subject to an authorisation requirement pursuant to articles 29-1 to 29-6 of the LFS may only be outsourced if certain conditions are met.

In addition to the EBA Guidelines, the CSSF imposes various contractual requirements for all types of outsourcing arrangements and entities that fall within the scope of the Circular.
These requirements are generally applicable, meaning they do not apply only to the outsourcing of critical or important functions or to cloud outsourcing arrangements, with a few exceptions. For example:
- guaranteed access, information and audit rights must be ensured not only for the supervised entity's internal audit function but also for its statutory auditor and the CSSF itself, including the power to perform on-site inspections at the service provider; in practice, such requirements may be difficult to negotiate with certain ICT or cloud service providers;
- the outsourcing agreement must not include a termination clause in the event of bankruptcy, controlled management, a suspension of payments, or a composition or arrangement with creditors aimed at preventing bankruptcy or similar proceedings; and
- the confidentiality and integrity of data and systems must be controlled throughout the outsourcing chain; data and systems should only be accessible on a "need to know" and "least privilege" basis, and professional secrecy rules and conditions must be complied with which, for LFS-regulated entities and payment or electronic money institutions, may require client consent.

For the outsourcing of critical or important functions, certain requirements are stricter and more detailed, in particular when it comes to audit rights and sub-outsourcing.

According to the Circular, the outsourcing agreement must include a commitment by the service provider to erase the supervised entity's data and information within a reasonable period upon termination of the agreement and transfer of the outsourced function to another service provider.
In Luxembourg, such a requirement previously existed only for cloud outsourcing arrangements.

This requirement may have an impact on market practice, as contracts sometimes require the service provider to make information and data available to the financial institution for a certain period of time following termination of the agreement.

Additional requirements for ICT outsourcing (Part II of the Circular)

Part II of the Circular includes additional general guidance for ICT outsourcing arrangements as well as specific guidance exclusively for:
- non-cloud ICT outsourcing; and
- cloud outsourcing.

The requirements set out in Part II apply only to pure ICT outsourcing arrangements. Thus, they do not apply, for instance, to business outsourcing based on an ICT outsourcing arrangement (eg, HR services that rely on Salesforce software-as-a-service solutions). This approach differs from the ESMA Guidelines and the European Insurance and Occupational Pensions Authority Guidelines in the insurance sector, endorsed by the Commissariat aux Assurances (CAA) by means of CAA Circular 21/15 published on 5 August 2021, which apply to operational functions outsourced "to service providers that are not cloud service providers but that rely significantly on cloud infrastructure to deliver their services".

ICT outsourcing means an arrangement of any kind between a supervised entity and a service provider "by which that service provider performs an ICT process, an ICT service or an ICT activity that would otherwise be undertaken" by the supervised entity itself.
The relevant issue in this regard is to establish which services the entity typically carries out, as it is understood that the CSSF has consistently interpreted the term "outsourcing arrangements" broadly to include software development, which in some countries is not usually considered an "outsourced" activity.

Specifically, for ICT outsourcing that is not – and is unlikely to become – critical or important, the Circular allows supervised entities to justify the non-application of certain requirements applicable to all outsourcing arrangements, in particular those relating to:
- business continuity in the event of resolution or reorganisation or another procedure; and
- a transfer of services whereby the continuity of the provision of services is threatened.

Non-cloud-based ICT outsourcing

Supervised entities may outsource:
- ICT system management or operations:
  - in Luxembourg, solely to credit institutions or PFS holding an authorisation in accordance with article 29-3 of the LFS or a group entity that deals exclusively with group transactions in accordance with article 1-1 (2)(c) of the LFS; and
  - abroad, to any ICT service provider, including a group entity; and
- ICT services other than ICT management or operations (ie, consulting, development, maintenance and hosting services) to any ICT service provider, including a group entity.

Outsourcing arrangements must ensure that access to data and systems is in accordance with the principles of "need to know" and "least privilege".
If the service provider is not allowed to access data due to professional secrecy, it will not be granted access to readable confidential data unless it is monitored, throughout the performance of its tasks, by a person from the supervised entity in charge of ICT.

Specific guidance is foreseen for support PFS and their branches that wish to sub-outsource in whole or in part ICT operations services provided to clients or the management or operations services of their own ICT systems.

Cloud outsourcing

The main change with respect to cloud outsourcing arrangements is that they will be subject to all general outsourcing requirements (laid down in Part I of the Circular). The basic requirements for cloud-based ICT outsourcing are the same as for other types of outsourcing arrangements. Chapter 2 of Part II of the Circular includes additional requirements applicable only to cloud outsourcing arrangements.

These requirements stem mostly from the old cloud circular. The definition of "cloud computing" remains the same and is still based on the following five essential characteristics, being the National Institute of Standards and Technology criteria of:
- "on-demand self-service";
- "broad network access";
- "resource pooling";
- "rapid elasticity"; and
- "measured service".

These are in addition to two further specific criteria – namely:
- "no unmonitored/uncontrolled access to data by the cloud computing service provider"; and
- "no manual interaction by the cloud computing service provider".

Compared to the old cloud circular, supervised entities have fewer possibilities to set aside certain requirements in the context of the outsourcing of non-critical or non-important functions.
They can, for example, no longer justify non-application of the requirements relating to monitoring and audit rights.

Under certain conditions, support PFS and their branches authorised under article 29-3 LFS may partially outsource resource operator services.

The resource operator (which can be the supervised entity) must still designate one of its employees as a "cloud officer", whose name will be provided to the supervised entity. The latter must be informed of any changes to the application functionality – other than those relating to corrective maintenance – prior to the implementation thereof and must always know where its data and systems are located, be they production environments, replicas or backups.

The old cloud circular was most recently amended by Circular 21/785, which gave more flexibility to group entities with respect to choosing law and resiliency of services within the European Economic Area. These provisions have been incorporated into the Circular.

Enforcement and sanctions

The Circular does not contain specific enforcement and sanctions rules for violation of its obligations. Although CSSF circulars are strictly speaking soft law, they are used by the CSSF to inform supervised entities of its interpretation of the applicable laws and may therefore be used to assess non-compliance by supervised entities.

Supervised entities that are found to have violated the law may be subject to:
- a warning;
- a reprimand;
- a fine of up to €250,000;
- a temporary or definitive ban on the conduct of certain activities; or
- other restrictions.

Comment

As of 30 June 2022, financial sector entities will be obliged to notify the CSSF of all outsourcing arrangements that are deemed critical or important prior to the implementation thereof and to comply with other regulatory requirements.
They will also have to review and amend their existing outsourcing arrangements, including any agreements they currently have in place, with a view to ensuring compliance with the Circular.

For LFS-regulated entities and payment and e-money institutions, the Circular will not substantially change existing outsourcing compliance requirements. However, for other entities, including in particular those active in fund management, more significant compliance efforts will probably be required, as, in general, their outsourcing arrangements were not previously subject to such strict rules and regulations.

For further information on this topic please contact Vincent Wellens, Josée Weydert, Luc Courtois or Sigrid Heirbrant at NautaDutilh Avocats Luxembourg by telephone (+352 26 12 29 1) or email ([email protected], [email protected], [email protected] or [email protected]). The NautaDutilh Avocats Luxembourg website can be accessed at www.nautadutilh.com.

Carmen Schellekens, senior associate, assisted in the preparation of this article.