On 11 December 2012, the Luxembourg Financial Supervisory Authority (the CSSF) issued circular 12/552 on central administration, internal governance, and risk management (the Circular).
The Circular, which will enter into effect on 1 July 2013, brings together the guidelines relating to internal governance, which were disseminated in several circulars, and follows the European Banking Authority Guidelines on Internal Governance (GL 44) dated 27 September 2011 and the guidelines on the Internal Audit Function in Banks of 28 June 2012 of the Basel Committee on Banking Supervision.
Besides numerous rules relating to the internal governance of credit institutions and other financial sector entities governed by the 5 April 1993 Act on the financial sector (the Act), the Circular also provides guidelines for the outsourcing of IT services by credit institutions and other entities governed by the Act (Outsourcing Institutions).
The institution intending to outsource a material activity must obtain prior authorisation from the CSSF. Functions that are strategic or core to the credit institutions cannot be outsourced, and the Outsourcing Institutions must retain the necessary internal expertise to effectively monitor and assess the outsourced services or functions and manage the risks associated with the outsourcing.
The Outsourcing Institutions must ensure compliance with data protection rules and data confidentiality at all times unless explicit and informed consent has been obtained from the customer or owner of the data (or his or her proxy).
Furthermore, the outsourcing activity may not relieve the Outsourcing Institution from its legal and regulatory obligations or its responsibilities towards its customers, and it may not result in any delegation of the institution’s responsibility to the sub-contractor (except as regards the obligation of professional secrecy). A written contract must be entered into and must clearly specify the respective responsibilities of the parties as well as clear communication lines between the parties. The contract must also provide for an emergency plan and exit strategies.
The management of risks associated with the outsourcing should remain the responsibility of the day-to-day management of the Outsourcing Institution, and that Institution must assess whether or not the third parties concerned by the outsourcing (especially the customers) should be informed about potential risks.
Also, access to the outsourced information by the CSSF, the authorised auditor as well as of the persons ensuring the internal control functions within the Outsourcing Institution must be guaranteed so that they can assess the adequacy of the outsourcing in relation to the applicable rules. This means that they may verify the relevant data held by an external partner and, in some cases, they also have the power to perform on-site inspections of external partners. The monitoring requirements must be particularly reinforced when there are multiple sub-contractors.
The Circular also requires the Outsourcing Institution to carefully verify that the outsourced activity does not impact its central administration in Luxembourg and that the Outsourcing Institution does not become too dependent on the external service provider when the outsourced activity is done with a single third party for a long period of time.
The CSSF in addition requires the outsourcing relationship to be easily revocable. As regards the specific outsourcing of IT services, a continuity plan must be set up with the third party, and the Outsourcing Institution must ensure that there is no legal obstacle in accessing the systems developed by the third party.
The numerous guidelines provided by the CSSF are a useful and comprehensive tool for, inter alia¸ the outsourcing of IT activities, which should increase even more drastically in the coming years. Together with the bill on e-archiving, Luxembourg is hereby trying to position itself as a key player in the increasingly important IT sector. (NVH, JM)
The Circular can be found on http://www.cssf.lu