Last year, investment fund managers (IFMs) were caught by surprise by the immediate application of Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure (the Cloud Circular), but every cloud has a silver lining. Circular 19/714, which amends the Cloud Circular, significantly reduces and clarifies the obligations of IFMs.
This eAlert aims at providing a reminder to IFMs of the rules applicable to them in relation to their cloud computing solutions exactly 6 months before the end of the grace period to establish their cloud outsourcing register (due by 27 March 2019).
On 27 March 2017, the CSSF issued Circular 19/714 amending the Cloud Circular. The aim of this amendment was to reflect the CSSF’s experience with the practical application of the Cloud Circular and to take into account the European Banking Authority guidelines on outsourcing arrangements.
The Cloud Circular already provided for certain requirements that entities in scope must comply with for cloud outsourcings (i.e. outsourcing agreements, resource operation, governance, notification and consent of clients, management of outsourcing risks, business continuity, systems security and right of audit). Circular 19/714 now lightens certain requirements of the Cloud Circular and clarifies its scope.
What is a “real” cloud service?
As a reminder, the Cloud Circular only applies if the seven essential criteria set out in the Cloud Circular are fulfilled:
- On-demand self-service: The cloud client can unilaterally provision computing capabilities automatically without requiring human interaction with the cloud computing service provider (CSP).
- Broad network access: Capabilities are available over the network and accessed through standard mechanisms (e.g. browsers or specific applications).
- Resource pooling: The CSP’s computing resources are pooled to serve multiple clients using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to the client’s demand.
- Rapid elasticity: Capabilities can be elastically provisioned and released.
- Measured service: Cloud systems automatically control and optimise resource use and resource usage can be monitored, controlled and reported, providing transparency for both the provider and the client of the utilised service.
- No access by the CSP’s staff to the client’s data and systems: No access to the client’s data and systems without the prior and explicit consent of the client and without a monitoring mechanism to control access being available to the client. Such access must remain the exception.
- No manual interaction by the CSP regarding the daily management of the cloud computing resources used by the client: The resource operator (i.e. either the client itself or a third party other than the cloud computing service provider, that uses the client’s interface to manage the cloud computing resources) must manage the IT environment on the cloud computing infrastructure alone. The CSP may manually intervene in the global management of the IT systems supporting the cloud solution and in the context of a specific request from the client.
If all seven criteria are fulfilled, the Cloud Circular applies. If one criterion is not met, then only Circular 18/698 (the Substance Circular) applies instead.
The above criteria have not been amended by CSSF Circular 19/714.
Changes introduced by Circular 19/714
Inclusion of IFMs in the scope of the Cloud Circular
The Cloud Circular applies to credit institutions, professionals of the financial sector, payment institutions, and electronic money institutions and, since August 2018, to IFMs. Initially, the Cloud Circular did not apply to IFMs when it entered into force in May 2017. It is actually the Substance Circular that extended the scope of the Cloud Circular to IFMs. The Substance Circular simply states that the Cloud Circular applies to IFMs with immediate effect. It outlines one of the requirements of the Cloud Circular, i.e. to appoint a cloud officer in charge of the use of cloud services but fails to specify that many other obligations derive from the Cloud Circular. It is therefore helpful that CSSF Circular 19/714 amends the scope of the Cloud Circular to expressly include IFMs and specifies which requirements apply to them.
Optional requirements for non-material outsourcing
The amended Cloud Circular provides for the possibility of not applying certain of its obligations in the case of an outsourcing of non-material activities. The Cloud Circular defines a “material activity” as any activity that, when not carried out in accordance with the rules, reduces the institution’s ability to meet the regulatory requirements or to continue its operations, as well as any activity necessary for sound and prudent risk management. IFMs will have to assess for themselves whether a given activity is material or not and, if not, decide whether they will apply some or all of the optional requirements to such activity, taking into consideration the nature, scale, complexity and risks of the outsourced activity. These optional requirements include the notification of changes of functionality by the CSP or the resource operator; maintaining continuity in case of resolution, reorganisation, bankruptcy or similar procedure; ensuring transfer of services in case the continuity is threatened; and monitoring of activities, contract under EU law, resiliency of the services in the EU and certain rights of audit. At the same time as CSSF Circular 19/714, the CSSF released a new FAQ on assessing IT outsourcing materiality, which notably explains that IFMs should assess the critical impact of the outsourced activities from a technical and a business point of view. An IT outsourcing will be material if a deficiency of the outsourced activities has a major impact on the security and continuity of the IT infrastructure (technical aspect) and disrupts the business activity (business aspect).
New regime of authorisation and notification for material outsourcing
Before the Cloud Circular was amended on 27 March 2019, material outsourcing had to be authorised by the CSSF while non-material outsourcing had to be notified to the CSSF.
Under the amended Cloud Circular, the obligation to request a prior authorisation from the CSSF in case of material outsourcing (except if the CSP is a Luxembourg support professional of the financial sector (Support PFS), in which case a notification to the CSSF is sufficient) remains unchanged. However, the general obligation to notify non-material outsourcing has been removed. The CSSF has released updated notification and authorisation forms in that context. These new rules, which became applicable with immediate effect, only affect outsourcings occurring after 27 March 2019. This means that any material outsourcing in place before 27 March 2019 does not need to be notified or authorised, as the case may be. However, there is an unfortunate overlap between these rules and point 138 of the Substance Circular, which requires IFMs to notify the CSSF of any recourse to a third party specialised inter alia in the maintenance or management of IT systems. This may encompass cloud outsourcing and, if so, will subject non-material outsourcing to CSSF notification anyway. In addition, the Substance Circular imposes additional requirements on IFMs using an external provider for cloud computing infrastructure in terms of initial and ongoing due diligence. These requirements are extensively described in Sub-chapter 6.2 of the Substance Circular.
New register of cloud computing
IFMs will have to maintain a cloud computing register in the form published by the CSSF on its website (the Cloud Register) for any type of outsourcing, whether material or not. The Cloud Register contains inter alia information on the activities outsourced, the delegate and, in respect of non-material outsourcing, the risk analysis that led the IFM to apply, or not, certain requirements. In respect of the risk analysis, IFMs may for instance consider the risks listed in point 137 of the Substance Circular. This time, IFMs benefit from a longer transitional period than other supervised entities to set up the Cloud Register and have until 27 March 2020 to comply with this obligation.