Out-Law Analysis | 18 Aug 2022 | 1:11 pm | 5 min. read
Financial institutions operating in Luxembourg have been advised to review their outsourcing arrangements after the rules on outsourcing in the sector were updated by the supervisory authority, the Commission de Surveillance du Secteur Financier (CSSF).
David Maria of Pinsent Masons in Luxembourg said that the circular on outsourcing arrangements (60-page / 499KB PDF) issued by the CSSF implements the European Banking Authority’s outsourcing guidelines and European Securities and Markets Authority guidelines, while also reflecting the legal and regulatory specificities of the Luxembourg financial market.
“The circular consolidates the essential rules on outsourcing arrangements in a single document,” said Maria. “It sets out the requirements in relation to outsourcing, including definitions, scope of application, general principles and applicable governance requirements. It also details specific requirements for ICT outsourcing – both in a cloud and non-cloud context. The harmonised framework is relevant to all outsourcings across business, internal control, financial and accounting functions.”
Maria said the scope of the rules set out in the circular has been extended so that the outsourcing requirements now apply to a broader set of entities supervised by the CSSF. Credit institutions, payment institutions and investment firms, including their branches, are among the firms subject to the new rules in respect of all outsourcing arrangements.
For other firms, the requirements stipulated in the circular only apply in the context of ICT outsourcing. This is the case for investment fund managers incorporated under Luxembourg law, certain undertakings for collective investment in transferable securities, and central securities depositories, for example.
Maria highlighted that the outsourcing rules also apply to other professionals of the financial sector, including their branches, and said intra-group outsourcing activity is also within the scope of the circular. He also said that the circular makes clear that entities within scope of the Luxembourg framework remain fully responsible for compliance with the regulatory requirements, even in the case of sub-outsourcing.
“A specific outsourcing process has to be set up, with an operational risk assessment on each step – at the pre-outsourcing analysis, contractual phase – including around sub-outsourcing and security of data and systems etc., and in respect of oversight of outsourced functions and exit plans,” Maria said.
According to the CSSF, firms are expected to implement measures to mitigate the risks they identify. The measures must be proportionate to the firm’s size and its internal organisation, as well as to the nature, scale and complexity of its activities or services, including their risks.
Written contracts are expected to be in place for every outsourcing arrangement. The circular specifies minimum clauses that must be inserted into those contracts, including clauses providing for audit and data access rights.
According to Maria, as with the EBA guidelines, the Luxembourg circular draws a distinction between outsourcings that are ‘critical or important’ and those that are not in terms of the requirements that must be met. Stricter requirements apply where the functions being outsourced are critical or important, as defined under the EU’s MiFID regime. In-scope entities must maintain a register of all outsourcing arrangements they enter into.
Maria said: “Where in-scope entities intend to enter into new critical or important outsourcing arrangements, make material changes to existing critical or important outsourcing arrangements, or where changes to an outsourcing arrangement would lead to an outsourced function becoming critical or important, the entities have to notify the CSSF in advance.”
“Prior notification must happen at least three months before the planned outsourcing, though a one-month notice period applies to other professionals of the financial sector, and material changes and/or severe events regarding the outsourcing that could have a material impact on the continuing provision of the business activities must be notified without delay,” he said.
The CSSF has developed template forms to support prior notification. Specific templates for business process outsourcing and ICT outsourcing apply, though Maria said the existing templates are likely to be updated by the regulator in due course.
Maria said: “We expect, based on guidance it has issued (12-page / 178KB PDF), the CSSF to take a risk-based approach to assessing planned outsourcings. In the event of non-compliance with the circular, the CSSF may formulate additional requirements, such as limiting or restricting the scope of the outsourced functions or requiring exit from one or more outsourcing arrangements. Even after implementation of the outsourcing arrangements, the CSSF could still address comments to the relevant entity.”
Maria said the rules specific to ICT outsourcing differentiate between outsourcing relying on a cloud computing infrastructure and other types of ICT outsourcing. Where firms are intent on outsourcing to the cloud, they must appoint a cloud officer. That officer is responsible for the use of cloud services and for guaranteeing the competences of the staff managing cloud computing resources.
Maria said the entry into force of the CSSF circular on 30 June should spur a review by financial institutions in Luxembourg of their outsourcing arrangements.
“A review should be carried out of all outsourcing arrangements entered into, reviewed or amended on or after 30 June 2022,” Maria said. “A review should also be conducted of legacy outsourcing arrangements that pre-date 30 June to ensure those arrangements comply with the circular and other existing rules, such as around professional secrecy and data protection, in relation to the mechanisms for international data transfers.”
“In the case of ‘critical or important’ outsourcing arrangements, these have to be reviewed at the first renewal date of the arrangement or in any case no later than 31 December 2022. In-scope entities that are unable to meet that deadline must inform the CSSF accordingly, including with measures planned to complete the review or the exit strategy described in the outsourcing policy,” he said.
Maria also advised financial institutions to be alert to changes to outsourcing arrangements which could lead those arrangements to qualify as outsourcing of critical or important functions, which would subject those arrangements to stiffer regulatory requirements.
The outsourcing requirements in Luxembourg have changed at a time when significant reform of the way third-party risk is managed across EU financial services is expected. MEPs are expected to vote next month on whether to approve the EU’s proposed Digital Operational Resilience Act (DORA).
DORA would effectively codify the existing requirements around ICT security risk management and outsourcing that are contained in a suite of guidelines produced by EU authorities, enhancing requirements financial institutions face in areas such as business continuity and disaster recovery and the reporting of major ICT-related incidents, as well as in relation to contractual arrangements they put in place with ICT third-party service providers.
DORA also envisages direct regulation of major technology providers to financial entities under a framework that would give powers to European supervisory authorities to designate specific ICT third-party service providers as subject to regulation and to then oversee their compliance. A similar regime impacting ‘critical third parties’, which is expected to impact cloud computing providers and other technology suppliers, is being provided for in the UK.
Yvonne Dunn and Luke Scanlon, also of Pinsent Masons, recently advised banks and insurers to develop a single control framework for managing third-party risk, regardless of whether the risks arise in the context of outsourcing arrangements or not. They said this reflects the evolving approach of UK financial regulators.
Written by David Maria, Partner
2022 Copyright Pinsent Masons LLP