3. Financial Institutions
  5. Luxembourg: Material IT outsourcing - the CSSF's new approach

Luxembourg: Material IT outsourcing - the CSSF's new approach

27 Oct 2021    4 minute read
Topics Banks, Financial Infrastructure Providers & Payments, Funds & Private Equity

In brief

On 14 October 2021, the Commission de Surveillance du Secteur Financier (CSSF) issued a new Circular CSSF 21/785, whose purpose is to replace the prior authorization requirement for any material IT outsourcing, including IT outsourcing relying on a cloud-computing infrastructure, by an obligation to notify the CSSF prior to the implementation of the outsourcing arrangement. Circular CSSF 21/785 has therefore amended Circular CSSF 12/552 as amended, Circular CSSF 17/656, Circular CSSF 20/758 and Circular CSSF 17/654 accordingly.

Circular CSSF 21/785, which entered into force as of 15 October 2021, applies to all credit, payment and electronic money institutions, professionals of the financial sector (PFS) companies and investment fund managers subject to Circular CSSF 18/698.

Contents

Simplified procedure

  • Outsourcing of material IT activities

In its communiqué dated 20 October 2021, the CSSF stated that "Material IT outsourcing concerns "critical or important functions" as defined in the EBA Guidelines on outsourcing (EBA/GL/2019/02), namely functions where a failure would materially impair the soundness and continuity of the entity's services and activities as well as its regulatory compliance obligation."

The supervised entities may further refer to the CSSF Frequently Asked Questions on the assessment of IT outsourcing materiality to assess the materiality of their IT outsourcing projects.

  • Notification procedure

Prior to its implementation, any new material IT outsourcing arrangement must be communicated to the CSSF through a notification procedure using this notification template. The same notification template must be used to submit changes to existing outsourcing arrangements.

Such a notification form replaces the former (i) authorization form request for IT outsourcing of material activities; (ii) notification Form A, which was used in the case of cloud-computing outsourcing for a prior notification where a cloud-computing infrastructure was used for a material activity and provided by a Luxembourg-based eligible support PFS; and (iii) authorization Form B request for material activity on cloud computing not provided by a support PFS.

  • Notification period

The standard notification period is set to last at least three months before the planned outsourcing becomes effective.

The notification period is reduced to one month prior to the implementation of the outsourcing arrangement in the case of outsourcing to one of the following support PFS: IT systems and communication networks operators of the financial sector, or dematerialization or conversation service providers of the financial sector.

  • Assessment process

Within the respective three or one-month period of the outsourcing notification, the CSSF may respond in either of the following ways:

  • By requesting additional information or partially or totally reject the notified project, in which case the applicable notification period will be suspended
  • By not reacting at all, in which case the notified planned-outsourcing project could be implemented once the three- or one- month notification period, as applicable, has expired
  • Sanctions

Any material IT outsourcing whose notification does not comply with both conditions (utilization of the new notification template and compliance with the notification period) must be considered as not having been notified to the CSSF.

  • Transitional measures for pending authorization applications

In its communiqué accompanying Circular CSSF 21/785, the CSSF defined the transitional measures applicable to the supervised entities that have submitted authorization requests for material IT outsourcing prior to the entry into force of Circular CSSF 21/785, i.e., 15 October 2021:

Authorization application filed prior to 31 August 2021   Authorization application filed between 1 September and 14 October 2021
Procedures and deadlines in force prior to 15 October 2021 remain applicable.   Supervised entities can expect to receive comments from the CSSF within three months of the entry into force of Circular 21/785 (i.e., by 15 January 2022).
CSSF will in any event provide feedback (whether it requests additional information, or decides on non-objection, conditional non-objection or refusal). In the case of non-reaction from the CSSF within this three-month timeframe, the supervised entities may implement the outsourcing arrangement.

Confirmation of the CSSF's ongoing supervision

In its communiqué dated 20 October 2021, the CSSF emphasized that the prior notification process does not preclude the CSSF from its supervision powers and that the CSSF may continue to intervene through on-site inspections when it deems it necessary.

In more detail

Circular CSSF 21/785 also amends point 31 "Contractual clauses" of Circular CSSF 17/654 as amended on IT outsourcing relying on a cloud-computing infrastructure to specify the following:

  • The service contract signed with the cloud-computing service provider shall be subject to the law of one of the EU countries and at least one of the data centers shall be located in the EU (resiliency requirement).
  • If the signed service contract is a consuming cloud-computing resources group contract with a cloud service provider, the contract may be subject to the law of one of the signing parties' country, even if that country is located outside of the EU.
  • If the signed service contract is a consuming cloud-computing resources group contract with a cloud service provider, the resiliency requirement can be omitted but must be taken into account in the analysis to assess the risks.

For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.

Contact Information
Laurent Fessmann
Partner
Luxembourg
laurent.fessmann@bakermckenzie.com
Catherine Martougin
Partner
Luxembourg
catherine.martougin@bakermckenzie.com
Jean-François Trapp
Partner
Luxembourg
jean-francois.trapp@bakermckenzie.com

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.

HighQ
Copyright Baker McKenzie 2024 | Disclaimers | Supplemental Privacy Statement