Simplified procedure
- Outsourcing of material IT activities
In its communiqué dated 20 October 2021, the CSSF stated that "Material IT outsourcing concerns 'critical or important functions' as defined in the EBA Guidelines on outsourcing (EBA/GL/2019/02), namely functions where a failure would materially impair the soundness and continuity of the entity's services and activities as well as its regulatory compliance obligation."
The supervised entities may further refer to the CSSF Frequently Asked Questions on the assessment of IT outsourcing materiality to assess the materiality of their IT outsourcing projects.
Prior to its implementation, any new material IT outsourcing arrangement must be communicated to the CSSF through a notification procedure using this notification template. The same notification template must be used to submit changes to existing outsourcing arrangements.
Such a notification form replaces the former (i) authorization form request for IT outsourcing of material activities; (ii) notification Form A, which was used in the case of cloud-computing outsourcing for a prior notification where a cloud-computing infrastructure was used for a material activity and provided by a Luxembourg-based eligible support PFS; and (iii) authorization Form B request for material activity on cloud computing not provided by a support PFS.
The standard notification period is at least three months before the planned outsourcing becomes effective.
The notification period is reduced to one month prior to the implementation of the outsourcing arrangement in the case of outsourcing to one of the following support PFS: IT systems and communication networks operators of the financial sector, or dematerialization or conservation service providers of the financial sector.
Within the respective three- or one-month period of the outsourcing notification, the CSSF may respond in either of the following ways:
- By requesting additional information or partially or totally rejecting the notified project, in which case the applicable notification period will be suspended
- By not reacting at all, in which case the notified planned outsourcing project may be implemented once the three- or one-month notification period, as applicable, has expired
- Sanctions
Any material IT outsourcing whose notification does not comply with both conditions (use of the new notification template and compliance with the notification period) must be considered as not having been notified to the CSSF.
- Transitional measures for pending authorization applications
In its communiqué accompanying Circular CSSF 21/785, the CSSF defined the transitional measures applicable to the supervised entities that have submitted authorization requests for material IT outsourcing prior to the entry into force of Circular CSSF 21/785, i.e., 15 October 2021:
Authorization application filed prior to 31 August 2021 |
Authorization application filed between 1 September and 14 October 2021 |
Procedures and deadlines in force prior to 15 October 2021 remain applicable. |
Supervised entities can expect to receive comments from the CSSF within three months of the entry into force of Circular 21/785 (i.e., by 15 January 2022). |
CSSF will in any event provide feedback (whether it requests additional information, or decides on non-objection, conditional non-objection or refusal). |
In the case of non-reaction from the CSSF within this three-month timeframe, the supervised entities may implement the outsourcing arrangement. |
Confirmation of the CSSF's ongoing supervision
In its communiqué dated 20 October 2021, the CSSF emphasized that the prior notification process does not preclude the CSSF from exercising its supervisory powers and that the CSSF may continue to intervene through on-site inspections when it deems it necessary.
In more detail
Circular CSSF 21/785 also amends point 31 "Contractual clauses" of Circular CSSF 17/654, as amended, on IT outsourcing relying on a cloud-computing infrastructure, to specify the following:
- The service contract signed with the cloud-computing service provider shall be subject to the law of one of the EU countries and at least one of the data centers shall be located in the EU (resiliency requirement).
- If the signed service contract is a group contract for consuming cloud-computing resources with a cloud service provider, the contract may be subject to the law of the country of one of the signing parties, even if that country is located outside of the EU.
- If the signed service contract is a group contract for consuming cloud-computing resources with a cloud service provider, the resiliency requirement can be omitted but must be taken into account in the risk assessment.
For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.