4 minute read 20 Jul 2022

Circular CSSF 22/806: An Outsourcing Circular to rule them all

By Karim Bouaissi

EY Luxembourg Consulting- IT Risk & Assurance Partner

Over 20 years of experience in IT risk and consulting. Fascinated by my young daughter. Passionate about football (Roma fan) and my hometown the island of Djerba.


The Commission de Surveillance du Secteur Financier (CSSF) published the long-awaited Circular on outsourcing arrangements

Outsourcing for supervised entities in Luxembourg has been subject to challenging discussions between all stakeholders: the outsourcing entities, the service providers and the regulator. A certain lack of clarity was noticed among market players, mainly due to multiple circulars and multiple amendments of related regulations. With the goal of providing a transparent, homogeneous and harmonized national framework for outsourcing arrangements, the Commission de Surveillance du Secteur Financier (CSSF) published Circular 22/806 on outsourcing arrangements. “The Circular” defines supervisory expectations and also implements the requirements of the European Banking Authority (EBA) on outsourcing arrangements (EBA/GL/2019/02).

Supervised entities concerned by the extended scope

The Circular extends the requirements to a wide scope of supervised entities, including not only credit institutions, payment institutions and electronic money institutions, investment firms, Professionals of the Financial Sector (PFSs) and POST Luxembourg, but also investment fund managers (IFMs) under Circular CSSF 18/698 (only for Information and Communication Technology (“ICT”) outsourcing), undertakings for collective investment in transferable securities (UCITS), central counterparties (CCPs), approved publication arrangements, market operators operating a trading venue, central securities depositories (CSDs), and administrators of critical benchmarks when performing ICT outsourcing. Even branches in Luxembourg of a legal entity whose head office is located in a different Member State of the European Economic Area have to comply to some extent with the requirements of this Circular. For the sake of clarification, the Circular applies to IFMs only when performing ICT outsourcing. Besides, Chapter 16 management companies which are not authorized as AIFMs are not expected to comply with the Circular.

All in-scope entities must apply the Circular requirements starting from 30 June 2022 to all their outsourcing arrangements entered into, reviewed or amended on or after this date. Entities may apply the principle of proportionality to meet the requirements. Where applied, they may have a framework for their central administration, internal governance and risk management proportionate to the size, nature, scope and complexity of the organization and the riskiness of the products and services. This proportionality analysis shall be documented and approved by the management body. On a side note, entities should also bear in mind that when outsourcing, their risk is impacted and, as a consequence, so are their governance and risk management framework.

Furthermore, for all existing outsourcing arrangements, the documentation should be completed following the first renewal date of each existing outsourcing arrangement and no later than 31 December 2022.

It is worth mentioning that this Circular encompasses in a single document both business process outsourcing and ICT outsourcing. As a matter of fact, several other circulars in which ICT outsourcing requirements were stated will be either amended (12/552, 18/698, …) or repealed (13/554, 15/611, 17/654…).

Demonstrating a strong governance of outsourcing arrangements

At the risk of repeating: while entities can outsource almost everything, the management body remains fully responsible and accountable for complying with regulatory obligations and the responsibilities to their customers, including the ability to oversee the outsourcing of critical or important functions.

Sophisticated readers should have noticed one important change: the concept of “materiality” has been repealed and replaced by “critical or important function”. In this Circular, the use of the term ‘critical or important functions’ is based not only on the wording of the Markets in Financial Instruments Directive (MiFID II) but also on the Payment Services Directive (PSD2) for the purpose of identifying functions under outsourcing arrangements for which specific requirements apply. Defining whether a function is important or critical is then a crucial step as this will determine: the degree to which you demonstrate due care of your outsourcing arrangement, the process used to communicate with the regulator (notification or not) and the extent to which some requirements are applied.

It goes without saying that when outsourcing, entities must not become an “empty shell”. In this context, entities should assign clear responsibilities for the documentation, management and control of outsourcing arrangements. An outsourcing function or an outsourcing officer should be appointed and should report to the management body. Not only will she/he be responsible for managing and reporting on outsourcing risks, but also for overseeing the documentation of outsourcing arrangements.

Just as internal control functions cannot be outsourced as a whole, the same applies to financial and accounting functions (only operational tasks can be transferred). In addition, when your accounting system is hosted outside of Luxembourg, you shall ensure, at the end of each day, a secure backup of all end-of-day accounting positions, including client positions, in a readable format, to guarantee an autonomous preparation of a balance sheet, a profit and loss statement and client positions.

The documentation requirement is also an important matter in demonstrating compliance. Many times throughout our experience, we have heard the question, “What minimum documentation should we have?”.

The Circular provides a clear response to that: first, appropriate governance can only be established when the management body sets the tone and enforces it through an outsourcing policy, which shall include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. Second, bear in mind that whatever happens you should be able to continue your critical functions… even when outsourcing. Therefore, a business continuity plan (BCP) regarding outsourced critical or important functions must be developed, documented, maintained and tested. Third, keep and update a register of all outsourcing arrangements: while before, such a register was only required for Cloud-based outsourcing, it is now compulsory to maintain a thorough register with predefined information, and additional information when outsourcing is deemed critical. Completing the above, in particular when considering legacy outsourcing arrangements, is not an easy exercise… but that’s not all: the main phases of the outsourcing life cycle must also be documented.

Assess your operational risk

As a matter of common sense, you will not outsource without conducting and documenting a pre-outsourcing analysis. In a first step, you are required to assess whether the outsourcing arrangement concerns a critical or important function, assess whether the supervisory conditions for outsourcing are met, perform a risk analysis and in particular estimate the extent to which the outsourcing arrangement would increase or decrease your operational risk. In addition, your selection process should demonstrate that you have conducted appropriate due diligence on the prospective service provider and that the latter is suitable.

No less important are the contracts, which should clearly set out both parties’ rights and obligations. The Circular provides a clear and complete list of key contractual clauses which should be included in the written outsourcing agreements. In this regard, it is worth mentioning that contracts should encompass, in particular for outsourcing related to critical and important functions, unrestricted rights of inspection and auditing related to the outsourcing arrangement, granted to your internal audit function, your statutory auditor and the competent authority.

Choose the right partner

Usually, when monitoring the performance of your service providers and the level of security mechanisms they have defined and implemented, you rely on key indicators they provide you with, or on third-party certifications and third-party reports made available to you. In essence, this should be fine. However, based on a risk approach, the Circular also requires you to exercise your access and audit rights and to determine the audit frequency and the areas to be audited. In this context, alone or with the support of an experienced firm, you must conduct third-party reviews to verify whether the availability, integrity and security of data and information is ensured, and also carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures.

Finally, the Circular reiterates the need to develop an exit plan, which must be defined and implemented for each outsourcing arrangement. This document shall allow you to exit without undue disruption to your business activities, without limiting your compliance with regulatory requirements and without any detriment to the continuity and quality of the provision of services to your clients. Again, most of the time disregarded or underestimated, this plan should not be seen as a backup solution but rather as an alternative solution for which a transition plan should also be developed.

Entities in scope have little time left to set up the necessary governance and documentation to comply with the circular requirements. The multidisciplinary regulatory consulting team of EY Luxembourg can help you understand the new regulations but also the requirements of regulations for your organization.

This article was published in Agefi Luxembourg.

Summary

For years, outsourcing for supervised entities in Luxembourg has been subject to challenging discussions between outsourcing entities, service providers, law and consulting firms and even the regulator. Questions such as: “Is this considered outsourcing?”, “Does this apply to me?”, or “What do I have to do?” were common.

In response, the Commission de Surveillance du Secteur Financier (CSSF) published the long-awaited Circular 22/806 on outsourcing arrangements (“the Circular”).
