In late 2021, the Luxembourg Commission de Surveillance du Secteur Financier (CSSF) published Circular CSSF 21/785 (the Circular), which introduced a more relaxed approach on the communication requirements in relation to material IT outsourcing (including to cloud-based infrastructures).
In this context, a “material” IT outsourcing refers to a firm’s “critical or important functions,” and the European Banking Authority’s Guidelines on outsourcing defines these functions as activities whose outsourcing may have a stronger impact on the financial institution’s risk profile or on its internal control framework.
Prior Notification Obligation
The key change to the process for engaging with a material IT outsourcing in Luxembourg is the removal of the requirement for prior authorization by the CSSF. Financial services firms were previously required to seek the CSSF’s prior authorization before entering into an agreement for a material IT outsourcing. This has been replaced with an obligation to notify the CSSF prior to entering such agreements. The CSSF has also updated its notification form, including by merging the forms relating to IT and cloud outsourcing into a new Form B.
The notification period varies depending on the status of the outsourcing service provider. If the service provider is a “support PSF” as defined by Articles 29-3 to 29-6 of the Law on the Financial Sector, then notification must be made at least one month before entering into an agreement for material IT (or cloud) outsourcing. If the service provider is not a support PSF, then the notice period increases to three months.
During this notification period and following its review of the notification material, the CSSF may respond: (1) requesting that the regulated entity provide additional information, (2) with a full or partial opposition to the outsourcing, and/or (3) with a decision to suspend the notification period.
While the expectation is that this new approach will shorten process timelines, this may not always be the case. Cécile Gellenoncourt, head of the Supervision of Information Systems and Support PFS noted, “In practice, the notifications received will be subject to a differentiated treatment which might vary according to the risks linked to the outsourcing project. Consequently, the analysis may be more or less in depth and may take place before the scheduled date of implementation of the project or after that date in the framework of the ongoing supervision or on-site inspection.”
If the CSSF does not respond at all within the relevant notification period, the regulated entity will be entitled to automatically implement the material IT outsourcing. However, a lack of response at this stage does not prevent the CSSF from applying binding measures or administrative sanctions if the outsourcing arrangement is failing to comply with the relevant legal and regulatory framework.
EU Law and Location of Data Centers
The Circular also provides financial services firms and their outsourcing providers with greater flexibility in relation to the governing law of the outsourcing agreement and the location of the data center. An agreement that is signed by a group may be governed by the country in which the signatory entity is located, even if this is outside of the European Union. Under the same circumstances, the service provider’s data center would not be required to be within the European Union; however, the CSSF notes that this would need to be taken into account in the regulated entity’s risk analysis of the outsourcing arrangement.
The CSSF acknowledged that the change in process was a response to the dramatic increase in authorization applications for IT outsourcing, which rose by 40% between 2019 and 2021. This is reflected in the fact that changes only apply to material IT (including cloud) outsourcing. In the event of a material business process outsourcing (BPO), the parties would still be required to seek prior authorization from the CSSF. To clarify, authorization and/or notification is not required where a Luxembourg regulated entity enters into a non-material outsourcing agreement, whether IT or BPO.
The Circular came into force on October 15, 2021.