The regulation of outsourcing by financial institutions having their registered office in Luxembourg has been considerably simplified by the introduction of Circular CSSF 22/806 on outsourcing, issued by the Commission de Surveillance du Secteur Financier (CSSF) (the Outsourcing Circular).
The Outsourcing Circular, which entered into force on June 30, 2022, consolidated Luxembourg’s extensive network of regulations into a single set of harmonized rules that largely align with the European Banking Authority’s revised guidelines on outsourcing arrangements (EBA guidelines). The regulations were previously spread over several individual circulars, many of which have been amended or repealed.
Who is affected?
While the EBA guidelines only apply to credit institutions, investment firms and payment and electronic money institutions, the CSSF has chosen to extend the scope of the Outsourcing Circular, with a view to fostering convergence at national level. The Outsourcing Circular also applies to other professionals in the financial services sector and to POST Luxembourg (the public mail and communication company) and, in the context of information technology outsourcing only, to other entities such as investment fund managers, market operators operating a venue, central securities depositories and others (In-Scope Entities).
- Required contractual provisions: The Outsourcing Circular appears to require that certain specified contractual rights and obligations, such as certain termination rights or insurance requirements, be included in all outsourcing contracts, rather than only in “critical and important” ones as required by the EBA guidelines. It will be interesting to see how the Luxembourg market reacts to and implements this requirement.
- In-Scope Entity audit rights: The Outsourcing Circular appears to have broadened the scope of an In-Scope Entity’s audit rights over its outsourcing providers and their subcontractors. Whereas in the previous circular the standard applied was that audits should not be “significantly impaired”, this has been increased to “unrestricted”, reflecting audit rights which previously only applied to regulators. In addition, the relevant subcontractors are required to provide the In-Scope Entities themselves with the same contractual access and audit rights granted by the subcontractor.
- Additional requirements for IT outsourcing: Part II of the Outsourcing Circular sets out guidelines for pure IT outsourcing arrangements, as well as specific requirements for (a) non-cloud IT outsourcing; and (b) cloud outsourcing. Where an IT outsourcing does not meet the critical or material threshold, In-Scope Entities may use their judgment not to apply certain requirements of the Outsourcing Circular relating to business continuity and transfer of services.
- Notification: Affected entities will continue to be required to notify the appropriate authority of any outsourcing of critical or important functions, as further detailed in this previous blog post.
What are the deadlines?
The Outsourcing Circular came into effect on June 30, 2022 and was immediately applicable with respect to new outsourcing arrangements.
In-Scope Entities are required to update their existing outsourcing arrangements to ensure compliance with the Outsourcing Circular no later than the first renewal date or December 31, 2022. If this deadline is likely to be missed, the In-Scope Entity should inform its competent authority in a timely manner, setting out the planned steps to complete the review or a possible exit strategy.