For more or less ten years, the Luxembourg financial sector has been increasingly looking and using for IT outsourcing solutions essentially due to costs reduction schemes following the latest financial crisis.
On 14 October 2021, the Luxembourg financial market authority (the Commission de Surveillance du Secteur Financier - CSSF) issued a new Circular CSSF 21/785 on the captioned matter with the view to replacing the prior authorization requirement with a prior notification obligation in case of material IT outsourcing (Circular 21/785).
WHO IS CONCERNED?
Circular 21/785 applies to all credit institutions, professional from the financial sector (PSF), payment institutions as well as electronic money institutions and investment fund managers subject to CSSF Circular 18/698.
SCOPE OF AMENDMENTS?
Circular 21/785 amends: (i) Circular CSSF 12/552 on Central administration, internal governance and risk management, as amended; (ii) Circular CSSF 17/656 on Administrative and accounting organisation; IT outsourcing; (iii) Circular CSSF 20/758 on Central administration, internal governance and risk management, as amended (investment firms; (iv) Circular CSSF 17/654 on IT outsourcing relying on a cloud computing infrastructure, as amended.
A KEY NOTION: “MATERIAL IT OUTSOURCING”
As per the European Banking Authority (EBA) Guidelines on outsourcing (EBA/GL/2019/02), material IT outsourcing refers to “critical or important functions” where a “defect or failure in its performance would materially impair the continuing of its [regulatory] compliance [obligations], or the soundness or the continuity of its services and activities”.
CHANGE OF PROCEDURE
Prior to the issuance of the Circular 21/785, the rule was the necessary prior authorisation to be obtained from the CSSF in case of any material IT outsourcing, whereas following the Circular 21/785 it is now sufficient to make a notification to CSSF. Such notification must take place by mean of a new notification form made available by the CSSF to be filed with the CSSF in anticipation of the contemplated outsourcing project.
The general rule provides that any material IT outsourcing notification shall take place three months prior to the contemplated implementation unless it refers to a material IT outsourcing to a Luxembourg support PSF under articles 29-3 to 29-6 of the Luxembourg law on the financial sector od 5 April 1993, as amended, in which case the notification is reduced to one month prior the intended implementation.
As mentioned above, Circular 21/785 equally amends Circular 17/654 concerning cloud computing infrastructure the provisions of which also become less constraining and shall apply the same rules of notification.
NO IMPACT ON THE SUPERVISION
The ease of the entire procedure will not impair CSSF mission, which may decide to suspend the said time limits in case of additional information request, partial or total refusal of the project.
Additionally, the CSSF issued a subsequent press release with the purpose of granting that risk management continues and that its responsibility remains with the supervised entity. Such press release states that “The new circular does not in any way call into question the quality and thoroughness of our supervision. Thus, […], [CSSF] may still intervene afterwards, through on-site inspections for example, if [CSSF] identify serious shortcomings regarding compliance with the professional obligations”.
ENTERING INTO FORCE AND TRANSITORY PERIOD
Circular 21/785 entered into force on 15 October 2021.
For applications submitted prior to 31 August 2021 included, the procedures and deadlines in place before 15 October 2021 remain applicable. Hence, the CSSF will systematically provide feedback on those applications in the form of a request for additional information, no objections, conditional no objections or refusal.
With respect to applications submitted between 1 September 2021 and 14 October 2021, the following provisions apply:
- Any CSSF request for additional information, partial or complete opposition to the project will take place at the latest until 15 January 2022 (three months as from 15 October 2021).
- The absence of any reaction from the CSSF by 15 January 2022 shall be considered as an agreement to the contemplated outsourcing project and its implementation may consequently take place.
- Nevertheless, CSSF made it clear that absence of reaction shall not impair CSSF to take supervisory measures or to apply binding measures and/or administrative sanctions at a later stage in the framework of the ongoing supervision in case any outsourcing projects do not comply with the applicable legal and regulatory framework.
For further information, please feel free to reach out to Pierre-Alexandre Degehet.