On 22 April 2022 the CSSF published an important new circular, Circular CSSF 22/806 on outsourcing arrangements (the “Circular”).
The Circular is addressed to credit institutions; professionals of the financial sector, including investment firms, payment institutions and electronic money institutions; investment fund managers (“IFMs”); UCITS that have designated a management company; central counterparties; approved publication arrangements and authorised reporting mechanisms; market operators of trading venues; central securities depositories and administrators of critical benchmarks, including their branches (collectively, “In-Scope Entities”). The Circular thus covers more entities than the European Banking Authority’s Guidelines on Outsourcing (EBA/GL/2019/02), which the Circular seeks to implement in order to harmonise outsourcing rules at the national level for virtually all regulated entities subject to CSSF supervision.
Along with the Circular, the CSSF has published
- Circular CSSF 22/805, which amends several other CSSF circulars to align them with the Circular;
- a specific FAQ shedding light inter alia on the applicability of the Circular to (i) Luxembourg IFMs within the meaning of Circular CSSF 18/698 (“Circular 18/698”) and (ii) Luxembourg UCITS that have designated a management company, which must only observe the Circular in relation to ICT outsourcing. For non-ICT outsourcing, their IFMs must still follow Circular 18/698.
The Circular has two main parts, which address (i) rules on outsourcing in general and (ii) rules on ICT outsourcing, irrespective of any reliance on cloud solutions. The Circular brings together rules that had previously been split over several CSSF circulars.
1. General rules
The Circular discusses the rules to be observed where In-Scope Entities engage in outsourcing arrangements. For the most part, these rules describe internal governance requirements for planning, implementing, monitoring and managing outsourced activities. Appropriate risk assessments, due diligence and pre-outsourcing analyses must be performed. The Circular also imposes ongoing obligations relating to governance, risk management, conflicts of interests, internal controls, professional secrecy, data protection, business continuity and exit planning. The Circular additionally lists requirements for the contents of outsourcing agreements.
With respect to oversight, the Circular mentions the possibility for the monitoring of intragroup outsourcing to be centralised, provided that each respective In-Scope Entity can appropriately oversee the services it receives and respond as needed. In the case of intragroup outsourcing, the group entities to which functions are outsourced must be objectively suitable, and outsourcing arrangements must not expose In-Scope Entities to undue conflicts of interest.
All functions that are outsourced must be assessed for their criticality and importance. The Circular provides guidance on how to carry out such assessments. Additional rules apply for outsourced functions deemed critical or important, including the need to include additional clauses in the outsourcing agreement, and to notify the CSSF of the intent to outsource by certain deadlines prior to the commencement of the outsourcing arrangement: one month when outsourcing to a Luxembourg-based support PSF, and three months in other cases.
An outsourcing policy must be adopted, and every In-Scope Entity must also keep an up-to-date outsourcing register.
Finally, the Circular also contains specific sections on outsourcing internal control functions and on outsourcing financial and accounting functions.
2. Specific rules for ICT outsourcing
The rules in the specific part of the Circular on ICT outsourcing only apply to actual outsourcing of ICT, and not to arrangements that concern outsourcings of entire functions which may happen to rely on ICT solutions.
Where ICT outsourcing relies on cloud solutions, additional rules apply that are close to those previously included in Circular CSSF 17/654 (now repealed). In-Scope Entities must assess whether ICT outsourcing indeed relies on cloud solutions, assess the criticality and importance of the relevant functions and apply the requirements accordingly, e.g. in relation to CSSF notifications and the contents of the outsourcing agreements. Further considerations beyond those mentioned above include, among others, the need to appoint a cloud officer, and requirements on EEA data resilience and the governing law of underlying contracts.
3. Entry into force
The Circular enters into force on 30 June 2022. As of this date, all outsourcing arrangements that are amended or entered into must comply with the new Circular. Existing outsourcing arrangements must be checked against its provisions and be made compliant by the end of the year. The requirement for prior notification of critical or important ICT outsourcings (with or without cloud) applies with immediate effect.
We at Arendt can help you to identify gaps between your current outsourcing arrangements and the new requirements, and to implement the new rules, including by updating your outsourcing policies and agreements.