Review Luxembourg outsourcing contracts, financial firms urged

David Maria of Pinsent Masons in Luxembourg said that the circular on outsourcing arrangements (60-page / 499KB PDF) issued by the CSSF implements the European Banking Authority’s outsourcing guidelines and European Securities and Markets Authority guidelines, while also reflecting the legal and regulatory specificities of the Luxembourg financial market.

The circular consolidates the essential rules on outsourcing arrangements in a single document,” said Maria. “It sets out the requirements in relation to outsourcing, including definitions, scope of application, general principles and applicable governance requirements. It also details specific requirements for ICT outsourcing – both in a cloud and non-cloud context. The harmonised framework is relevant to all outsourcings across business, internal control, financial and accounting functions.”

Maria said the scope of the rules set out in the circular has been extended so that the outsourcing requirements now apply to a broader set of entities supervised by the CSSF. Credit institutions, payment institutions and investment firms, including their branches, are among the firms subject to the new rules in respect of all outsourcing arrangements.

For other firms, the requirements stipulated in the circular only apply in the context of ICT outsourcing. This is the case for investment fund managers incorporated under Luxembourg law, certain undertakings for collective investment in transferable securities, and central securities depositories, for example.

Maria highlighted that the outsourcing rules also apply to other professionals of the financial sector, including their branches, and said intra-group outsourcing activity is also within the scope of the circular. He also said that the circular makes clear that entities within scope of the Luxembourg framework remain fully responsible for compliance with the regulatory requirements, even in the case of sub-outsourcing.

A specific outsourcing process has to be set up, with an operational risk assessment on each step – at the pre-outsourcing analysis, contractual phase – including around sub-outsourcing and security of data and systems etc, and in respect of oversight of outsourced functions and exit plans,” Maria said.

According to the CSSF, firms are expected to implement measures to mitigate the risks they identify. The measures must be proportionate to the firm’s size and their internal organisation as well as to the nature, scale and complexity of their activities or services, including their risks.

Written contracts are expected to be implemented for every outsourcing arrangement. The circular specifies minimum clauses that must be inserted into those contract, which include those that provide for audit and data access rights.

According to Maria, similar to with the EBA guidelines, the Luxembourg circular draws a distinction between outsourcings that are 'critical or important' and those that are not in terms of the requirements that must be met. Stricter requirements apply where the functions being outsourced are critical or important, as defined by the EU’s MiFID regime of regulation. In-scope entities must maintain a register for all outsourcing arrangements they enter into.

Maria said: “Where in-scope entities intend to enter into new critical or important outsourcing arrangements, make material changes to existing critical or important outsourcing arrangements, or where changes to an outsourcing arrangement would lead to an outsourced function becoming critical or important, the entities have to notify the CSSF in advance.”

Prior notification must happen at least three months before the planned outsourcing, though a one-month notice period applies to other professionals of the financial sector and material changes and/or severe events regarding the outsourcing that could have a material impact on the continuing provision of the business activities must be notified without delay,” he said.

The CSSF has developed template forms to support prior notification. Specific templates for business process outsourcing and ICT outsourcing apply, though Maria said the existing templates are likely to be updated by the regulator in due course.

Maria said: “We expect, based on guidance it has issued (12-page / 178KB PDF), the CSSF to take a risk-based approach to assessing planned outsourcings. In the event of non-compliance with the circular, the CSSF may formulate additional requirements, such as limiting or restricting the scope of the outsourced functions or requiring exit from one or more outsourcing arrangements. Even after implementation of the outsourcing arrangements, the CSSF could still address comments to the relevant entity.

Maria said the rules specific to ICT outsourcing differentiate between outsourcing relying on a cloud computing infrastructure and other types of ICT outsourcing. Where firms are intent on outsourcing to the cloud, they must appoint a cloud officer. That officer is responsible for the use of cloud services and for guaranteeing the competences of the staff managing cloud computing resources.

Maria said the entry into force of the CSSF circular on 30 June should spur a review by financial institutions in Luxembourg of their outsourcing arrangements.

“A review should be carried out of all outsourcing arrangements entered into, reviewed or amended on or after 30 June 2022,” Maria said. “A review should also be conducted of legacy outsourcing arrangements that pre-date 30 June to ensure those arrangements comply with the circular and other existing rules, such as around professional secrecy and data protection, in relation to the mechanisms for international data transfers.”

“In the case of ‘critical or important’ outsourcing arrangements, these have to be reviewed at the first renewal date of the arrangement or in any case no later than by 31 December 2022. In-scope entities that are unable to meet that deadline must inform the CSSF accordingly, including with measures planned to complete the review or the exit strategy described on the outsourcing policy,” he said.

Maria also advised financial institutions to be alert to changes to outsourcing arrangements which could lead those arrangements to qualify as outsourcing of critical or important functions, which would subject those arrangements to stiffer regulatory requirements.

The outsourcing requirements in Luxembourg have changed at a time in which significant reform to the way third party risk is managed across EU financial services is expected. MEPs are expected to vote next month on whether to approve the EU’s proposed new Digital Operational Resilience Act (DORA).

DORA would  effectively codify the existing requirements around ICT security risk management and outsourcing that are contained in a suite of guidelines produced by EU authorities, enhancing requirements financial institutions face in areas such as business continuity and disaster recovery and the reporting of major ICT-related incidents, as well as in relation to contractual arrangements they put in place with ICT third-party service providers.

DORA also envisages direct regulation of major technology providers to financial entities under a framework that would give powers to European supervisory authorities to designate specific ICT third-party service providers as subject to regulation and to then oversee their compliance. A similar regime impacting ‘critical third parties’, which is expected to impact cloud computing providers and other technology suppliers, is being provided for in the UK.

Yvonne Dunn and Luke Scanlon, also of Pinsent Masons, recently advised banks and insurers to develop a single control framework for managing third-party risk, regardless of whether the risks arise in the context of outsourcing arrangements or not. They said this reflects the evolving approach of UK financial regulators.