CSSF reinforces the rules for outsourcing

Much awaited by market professionals, the Financial Sector Stewardship Commission (CSSF) on April 22 published Circular 22/806 on Outsourcing. The document not only provides a framework for outsourcing arrangements, but also addresses ICT requirements. This is a change, as the latter had so far been spread across various CSSF publications. “This flyer has the advantage of putting everything in one. It’s a good point of reference, because we only have one circular to refer to,” said David Hagen, founder of Hagen Advisory, an IT compliance advisory firm.

Circular CSSF 22/806 is part of the move toward European convergence in financial supervision. In February 2019, the European Banking Authority (EBA), the European banking sector supervisory authority, issued its recommendations for outsourcing arrangements (EBA/GL/2019/02). Circular CSSF 22/806 follows the Luxembourg regulator's study of the EBA recommendations, incorporating them into its management practices and organizational approach.


In its recommendations for 2019, the EBA noted that financial institutions are showing an increased interest in outsourcing some of their activities for reasons of cost, flexibility and efficiency. In the context of the digitization of the financial services industry, more and more players are adapting their business models, intensifying the use of fintech solutions.

The first European guidelines governing outsourcing date back to 2006 and applied exclusively to credit institutions. The new, updated rules now aim for a more consistent framework for all financial institutions overseen by the EBA, namely credit institutions, but also investment firms, payment institutions, and electronic money institutions.

There is no delegation of responsibility

As the circular states, the regulator in Luxembourg considered it beneficial to “widen the scope (…) in order to promote convergence at the national level”. Circular CSSF 22/806 also covers Financial Services Professionals (PS) and Post Luxembourg.

In the case of outsourcing IT services, the circular also applies as a whole, particularly to fund managers, central counterparties, trading market operators and clearing houses. “Management companies and their funds are only concerned with IT outsourcing,” explains the founder of Hagen Advisory.


In this way, the regulatory text modifies the internal governance framework of the supervised entities, in particular by defining “critical or important functions”. These functions will therefore be subject to more stringent requirements, with outsourcing arrangements based on a risk approach. Regulated entities are therefore required to keep a record of all outsourcing arrangements, which the supervisory authorities may use during their supervisory activities.

One of the pillars of the circular is that the responsibility of the governing body of the supervised entity cannot be outsourced. This is also the case when using a subcontractor, the circular notes: “The scope entity remains entirely responsible for compliance with regulatory requirements, including in the case of ‘outsourcing’, where outsourcing can alter the risks and reliability of outsourcing arrangements. external.”

Assessing critical functions

Among the changes introduced by the circular, the concept of material outsourcing has been replaced by the concept of “outsourcing a critical function or task,” as the CSSF explains. The circular provides some objective indicators that serve as a guide for identifying such outsourcing. “We are no longer talking about the material importance of the function being outsourced, but about the importance,” says David Hagen, who then asks the question “To what extent are we adequately assessing the regulator.” This is because “the principle of proportionality leaves the possibility of adjusting the criticality assessment”. Thus, there is a problem of aligning the regulator’s expectations in terms of proportionality with the items referred to in the circular. This would leave open many discussions about the interpretation of materiality. “In my opinion, that will force us to go back to the risk analysis in order to be able to assess the proportionality,” David Hagen outlines. The goal of this approach is to be able to argue with the regulator “in order to avoid any subjective element about what is critical and what is not”.


The supervised entities are therefore expected to determine “whether outsourcing is permitted and to adapt their internal governance”. They must also adapt their risk management framework.

CSSF expects regulated entities to reduce operational risk when entering into outsourcing agreements. “The risks to be considered are in particular those associated with the relationship with the service provider, the risks associated with ‘sub-outsourcing’, the risk of concentration posed by multiple outsourcing agreements with the same service provider and/or the risk of concentration posed by outsourcing outsourced to perform critical or important functions to a limited number of service providers,” the circular confirms.

Therefore, entities should pay particular attention to operational risks, from the point of view of concentration and dependence, but also from the point of view of control: “Outsourcing should not affect the quality and independence of the entities’ internal controls.”

Advance notice

As of June 30, 2022, Circular 22/806 applies to all outsourcing agreements entered into or modified as of this date. Therefore, regulated entities must notify CSSF at least three months prior to outsourcing projects. “The prior authorization previously applied to ‘outsourcing non-ICT materials’ is now replaced by a simple advance notice of ‘outsourcing critical or non-ICT functions’ effective June 30, 2022,” states the CSSF.

The regulatory text brings another new nuance, the CSSF notes: “Advance notice of possible objection to ‘physical ICT outsourcing’, introduced in 2021, has also been replaced by simple advance notification of ‘significant or significant ICT outsourcing’.” Unlike outsourcing other than ICT, the simple notification procedure came into effect on the date of publication of the circular. Thus retroactive application has been put in place for ICT outsourcing files already notified to CSSF.
