The financial services regulations relating to outsourcing by Luxembourg-headquartered financial institutions have been significantly simplified by the introduction of the Commission de Surveillance du Secteur Financier (CSSF) outsourcing circular CSSF 22/806 (Outsourcing Circular).
The Outsourcing Circular, which came into force on June 30, 2022, consolidated Luxembourg’s extensive network of regulations into a single set of harmonized rules that align in large part with the European Banking Authority’s revised guidelines on outsourcing arrangements (EBA Guidelines). The regulations were previously spread across multiple individual circulars, many of which have either been amended or repealed.
Who Is Affected?
While the EBA Guidelines only apply to credit institutions, investment firms, and payment and electronic money institutions, the CSSF chose to extend the Outsourcing Circular’s scope of application, with a view to promoting convergence at national level. The Outsourcing Circular also applies to other professionals within the financial services sector and POST Luxembourg (the government-owned mail and communications company) and, in the context of information technology outsourcings only, other entities such as investment fund managers, market operators operating a trading venue, central securities depositories, and others (In-Scope Entities).
- Required Contractual Provisions: The Outsourcing Circular seems to require that certain specified contractual rights and obligations, such as certain termination rights or insurance requirements, are included in all outsourcing contracts, and not just in those that are “critical and important”—which is the EBA Guidelines’ requirement. It will be interesting to see how the Luxembourg market reacts and implements this requirement.
- In-Scope Entity Audit: The Outsourcing Circular appears to have increased the breadth of an In-Scope Entity’s rights of audit over its outsourcing providers and their subcontractors. Whereas the previous circular required only that audits not be “significantly impeded,” the standard is now “unrestricted,” mirroring the rights of audit that previously applied only to regulators. Moreover, relevant subcontractors are required to grant the In-Scope Entities themselves the same contractual rights of access and audit as those granted by the outsourcing provider.
- Additional Requirements for IT Outsourcing: Part II of the Outsourcing Circular sets out guidance in respect of pure IT outsourcing arrangements, as well as specific requirements in respect of (a) non-cloud IT outsourcing; and (b) cloud outsourcing. Where the outsourcing relates to an IT outsourcing that does not meet the threshold of critical or important, In-Scope Entities can use their judgment not to apply certain requirements of the Outsourcing Circular relating to business continuity and transfer of services.
- Notification: In-Scope Entities will continue to have to notify the competent authority of any outsourcing of critical or important functions, as further outlined in this past blog post.
What Are the Deadlines?
The Outsourcing Circular came into force on June 30, 2022, and was applicable immediately in respect of new outsourcing arrangements.
In-Scope Entities are required to update their existing outsourcing arrangements to ensure compliance with the Outsourcing Circular by the earlier of the first renewal date or December 31, 2022. If this deadline is likely to be missed, the In-Scope Entity must inform its competent authority in a timely manner, providing the measures planned to complete the review or the possible exit strategy.