Modifications in the CSSF regime related to material IT outsourcing
In order to face the continuing development of material IT outsourcing, the CSSF has simplified its procedures.
According to the Commission de Surveillance du Secteur Financier (the "CSSF") [1], authorisation applications for IT outsourcing increased by over 40% between 2019 and 2021. In particular, the number of cloud outsourcing applications from Luxembourg entities doubled.
In this context, and in order to face the continuing development of material IT outsourcing (i.e. outsourcing of critical or important IT functions, as defined in the EBA Guidelines on outsourcing arrangements [2]), the CSSF has simplified its procedures. As of 15 October 2021, a new notification system has been introduced which is separate from the general authorisation procedure applicable to other material outsourcing. This is governed by Circular CSSF 21/785 [3] (the "Circular"), which modifies four existing CSSF Circulars (CSSF Circular 12/552, CSSF Circular 17/656, CSSF Circular 20/758 and Circular CSSF 17/654), replacing the requirement for prior authorisation with prior notification for material IT outsourcing operations.
IT outsourcing, according to the CSSF, is an arrangement between the institution and a service provider (including within the same group) whereby the service provider performs an IT process, service or activity that would otherwise be undertaken by the institution itself. If this service is not carried out in accordance with the rules and "reduces the institution's ability to meet the regulatory requirements or to continue its operations as well as any activity necessary for sound and prudent risk management", it is considered "material" IT outsourcing [4].
Prior notification procedure instead of prior authorisation
This new prior notification obligation, which replaces the general authorisation regime and applies to any "material" IT outsourcing by the relevant financial institutions, consists of two requirements:
an institution must provide prior notification to the competent authority (the CSSF or, for Luxembourg significant credit institutions falling under its supervision, the European Central Bank) by using the form provided by the CSSF on its official website. This must be submitted to the CSSF via email or a secure communication channel;
the notification must be sent at least three months prior to the effective start date of the outsourcing (unless the IT outsourcing is provided by a PSF in accordance with Articles 29-3 to 29-6 of the Law of 5 April 1993 on the financial sector, in which case the notification must be made at least one month prior to the effective start date of the outsourcing).
If these requirements are not met and the services are nevertheless provided, the material IT outsourcing will be considered unnotified and non-compliant with CSSF procedures, which can lead to penalties being imposed by the CSSF in accordance with the Law of 5 April 1993 on the financial sector, as amended.
Outsourcing to a cloud computing service provider
In response to the market, the CSSF has also modified the procedure set out in Circular CSSF 16/654 [5]: outsourcing to a cloud computing service provider is no longer subject to prior authorisation but is now done by way of prior notification. The institution must notify the competent authority at least one month before the effective start date of the outsourcing, unless it falls under one of the exceptions [6], in which case the institution must notify at least three months before the effective start date of the outsourcing.
The service contract between the financial institution and the cloud computing service provider must be subject to the law of an EU Member State and shall provide for resiliency of the cloud computing services provided to the ISCR [7] in the European Union, ensuring that at least one of the data centres is located in the European Union and is able to operate the cloud computing services autonomously, if necessary. This requirement remains unchanged and therefore continues to impact institutions post Brexit, where many contracts have been governed by English law.
Finally, another modification in relation to this specific type of outsourcing concerns agreements for the outsourcing of cloud computing services between companies belonging to the same group: such an agreement can be subject either to the laws of an EU Member State or to the laws of a third country, if that is the jurisdiction of incorporation of the signatory.
Conclusion - notification is easier than prior approval
With this simplified procedure, the CSSF facilitates the proper execution of "material" IT outsourcing projects by institutions subject to the CSSF's supervision. This is a welcome change which will also reduce the risk of impediments or delays in the process and make it much easier for institutions to manage their business.
[1] Press release 21/25 on the publication of a new CSSF Circular on the obligation to notify in the case of IT outsourcing: https://www.cssf.lu/en/2021/10/publication-of-a-new-cssf-circular-on-the-obligation-to-notify-in-the-case-of-it-outsourcing/.
[2] Please find the full report here: https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf?retry=1.
[3] Circular CSSF 21/785 on the replacement of the prior authorisation obligation by a prior notification obligation in the case of material IT outsourcing: https://www.cssf.lu/wp-content/uploads/cssf21_785.pdf.
[4] FAQ on the assessment of IT outsourcing materiality: https://www.cssf.lu/en/Document/faq-on-the-assessment-of-it-outsourcing-materiality/.
[5] Circular CSSF 17/654 as amended by Circulars CSSF 19/714 and 21/777 on IT outsourcing relying on a cloud computing infrastructure: https://www.cssf.lu/wp-content/uploads/cssf17_654eng.pdf.
[6] A cloud computing service provider is authorised under Articles 29-3 or 29-4 of the LFS and the resource operation is carried out either by the ISCR or by an institution authorised under Articles 29-3 or 29-4 of the LFS; the resource operation is carried out by an institution authorised under Articles 29-3 or 29-4 of the LFS, where it is the signatory; or an institution that benefits from such an approval as defined in Articles 29-3 or 29-4 of the LFS acts as an intermediary, and not as an operator of the resources, between an ISCR and a cloud computing service provider.
[7] An institution supervised by the competent authority and consuming cloud computing resources for the purpose of carrying out its activities.