CSSF's Martine Wagner (left), head of department for the supervision of investment firms, and Cécile Gellenoncourt, Head of Supervision of Information systems, address the new outsourcing rules in the ABBL-CSSF webinar.

New rules, new details and a new terminology regarding financial sector outsourcing are being introduced by Luxembourg’s financial regulator CSSF with the presentation of its widely discussed circular 22/806. These changes, with significant consequences for the use of IT and cloud services, bring greater clarity within the regulatory framework. How these changes will affect every entity supervised by the CSSF, banks as well as asset management companies, was spelled out in a recent webinar hosted by banking association ABBL.

Every entity governed by the law on the financial sector, plus those under the payment services law, is in the scope of this circular. It follows European Banking Authority guidelines published in 2019 and a subsequent consultation with industry, and creates an integrated framework, including unifying and updating rules previously present in separate CSSF circulars. Part one transcribes the EBA guidelines on outsourcing arrangements, which apply across the EU, and also includes Luxembourg-specific guidance, written in italics in the text. Part two is applicable for ICT outsourcing.

Comprehensive framework

“The circular must not be read on a standalone basis, because the EBA guidelines actually complement the overall framework on internal governance,” said Martine Wagner, Head of Department for the supervision of investment firms at the CSSF. “The circular has to be read in conjunction with circular 12/552 on central administration, internal governance and risk management that is applicable to banks,” she added.

As well as banks, investment firms, payment institutions and e-money institutions, and the outsourcing-focused specialised professionals in financial services, known as PFS, and support PFS, the regulation covers the fund industry. This includes investment fund managers, part one Ucits which designate a management company, central counterparties, approved publication arrangements and authorised reporting mechanisms. Also covered are operators of trading venues, central securities depositories, and administrators of critical benchmarks.

New proportionality principle

A key facet is the introduction of a principle of proportionality. “Implementing measures should be proportionate to the size, to the internal organisation, to the nature of the activities and services including risks,” said Cécile Gellenoncourt, Head of Supervision of Information systems and Support PFS at the CSSF. Simply put, the riskier an operation is, the more the CSSF will expect a robust administrative, governance and risk management framework. “The circular requires in-scope entities to document a proportionality analysis, and to have the conclusions approved by the management body,” she said.

General principles

A number of general principles for outsourcing have been laid out: the entity must ensure sufficient business substance; the entity remains responsible for outsourced operations, including when outsourcing intragroup; tasks must be performed in compliance with all laws, including the likes of EU data privacy rules; and the arrangement must not prevent the supervisor from doing their work effectively.

Change in materiality terminology

There is a change in terminology: things that were considered to be “material” are now referred to as “critical” or “important”. Functions are deemed to be critical or important in three situations: where a defect would materially impair compliance with legal and regulatory obligations, financial performance, and the continuity of activities; when operational tasks of internal control functions or financial and accounting functions are outsourced; and, for credit institutions and payment institutions only, when they outsource functions, such as banking activities or payment services, to an extent that would require authorisation by the relevant competent authority.

“Also as part of the criticality assessment would be the connection of the outsourcing to core business activities, the entity’s ability to identify and manage risks, the entity’s ability to transfer the outsourcing function to another service provider, the impact on data confidentiality, integrity or availability and so on,” said CSSF’s Wagner. “Also to be taken into account is the aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area,” she added.

New outsourcing manager

Organisations will need to set up an outsourcing function to manage and oversee outsourcing risks and documentation requirements. Larger, more complex entities may be expected to appoint an employee dedicated to this task, whereas smaller entities could assign this role to senior staff who would report directly to the management body.

Pre-authorisation is scrapped

Particularly welcomed by the industry is that pre-authorisation of an outsourcing arrangement is no longer required, being replaced by a mandatory pre-notification process. Notification must be made at least three months before the outsourcing plan comes into effect, or at least one month in case of recourse to a support PFS. This measure took effect from 13 June, except for ICT outsourcing where it has been in place since October 2021.

Next steps for businesses

The work entities need to undertake was summarised by Wagner. “With regard to their internal governance arrangements and internal control framework, entities must ask themselves whether they are compliant with the requirements, and if not they must adapt.” She recommended launching an identification and benchmarking exercise to identify whether arrangements are now considered to be critical or important under the new rules and to develop a compliance plan. The deadline for this is 31st December 2022. She said that if this deadline cannot be reached, the CSSF should be informed.
