Following the publication of CSSF Circular 22/806 on the implementation of the European Banking Authority (EBA) guidelines on outsourcing arrangements, the ABBL and the CSSF organised a question and answer session on 8 June, which was attended by more than 800 ABBL members. Here is a summary of the answers given by the supervisor to some questions asked by the ABBL members.
New simple notification procedure for planned outsourcing of critical/important contions, including ICT and business process outsourcing
This is the most notable advance in the circular. In general, the notification period is 3 months before the planned outsourcing takes effect.
Secure backup of all end-of-day accounting positions in the EEA
A simple copy or extraction of the information in a readable format would be sufficient.
Mandatory insurance against certain risks
In-scope entities should consider whether a failure or disruption in service provision may ultimately result in significant financial loss to in-scope entities.
Sub-outsourcing by a Support PFS
The in-scope entity should determine whether sub-outsourcing is acceptable and consistent with its own outsourcing policy. The entity remains responsible for compliance with regulatory requirements, including in the case of sub-outsourcing.
Inform the CSSF without delay of material changes and/or serious events concerning outsourcing arrangements
Material changes and serious events having an impact on critical outsourcing arrangements which could lead to the interruption of the entity's business services fall under this case. The CSSF must be informed as soon as the entity becomes aware of such changes and/or events.
Difference between business process outsourcing and pure ICT outsourcing
The qualification of outsourcing depends on the outcome of the service offered: business-related outcome or ICT-related outcome.
Definition of cloud services
All seven cumulative characteristics must be met for cloud services to qualify, namely:
- On-demand self-service
- Broad network access
- Pooling of resources
- Rapid elasticity
- Measured service
- No access to data and systems by a cloud service provider without prior and explicit agreement by the in-scope entity
- No manual interaction by the Cloud Service Provider as regards to the day-to-day management of the Cloud environment of the In-scope entity
The future of the cloud computing outsourcing register
There will be only one outsourcing register and the former cloud computing register will be integrated into the more comprehensive register required by the outsourcing circular.
The key messages given above are not exhaustive and are based on the transcript of the ABBL-CSSF event. For more details, the ABBL invites its members to consult the webinar recording and to contact the CSSF directly. If you have not received the link to the webinar replay, please contact the ABBL Member Relations team.
The ABBL thanks the CSSF for the clarifications provided, and its members, in particular the Cloud Computing and Outsourcing Regulation working groups, for their productive cooperation on the work on the outsourcing circular. The ABBL will keep its members informed of future developments in the regulatory framework for outsourcing in Luxembourg.
By Andrey Martovoy – Innovation & Digital Adviser, and Gilles Pierre - Head of Banking Regulation and Financial Markets