In response to the continuing development of material IT outsourcing, the Commission de Surveillance du Secteur Financier (CSSF) simplifies its procedures for prior provision of information in this respect through Circular CSSF 21/785.
IT outsourcing increasingly used by the financial sector
For the past 10 years, financial sector players have been increasingly using IT outsourcing solutions. This choice is based in particular on cost reduction strategies but also on the will within financial groups to refocus on core business competences and to benefit from IT services provided by experts. Moreover, this movement accelerated with the emergence of cloud solutions.
Thus, the CSSF noted an increase of over 40% in authorisation applications for IT outsourcing between 2019 and 2021. In this category, the share of cloud outsourcing doubled.
Prior notification rather than prior authorisation
On 14 October 2021, the CSSF published Circular CSSF 21/785 on the replacement of the prior authorisation obligation by a prior notification obligation in the case of material IT outsourcing. The circular also defines transitional measures for files already submitted to the CSSF that are still being processed.
Material IT outsourcing concerns “critical or important functions” as defined in the EBA Guidelines on outsourcing (EBA/GL/2019/02), namely functions where a failure would materially impair the soundness and continuity of the entity’s services and activities as well as its regulatory compliance obligation.
“Our wish was to review our approach so that the analysis of the authorisation applications does not impede the proper execution of the projects of entities under the CSSF’s supervision”, Cécile Gellenoncourt, head of the “Supervision of Information Systems and Support PFS” department, explains. Thus, the supervised entities must submit a prior notification concerning their project at least three months before the planned outsourcing becomes effective, or at least one month where the services of a support PFS are used. “In practice, the notifications received will be subject to a differentiated treatment which might vary according to the risks linked to the outsourcing project. Consequently, the analysis may be more or less in depth and may take place before the scheduled date of implementation of the project or after that date in the framework of the ongoing supervision or on-site inspection”, she continues.
No impact on the supervision as such
The CSSF has a dual mission: to ensure the stability of the financial sector, a task shared with the Banque centrale du Luxembourg, and to protect consumers of financial services. As regards outsourcing, the authority ensures that risk management continues to be guaranteed and that responsibility for this management remains with the supervised entity. “The new circular does not in any way call into question the quality and thoroughness of our supervision. Thus, even in the case of a file that was simply notified to us, we may still intervene afterwards, through on-site inspections for example, if we identify serious shortcomings regarding compliance with the professional obligations”, Cécile Gellenoncourt concludes.
Press release by CSSF
Published on 25 October 2021