CSSF 19/714 updating circular CSSF 17/654 on IT Outsourcing relying on a cloud-computing infrastructure

29/03/19

Background

On 27 March 2019, the CSSF published Circular CSSF 19/714, which updates the existing Circular CSSF 17/654 on IT outsourcing relying on a cloud-computing infrastructure. This Circular is applicable to credit institutions, PFS (as defined under the 1993 Law), payment institutions, electronic money institutions (as defined under the 2009 Law) and investment fund managers (as defined in Circular CSSF 18/698). The Circular is applicable with immediate effect.

The Circular CSSF 17/654 clarifies the applicable regulatory framework for IT outsourcing relying on a cloud-computing infrastructure provided by an external provider. The use of private clouds without outsourcing is thus excluded from the scope of this circular.

In addition, the Circular 17/654 specifies the five main characteristics of "cloud computing" and the requirements for outsourcing on a cloud computing infrastructure (e.g. resource operation, governance, notification and consent of customers, notification to CSSF in case of non-material outsourcing or authorisation by CSSF in case of material outsourcing, etc.). These requirements apply to the entire outsourcing chain as long as all outsourcing activities are exclusively of a data-processing/IT nature ("nature informatique") and at least one outsourcing activity corresponds to the definition of "cloud computing".

Circular 17/654 distinguishes between two types of IT outsourcing. The first is “material outsourcing”, meaning the outsourcing of any activity that, when not carried out in accordance with the rules, reduces the institution’s ability to meet the regulatory requirements or continue its operations, as well as any activity necessary for sound and prudent risk management. The second is “non-material outsourcing”, which covers all other activities that are outsourced to the cloud-computing infrastructure.

Since the publication of circular CSSF 17/654, the regulator has received a significant number of notifications related to non-material outsourcing arrangements as well as questions related to specific requirements of the circular. Therefore, the CSSF decided to make some substantial amendments to the existing circular, in order to provide additional guidance and clarity related to the regulatory obligations as well as to further align the framework with the recommendations on outsourcing to cloud service providers published by the European Banking Authority (EBA).

What's new?

The newly adopted Circular changes some of the above-mentioned requirements. One of the major changes is the removal of the notification requirement in case of non-material outsourcing, which is replaced by the requirement to set up a register of all cloud outsourcing an entity has in place. Moreover, the terms “material outsourcing” and “non-material outsourcing” are further explained through examples.

The aforementioned register should be maintained by the institution on an ongoing basis, and shall be transmitted to the CSSF upon request.

In addition, the principle of proportionality is applied in a more tangible way, as several requirements are no longer applicable in case of non-material activities, including audit rights and monitoring of activities.

Finally, the CSSF has provided new forms to be used in case of authorisation requests for material activities, which replace the former “compliance tables”, in order to reduce the documentation requirements for the institutions.

What's next?

Apart from investment fund managers subject to Circular CSSF 18/698, the institutions shall establish and complete the aforementioned cloud register within six months as from the entry into force of this circular, i.e. by 27 September 2019.

Investment fund managers that have already outsourced to a cloud computing infrastructure before the entry into force of this circular do not have to submit a notification or authorisation request to the CSSF for this outsourcing. They shall, however, establish and complete the cloud register within one year as from the entry into force of this circular, i.e. by 27 March 2020.


Contact us

Florian Bewig

Director, PwC Luxembourg

Tel: +352 49 49 48 4169

Patrice Witz

Technology & Digital Leader, PwC Luxembourg