On 14 October, the Commission de Surveillance du Secteur Financier (CSSF) issued a communiqué regarding the publication of Circular CSSF 21/785 on the replacement of the prior authorisation obligation by a prior notification obligation in the case of material IT outsourcing.
Circular 21/785 addresses all credit and payment institutions, PSF companies and electronic money institutions, as well as investment fund managers subjected to CSSF Circular 18/698.
This circular amends circulars CSSF 12/552 as amended, CSSF 17/656 as amended, CSSF 20/758 and CSSF 17/654 as amended, by replacing the prior authorisation requirement for any material IT outsourcing, including outsourcing to a cloud-based infrastructure, by an obligation to notify the CSSF prior to the implementation of the outsourcing arrangement.
The notification form, available here, shall be submitted to the CSSF at least three months prior to the implementation of the outsourcing arrangement. In case of outsourcing to a support PFS according to articles 29-3 to 29-6 of the LSF, this period is reduced to one (1) month.
Within the three (3) months notification period, or one (1) month respectively, the CSSF has a right to react to the outsourcing notification, namely by requesting any additional information, partial or complete rejection of the project. In the absence of such a reaction, the outsourcing arrangement shall be considered as approved and thus may be implemented.
Additionally, the Circular 17/785 amends the Cloud Circular 17/654 (as amended) in two aspects specifically related to point 31 of the circular on contractual clauses. The service contract signed with the Cloud Service Provider (CSP) shall be subject to the law of one of the countries of the European Union (EU) and at least one cloud data center shall be located within the EU for resilience purposes. These requirements can be omitted if the entity consuming cloud resources (ESCR) becomes a party to an already established Group contract with the CSP.
Authorisation requests that were submitted prior to 31 August 2021 will be handled by the CSSF on a best effort basis, following the existing process. Any submissions made between 1 September - 14 October will receive comments or questions by the CSSF by 15 January 2022, or in case of no response by the CSSF, the outsourcing arrangements shall be considered as approved.
Any new material IT or cloud-based outsourcing arrangement shall be communicated to the CSSF through the new notification form, which replaces both the forms A and B in case of cloud outsourcing, as well as the existing form for authorisation requests for material IT outsourcing.
1. PwC Luxembourg (www.pwc.lu) is the largest professional services firm in Luxembourg with 2,800 people employed from 77 different countries. PwC Luxembourg provides audit, tax and advisory services including management consulting, transaction, financing and regulatory advice. The firm provides advice to a wide variety of clients from local and middle market entrepreneurs to large multinational companies operating from Luxembourg and the Greater Region. The firm helps its clients create the value they are looking for by contributing to the smooth operation of the capital markets and providing advice through an industry-focused approach.
2. The PwC global network is the largest provider of professional services in the audit, tax and management consultancy sectors. We are a network of independent firms based in 155 countries and employing over 284,000 people. Talk to us about your concerns and find out more by visiting us at www.pwc.com and www.pwc.lu.
Regulatory & Compliance Advisory Services - Banking - Managing Director, PwC Luxembourg
Tel: +352 49 49 48 4169