IT Regulatory & Outsourcing Services

As emerging technologies as well as growing competition and client needs are shaping the current and future IT landscape and related processes of organisations, regulators are continuing to define a complex regulatory framework with the aim to mitigate risks related to IT.

The topics addressed by regulation are manifold. Identifying applicable requirements, understanding how compliance can be achieved, implementing the necessary actions and monitoring such compliance on a continuous basis is proving to be a proper challenge for organisations. This challenge is further amplified by the fact that IT compliance does not only concern the CIO, but indeed has many internal stakeholders.

How we can help

We support you to stay abreast of IT regulation by helping you to identify the matters which are relevant to you and to jointly define action plans to achieve and maintain compliance. Our expertise and ongoing exchange with the governing bodies which design these requirements will provide you with the comfort, that implemented actions will meet both internal and external expectations.

Compliance and TOM evaluation

Your needs:

Having a clear picture of all regulation applicable to you can be more complex than one might assume. Furthermore, regulatory requirements are directly linked to the operational activities of an organisation, which can even lead to a potential redesign of the operating model based on applicable regulation.

Our approach:

Instead of merely highlighting potential compliance gaps, we will be challenging your current setup with the ambition to jointly establish a desired operating model in light of the practical implications from a regulatory perspective.

Our assistance:

  • Compliance assessment of IT functions in accordance with the relevant IT regulations;
  • Compliance assessment in accordance with the relevant outsourcing arrangement regulations;
  • Improvement of internal controls framework across all the IT and business units;
  • Feasibility study on cloud-based solutions implementation;

On-site inspection readiness evaluation and remediation support

Your needs:

On-site inspections by regulatory authorities can be rather painful experiences, as they are often announced at short notice and put additional strain on those responsible for preparing the terrain for the fieldwork.

Our approach:

We will help you to be adequately prepared for such an exercise, as we are able to anticipate the focal points of attention during the on-site inspection by the regulators. Furthermore, we will outline for you those areas which require further actions to reduce the number and severity of potential findings. Finally, we will assist you in defining adequate remediation plans to address recommendations made by the regulators.

Our assistance in the following aspects:

  • IT governance framework (i.e. IT strategy);

  • IT risks management framework (i.e. risk assessment, risk appetite and tolerance);

  • IT outsourcing management and oversight (including cloud computing)

  • Outsourcing service provider management (i.e. SLA, register, Service KPIs);

  • Information security management system (i.e. information security policy, testing);

  • Business continuity and crisis management measures, process and documentation (i.e. Business impact analysis and risk analysis, BC&DR plans;

Authorisation and notification assistance (i.e. Outsourcing, IT and cloud computing)

Your needs:

The implementation of IT projects which impact the ownership of responsibilities as well as the treatment of sensitive data such as client data often requires the interaction with the regulator. In specific cases, a prior approval is required before the organisation can implement the envisaged changes, for instance in case of outsourcing your main accounting system or utilisation of cloud-based solutions for material activities.

Our approach:

Based on our experience, we will be able to assist you in identifying the right type of communication with the regulatory authorities, both in terms of form and content. We will support you during the preparation of the communication as well as subsequent discussions with the regulator, so that you can concentrate on moving your internal projects forward.

Our assistance in the following CSSF applications:

  • Authorisation request for business process outsourcing (BPO)
  • Authorisation request for IT Outsourcing
  • Cloud outsourcing related applications

Licensing support

Your needs:

The acquisition of a regulated status usually requires a detailed description of the organisations activities to be provided to the authorities. Such description also includes the IT landscape and related processes, including information about delegated activities. Depending on the chosen business model, these descriptions are often of a complex nature, also because internal controls will need to be described in detail to mitigate risks related to the utilisation of IT assets.

Our approach:

Our assistance is provided during the whole licence application process, from the initial identification of the most suitable license and related IT setup via the initial discussions with the regulator to the drafting of the application file and treatment of subsequent questions. Our IT specialists will directly interact with your key stakeholders to ensure that provided descriptions are sufficiently detailed and aligned with external expectations.



Contact us

Cécile Liégeois

Clients & Markets Leader, PwC Luxembourg

Tel: +352 49 48 48 2245

Follow us