CSSF replaces prior authorization obligation with prior notification for material IT outsourcing
21 October 2021
Regulatory News Alert
Context
On 14 October 2021, the Commission de Surveillance du Secteur Financier (CSSF) published Circular CSSF 21/785 (the “Circular”), replacing the prior authorization obligation with a prior notification obligation in the case of material IT outsourcing.
The Circular’s provisions apply to:
- Credit institutions;
- Professionals of the Financial Sector (PSF);
- Payment institutions;
- Electronic money institutions; and
- Investment fund managers subject to CSSF Circular 18/698.
Shift from prior authorization to prior notification for material IT outsourcing
This new Circular replaces the prior authorization requirement with a prior notification requirement for material IT outsourcing, i.e., IT outsourcing (ITO)/cloud outsourcing but not business process outsourcing (BPO).
This shift will significantly shorten project timelines by providing clarity on how long the competent authority will take to process and authorize the material IT outsourcing, provided that the notification file is complete and does not require the CSSF to request additional information.
As these changes only apply to ITO/cloud outsourcing and not BPO, the elements under consideration are the materiality, the type of outsourcing (BPO, ITO or cloud) and the provider. The decision tree is as follows:
- Material outsourcing:
  - BPO: prior authorization.
  - ITO: prior notification. The notification period depends on whether the outsourcing service provider is:
    - A “support PSF” (art 29-3 to 29-6 of the Law on the financial sector): the notification is made 1 month in advance; or
    - Not a “support PSF”: the notification is made 3 months in advance.
  - Cloud: prior notification. The same applies depending on whether the cloud service provider or the resource operator is:
    - A “support PSF”: the notification is made 1 month in advance; or
    - Not a “support PSF”: the notification is made 3 months in advance.
- Non-material outsourcing: neither authorization nor notification is required.
During the 1-month or 3-month prior notification period, the CSSF can request complementary information or make a partial or total opposition to the project, and the CSSF may decide to suspend the notification period.
The CSSF also insists this notification does not prevail over any further comments/binding measures or administrative sanctions resulting from ongoing supervision or on-site inspection on outsourcing.
The CSSF has updated its notification form and merged the cloud and IT outsourcing forms.
Cloud outsourcing
The Circular provides more flexibility regarding Luxembourg’s law governing the data center’s contract and location (resiliency of the cloud computing services) when the cloud service contract is signed by the group’s head office located outside the EU and the local entity in Luxembourg benefits from this group contract.
Next steps
The Circular entered into force on 15 October 2021.
However, the CSSF also provides the following transitional measures for IT outsourcing authorization requests that were submitted to the CSSF before 15 October 2021:
- Before or on 31 August 2021: feedback will be systematically provided (whether a request for additional information, a no-objection, a conditional no-objection or a refusal) following the procedures and deadlines in place before 15 October 2021.
- Between 1 September 2021 and 14 October 2021: this depends on whether the CSSF provides feedback (whether a request for additional information, or partial or complete opposition to the draft or project) or not.
  - If the CSSF provides feedback before 15 January 2022: the CSSF will provide the supervised entity with details on the requests’ follow-up.
  - If the CSSF does not provide feedback by 15 January 2022: the supervised entities may implement the planned outsourcing.
How can Deloitte help?
Deloitte’s subject matter experts can help you navigate the outsourcing regulatory requirements by providing practical recommendations on outsourcing governance and projects, as well as smoothing the interaction with competent authorities for a higher success rate and less ambiguity regarding prior notifications or authorizations.
Our broad array of services includes:
- Compliance assessment: a gap analysis of your IT or cloud projects’ compliance with laws and regulations and pragmatic recommendations for improvement.
- Assistance with the register: the preparation (or quality assurance) of the outsourcing register.
- Assistance in communications with the regulator: the preparation (or quality assurance) of application files and participation in regulator meetings, for example:
  - Authorization requests for financial professionals wanting to use IT or cloud solutions.
  - Authorization requests for support PSFs wanting to offer cloud solutions.
- Gap analysis of CSSF requirements for IT or cloud service providers wanting to expand into the Luxembourg financial sector.
Deloitte’s Regulatory Watch Kaleidoscope service helps you stay ahead of the regulatory curve to better anticipate, manage and plan for upcoming regulations.
Contacts
Subject matter specialists
Irina Hedea
Laureline Senequier
Hatice Baskaya
Regulatory Watch Kaleidoscope service
Simon Ramos
Jean-Philippe Peters
Benoit Sauvage
Marijana Vuksic