CSSF Circular 19/714 updating CSSF Circular 17/654 on cloud computing has been saved
CSSF Circular 19/714 updating CSSF Circular 17/654 on cloud computing
28 March 2019
Regulatory News Alert
On 27 March 2019, the CSSF published Circular 19/714 (the Circular) which updates Circular 17/654 on IT outsourcing based on a cloud computing infrastructure.
22 months after the publication of Circular 17/654, in light of more than 60 files submitted and recently published EBA Draft guidelines on outsourcing, the CSSF brings changes to the requirements of IT outsourcing relying on a cloud computing infrastructure. This update:
- Introduces proportionality in the requirement for non-material activities outsourced
- Introduces a register of cloud outsourcing to be maintained by the supervised entities (material & non-material)
- Removes the requirement for a notification for non-material activities outsourced
- Includes investment fund managers in the scope of application
This update also comes with a set of annexes that offers practical guidance as well as updates to the forms.
The Circular applies immediately to financial professionals, including credit institutions, investment firms, specialized PSFs, support PSFs, payment institutions, electronic money institutions, and investment fund managers.
This update will enable supervised entities to focus their effort on material activities outsourcing relying on a cloud computing infrastructure, but it also raises the expectation for the quality of documentation as well as of materiality and compliance assessments.
Introducing proportionality for non-material activities outsourced in the cloud
With more than 60 files submitted, the trends of use cases revealed that cloud infrastructures were majorly supporting non-material activities. The notification process for the latter was too burdensome for supervised entities and for the CSSF. Therefore, more proportionality was needed for its treatment.
This is why supervised entities can justify not applying the below regulatory requirements for non-material activities in accordance with their risk analysis:
- Notification of functionality changes from Cloud Service Providers and Resource Operators (§27.j and §27.k)
- Continuity in case of resolution or reorganisation or another procedure (§28.b)
- Transfer of services in case the continuity is threatened (§28.c)
- Monitoring of activities (§30)
- Contract under the European Union law (§31.a)
- Resiliency of the services in the European Union (§31.b)
- Right of audit for the ISCR (§31.j)
- Details regarding the right of audit (§32)
- Exercise the right of audit (§33)
Notifications are no longer required for non-material activity
This proportionality principle also brings changes in notification requirements. Supervised entities will no longer have to notify the CSSF of outsourcing non-material activities to the cloud.
The assessment on materiality remains the institution’s responsibility but the CSSF can challenge this assessment. For this purpose, the CSSF published an FAQ on the materiality where it describes the technical point of view and business point of view to be considered. The FAQ also provides seven examples of outsourced activities with varying scenarios where the same service could be material or non-material depending on the institution’s organization, processes and information system architecture.
However, supervised entities will have to set up a cloud outsourcing register
Supervised entities will have to create and maintain a register of all cloud outsourcing no matter whether it is material or non-material.
The register template published on the CSSF’s website contains 54 fields, nine of them only related to material activities outsourced and ten of them related to non-material activities outsourced.
The CSSF gives 12 months to investment fund managers and 6 months to other supervised entities to establish and complete the register.
Lastly, the Circular comes with some clarifications and updated forms
The Circular provides other clarifications including:
- The role of the authorized management in approving and reviewing outsourcing policies as well as the outsourcing register
- The case of a support PSF acting as intermediary (acting like a reseller) and not resource operators
- The right to audit and how to exercise it
- Regular controls of backup and the facilities to restore them
Finally, the CSSF updated the forms on its website:
- The outsourcing register template: the information from the register template covers activities outsourced, roles and responsibilities, cloud service provider, contractual information, controls over outsourced services, and justification for not applying requirements for non-material activities
- Notification or authorization forms: five forms are published together with a summary guiding the supervised entities through the templates or forms to use. The forms now embed a section of a simplified compliance assessment compared to the previous detailed compliance assessment template which was removed
- FAQ: the CSSF updated its FAQ on the Cloud Computing and published a new FAQ on the materiality assessment
How can Deloitte help?
Disrupt. Transform. Repeat. That’s the new normal. Done right, cloud not only drives that reality—it can turn it into your advantage. Deloitte’s end-to-end capabilities and understanding of your business and industry help amplify the transformative value of cloud.
Our broad array of services includes:
- Compliance assessment – gap analysis of our client’s cloud projects compliance with laws and regulations and pragmatic recommendations for improvement
- Assisting in documenting the register – preparation (or quality assurance) of the cloud outsourcing register
- Assisting in communications with the regulator – preparation (or quality assurance) of application files and participation in meetings with the regulator, e.g.:
- Authorization requests for financial professionals wishing to use cloud solutions
- Authorization requests for Support PSFs wishing to offer cloud solutions
-Gap analysis of CSSF requirements for cloud service providers wishing to expand in the Luxembourg financial sector
- Cloud strategy and readiness – your journey into the cloud must navigate pitfalls and opportunities that are unique to your business alone. That makes mapping out a clear strategy and preparing your organization essential to achieving your business goals
- Cloud package implementation – multiple SaaS solutions exist on the market for every common business process. Each solution has its strengths and weaknesses, its best uses and fits. Knowing what those are and how they will affect your business is critical for success
- Custom migration consulting services – a simple “lift-and-shift” approach to moving your applications to the cloud often bypasses the key benefits associated with the cloud—cost saving, scalability, increased speed, and flexibility
- IT operating model with cloud – as the workload shifts to new and more business-aligned tasks, IT needs to adjust to a new reality. Governance, service delivery, integration architecture, supplier management, and service measurement are among the areas that require recalibration