20 October 2021
Press release

Publication of a new CSSF Circular on the obligation to notify in the case of IT outsourcing

Press release 21/25

In response to the continuing development of material IT outsourcing, the Commission de Surveillance du Secteur Financier (CSSF) simplifies its procedures for prior provision of information in this respect through Circular CSSF 21/785.

IT outsourcing increasingly used by the financial sector

For the past 10 years, the financial sector players have been increasingly using IT outsourcing solutions. This choice is based in particular on cost reduction strategies but also on the will within financial groups to refocus on core business competences and to benefit from IT services provided by experts. Moreover, this movement accelerated with the emergence of cloud solutions.

Thus, the CSSF noted an increase of over 40% in authorisation applications for IT outsourcing between 2019 and 2021. In this category, the share of cloud outsourcing doubled.

Prior notification rather than prior authorisation

On 14 October 2021, the CSSF published Circular CSSF 21/785 on the replacement of the prior authorisation obligation by a prior notification obligation in the case of material IT outsourcing. The circular also defines transitional measures for files already submitted to the CSSF and which are still being processed.*

Material IT outsourcing concerns “critical or important functions” as defined in the EBA Guidelines on outsourcing (EBA/GL/2019/02), namely functions where a failure would materially impair the soundness and continuity of the entity’s services and activities as well as its regulatory compliance obligation.

Our wish was to review our approach so that the analysis of the authorisation applications does not impede the proper execution of the projects of entities under the CSSF’s supervision”, Cécile Gellenoncourt, head of the “Supervision of Information Systems and Support PFS” department explains. Thus, the supervised entities must submit a prior notification concerning their project at least three (3) months before the planned outsourcing becomes effective or at least one (1) month where the services of a support PFS are used. “In practice, the notifications received will be subject to a differentiated treatment which might vary according to the risks linked to the outsourcing project. Consequently, the analysis may be more or less in depth and may take place before the scheduled date of implementation of the project or after that date in the framework of the ongoing supervision or on-site inspection”, she continues.

No impact on the supervision as such

The CSSF has a dual mission: ensure the stability of the financial sector, a task shared with the Banque centrale du Luxembourg, and protect consumers of financial services. As regards outsourcing, the authority ensures that risk management continues to be guaranteed and that the responsibility of this management remains with the supervised entity. “The new circular does not in any way call into question the quality and thoroughness of our supervision. Thus, even in the case of a file that was simply notified to us, we may still intervene afterwards, through on-site inspections for example, if we identify serious shortcomings regarding compliance with the professional obligations”, Cécile Gellenoncourt concludes.

La Commission de Surveillance du Secteur Financier

The Commission de Surveillance du Secteur Financier (CSSF) is a public institution which supervises the professionals and products of the Luxembourg financial sector. It supervises, regulates, authorises, informs, and, where appropriate, carries out on-site inspections and issues sanctions. Moreover, it is in charge of promoting transparency, simplicity and fairness in the markets of financial products and services and is responsible for the enforcement of laws relating to financial consumer protection and the fight against money laundering and terrorist financing.

The CSSF carries out its prudential supervision and supervision of the markets in order to contribute to the solidity and stability of the financial sector exclusively in the public interest.

The CSSF is under the authority of the Ministry of Finance but has financial autonomy and autonomy of action as required by the highest international organisations. It has a total workforce of nearly 1,000 highly qualified agents.

Press contact: Paul Wilwertz, t. +352 25 25 1 3157, email: paul.wilwertz@cssf.lu

*(Communiqué regarding the publication of Circular CSSF 21/785 on the replacement of the prior authorisation obligation by a prior notification obligation in the case of material IT outsourcing (only in French))