Chapter 2. Scope of application and proportionality

2. This circular defines the supervisory expectations that must be complied with when resorting to outsourcing arrangements.

Part I of this circular applies to the following In-Scope Entities when performing outsourcing other than ICT outsourcing 6:

6 For the sake of clarity, these entities are not required to include their ICT outsourcing arrangements in the register referred to in section 4.2.7.

CIRCULAR CSSF 22/806 as amended by Circular CSSF 25/883

- credit institutions 7 8, including their branches, within the meaning of the LFS.

- investment firms, including their branches, within the meaning of the LFS.

- payment institutions and electronic money institutions, including their branches, (each referred to as a payment institution) within the meaning of the LPS. Account information service providers (AISP) that only provide the service in point 8 of Annex of the LPS are not included in the scope of application of this circular. Any reference made in this circular to ‘payment services’ includes payment services or issuance of electronic money provided by electronic money institutions;

This circular applies in full (Part I and Part II) to the following In-Scope Entities:

- specialised and support professionals of the financial sector (PFS) including their branches, within the meaning of the LFS. Branches in Luxembourg of PFS incorporated under foreign law shall be deemed to be included in the notion of PFS;

- POST Luxembourg governed by the Law of 15 December 2000 on postal financial services 9. All provisions that apply to payment institutions shall also apply to POST Luxembourg;

- branches in Luxembourg of credit institutions, investment firms and payment institutions incorporated in a third country. They shall be deemed to be included in the notion of credit institution, investment firm and payment institution respectively.

This circular applies also in full to the following entities established in Luxembourg when performing ICT outsourcing:

- management companies authorised only under Article 125-1 of Chapter 16 of the UCITS Law

This circular must be complied with by In-Scope Entities when designing the internal governance arrangements in the context of their business model taken as a whole, giving in particular due consideration to those activities that are regulated by the LFS, the LPS or any other national law conferring a competence to the CSSF. Consequently, this circular also applies when In-Scope Entities provide investment services and perform investment activities in accordance with the MiFID Law, develop internal governance arrangements in the context

7 The ECB is the competent authority for the prudential supervision of significant credit institutions (significant institutions – SIs). SIs shall refer to the relevant ECB rules (if any). 8 This circular shall apply to (mixed) financial holding companies that are approved in accordance with Article 34-2 LFS. See also Circular CSSF 12/552, point 3, Part I. 9 For the sake of clarity, the wording “postal financial services” has the meaning provided for in Article 1 of

the Law of 15 December 2000 as amended.

CIRCULAR CSSF 22/806 as amended by Circular CSSF 25/883

of the AML/CFT Law or provide asset management services and depositary tasks for Undertakings for Collective Investments established in Luxembourg.

Branches in Luxembourg of the aforementioned types of entities that are part of a legal entity whose head office is located in a different Member State of the EEA (EEA branches) are subject to the supervision of the competent authority of that Member State (home Member State). However, as the CSSF is competent for ensuring that EEA branches comply with the specific requirements laid down in the thematic or sectoral frameworks 10, Part I of this circular applies if EEA branches outsource functions that belong to areas for which the CSSF retains an oversight responsibility, except for ICT outsourcing 11. While this circular does not impose specific requirements with regard to internal governance arrangements of EEA branches, such branches are nevertheless expected to adopt internal governance arrangements which are comparable to those provided for in this circular, in coordination with their head office.

3. The provisions of this circular shall apply to all In-Scope Entities on an individual basis. Credit institutions and investment firms shall also comply with this circular on a sub-consolidated and consolidated basis, taking into account their prudential scope of consolidation. Credit institutions and investment firms that are a parent undertaking shall ensure that the internal governance arrangements, processes and mechanisms in their subsidiaries are consistent, well integrated and appropriate for the effective application of this circular at all relevant levels of supervision 12.

4. In-Scope Entities shall, when complying with this circular, have regard to the principle of proportionality. According to this principle, In-Scope Entities shall take implementing measures that are proportionate to their size and their internal organisation as well as to the nature, scale and complexity of their activities or services, including their risks. As such, In-Scope Entities that are large, complex or engage in risky activities or services shall adopt a more robust framework for their central administration, internal governance and risk management. By contrast, In-Scope Entities may apply a less elaborated framework where justified by their size and internal organisation as well as by the nature, scale and complexity of their activities or services, including their risks.

10 notably in the context of investment services in accordance with the MiFID Law, the AML/CFT Law, the provision of asset management services and depositary tasks for Undertakings for Collective Investments established in Luxembourg. 11 Those arrangements are covered by Circular CSSF 25/882 on requirements on the use of ICT third-party services for Financial Entities subject to DORA and DORA regulation. 12 Where a waiver has been granted pursuant to Article 10 CRR to cooperative societies or Article 7 CRR, the provisions of this circular shall be applied at the level of the parent undertaking including its subsidiaries or by the central body and its affiliates as a whole.

CIRCULAR CSSF 22/806 as amended by Circular CSSF 25/883

5. That said, outsourcing arrangements may have an impact on the risk profile of the In-Scope Entities, notably the operational risk they may be exposed to (e.g. disruption risk). Consequently, In-Scope Entities may need to enhance their internal control framework and procedures to integrate this modified risk dimension into their entity-wide risk management framework.

6. To support the appropriate implementation of this circular, In-Scope Entities shall document their proportionality analysis in writing and have their conclusions approved by the management body.

Chapter 3. General principles governing outsourcing arrangements and intragroup outsourcing