Sub-chapter 3.1 General principles governing outsourcing arrangements
CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806
7. Outsourcing is a means for In-Scope Entities to get relatively easy access to expertise including in the space of new technologies and to achieve economies of scale and therefore improve cost efficiency. However, the implementation of outsourcing arrangements by In-Scope Entities creates specific risks and shall be subject to specific requirements in accordance with Articles 36-2 LFS, 37-1(5) LFS, 11(4) LPS and 24-7(4) LPS, where applicable.
Outsourcing arrangements shall be subject to the following principles:
- Outsourcing arrangements shall be subject to appropriate oversight and may, in no circumstances, lead to the circumvention of the spirit and letter of regulatory requirements or prudential measures.
- When outsourcing operational tasks to a service provider, the In-Scope Entity shall ensure that those operational tasks are effectively performed. In-Scope Entities shall perform an appropriate monitoring and auditing of outsourcing arrangements, including through the receiving of appropriate reports in line with section 4.3.3 and with section 4.2.6 and sub-section 4.3.2.3, respectively.
- The responsibility of the management body for the In-Scope Entity and all its activities can never be outsourced:
• Any outsourcing that would result in the delegation by the management body of its responsibility, altering the relationship and obligations of the In-Scope Entities towards their clients, undermining the conditions of their authorisation or removing or modifying any of the conditions subject to which the In-Scope Entity’s authorisation was granted, shall not be permitted.
• The In-Scope Entity remains fully responsible for compliance with regulatory requirements including in the case of sub-outsourcing as sub-outsourcing can change the risk and reliability of outsourcing arrangements. Therefore, the In-Scope Entity must determine whether sub-outsourcing is authorized and adapt its internal governance and risk management framework with regard to sub-outsourcing, in particular regarding critical or important outsourcing arrangements, while the initial service provider also has monitoring obligations.
- Outsourcing arrangements shall not create undue operational risks. The risks to be considered include those associated with the relationship with the service provider, the risk caused by allowing for sub-outsourcing, the concentration risk posed by multiple outsourcing arrangements to the same service provider and/or the concentration risk posed by outsourcing critical or important functions to a limited number of service providers. In-Scope Entities shall in any case manage concentration and dependence risks appropriately.
- Outsourcing shall not impair the quality and independence of In-Scope Entities’ internal controls or the ability of those entities to oversee and supervise compliance with regulatory requirements and to continue their activities under a going concern.
- Outsourcing must not lead to a situation where In-Scope Entities would be in breach with legal or regulatory requirements on central administration and become empty shells that lack the substance to remain authorised. To this end, management bodies shall ensure that, including in a context of an outsourcing of functions to a parent entity or other group entities, sufficient resources are available to appropriately support and ensure the performance of their responsibilities, including overseeing the risks and managing the outsourcing arrangements.
- When outsourcing, In-Scope Entities must ensure that all requirements of this circular are met on an ongoing basis. Functions that are considered critical under a resolution perspective may also be outsourced subject to not creating impediments to the resolvability of the BRRD institution.
8. When performing outsourcing arrangements that involve information subject to confidentiality requirements, In-Scope Entities shall put in place appropriate confidentiality arrangements and ensure compliance with Article 41(2a) LFS or Article 30(2a) LPS, where applicable.
9. In-Scope Entities shall comply with GDPR and the requirements of the Luxembourg competent authority in this area, namely the “Commission Nationale pour la Protection des Données” (CNPD).
10. Outsourcing may, in no circumstances, hamper the performance of supervisory powers by competent authorities with regard to all aspects of supervisory relevance. Outsourcing arrangements shall in particular not impact the competent authorities’ ability to oversee and supervise In-Scope Entities’ compliance with legal or regulatory requirements under a going concern or BRRD institutions’ regulatory compliance from a resolution perspective.