Sub-chapter 3.2 Intragroup outsourcing
CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806
11. Intragroup outsourcing is not necessarily less risky than outsourcing to an entity outside the group. Intragroup outsourcing is therefore subject to the same regulatory framework and conditions as outsourcing to service providers outside the group. Where In-Scope Entities intend to outsource to entities within the same group, they shall also ensure that the reason for selecting a group entity is based on objective reasons. In particular, the group entity shall be suitable and the outsourcing arrangement may not expose the In-Scope Entities to an undue conflict of interest.
12. When outsourcing within the same group, In-Scope Entities may have a higher level of control over and information about the outsourced function and the service provider, which they could take into account in their risk assessment. In-Scope Entities shall however not exclusively rely on their group entities for the management of the outsourcing and shall design procedures for the performance of appropriate monitoring and oversight at the level of the In-Scope Entity itself to ensure compliance with the requirements set out in this circular.
13. Subject to the general principles set out in sub-chapter 3.1, In-Scope Entities that use centrally provided governance arrangements shall therefore comply with the following:
a. where In-Scope Entities have outsourcing arrangements with service providers within the group, the management body of the In-Scope Entity retains, also for these outsourcing arrangements, full responsibility for compliance with the regulatory requirements and the effective application of this circular;
b. where In-Scope Entities have outsourcing arrangements with a service provider within the group, the In-Scope Entity shall ensure that those outsourcing arrangements, including operational tasks that are outsourced, are effectively performed. In-Scope Entities shall perform an appropriate monitoring and auditing of outsourcing arrangements, including through the receiving of appropriate reports, in line with section 4.3.3. and with section 4.2.6 and sub-section 4.3.2.3, respectively.
14. In addition to point 13 above, In-Scope Entities within a group shall take into account the following:
a. where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), In-Scope Entities shall ensure that both the independent monitoring of the service provider and its appropriate oversight by each In-Scope Entity is possible, including by receiving, at least annually and upon request, from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring and by challenging those reports. In addition, In-Scope Entities shall receive from the centralised monitoring function a summary of the relevant outsourcing audit reports and, upon request, the full audit report.
The management body of In-Scope Entities shall determine whether the extent and the contents of these reports are consistent and appropriate and shall take action if these reports do not enable it to comply with the requirements on internal governance and on risk management as laid down in other relevant CSSF circulars;
b. In-Scope Entities shall ensure that their management body shall be duly informed of relevant planned changes regarding service providers that are monitored centrally and the potential impact of these changes on the critical or important functions provided, including a summary of the risk analysis, comprising legal risks, compliance with regulatory requirements and the impact on service levels, in order for them to assess the impact of these changes and accept them or take action as appropriate;
c. where In-Scope Entities within the group rely on a central pre-outsourcing assessment of outsourcing arrangements, each In-Scope Entity shall receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process and accept it or take action as appropriate;
d. for In-Scope Entities within a group, the register as referred to in section 4.2.7 may be kept centrally. Where the register of all existing outsourcing arrangements is established and maintained centrally within a group, the competent authorities and all In-Scope Entities shall be able to obtain the individual register without undue delay. This register shall include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group. In-Scope Entities shall be satisfied that the register complies with the provisions set out in Section 4.2.7 on Documentation requirements;
e. in relation to their exit strategies, where In-Scope Entities rely on an exit plan for a critical or important function that has been established at group level, all In-Scope Entities shall receive a summary of the plan and be satisfied that the plan can be effectively executed in accordance with the provisions set out in Section 4.3.4 on Exit plans;
f. In-Scope Entities within a group may rely on centrally established business continuity plans regarding their outsourced functions. In-Scope Entities shall receive a summary of the plan and be satisfied that the plan complies with the provisions of Section 4.2.5 on Business continuity plans.
Chapter 4. Governance of outsourcing arrangements
Sub-chapter 4.1 Assessment of outsourcing arrangements