Aller au contenu

+352 621 583 116 · Contact us

Luxembourg-based firm · Reply within 1 business day FR

CSSF 22/806 · Summary

← All articles Law overview →

Part I - Outsourcing arrangements

I.1. Chapter 1. Definitions, abbreviations and acronyms

Part I - Outsourcing arrangements

I.2. Chapter 2. Scope of application and proportionality

Part I - Chapter 3. General principles

I.3.1. Sub-chapter 3.1 General principles governing outsourcing arrangements

Part I - Chapter 3. General principles

I.3.2. Sub-chapter 3.2 Intragroup outsourcing

Part I - Chapter 4. Governance - Sub-chapter 4.1 Assessment

I.4.1.1. Section 4.1.1 Outsourcing

Part I - Chapter 4. Governance - Sub-chapter 4.1 Assessment

I.4.1.2. Section 4.1.2 Critical or important functions

Part I - Chapter 4. Governance - Sub-chapter 4.1 Assessment

I.4.1.3. Section 4.1.3 Outsourcing arrangements relating to internal control functions

Part I - Chapter 4. Governance - Sub-chapter 4.1 Assessment

I.4.1.4. Section 4.1.4 Outsourcing arrangements relating to the financial and accounting function

Part I - Chapter 4. Governance - Sub-chapter 4.2 Governance framework

I.4.2.1. Section 4.2.1 Sound governance arrangements and third-party risk

Part I - Chapter 4. Governance - Sub-chapter 4.2 Governance framework

I.4.2.2. Section 4.2.2 Sound governance arrangements for outsourcing

Part I - Chapter 4. Governance - Sub-chapter 4.2 Governance framework

I.4.2.3. Section 4.2.3 Outsourcing policy

Part I - Chapter 4. Governance - Sub-chapter 4.2 Governance framework

I.4.2.4. Section 4.2.4 Conflicts of interest

Part I - Chapter 4. Governance - Sub-chapter 4.2 Governance framework

I.4.2.5. Section 4.2.5 Business continuity plans

Part I - Chapter 4. Governance - Sub-chapter 4.2 Governance framework

I.4.2.6. Section 4.2.6 Internal audit function

Part I - Chapter 4. Governance - Sub-chapter 4.2 Governance framework

I.4.2.7. Section 4.2.7 Documentation requirements

Part I - Chapter 4. Governance - Sub-chapter 4.2 Governance framework

I.4.2.8. Section 4.2.8 Outsourcing supervisory conditions

Part I - Chapter 4. Governance - Sub-chapter 4.3 Outsourcing process

I.4.3.1. Section 4.3.1 Pre-outsourcing analysis

Part I - Chapter 4. Governance - Sub-chapter 4.3 Outsourcing process

I.4.3.2. Section 4.3.2 Contractual phase

Part I - Chapter 4. Governance - Sub-chapter 4.3 Outsourcing process

I.4.3.3. Section 4.3.3 Monitoring of outsourced functions

Part I - Chapter 4. Governance - Sub-chapter 4.3 Outsourcing process

I.4.3.4. Section 4.3.4 Exit plans

Part II - Chapter 1. Non-cloud ICT outsourcing

II.1.1. Sub-chapter 1.1 Requirements for Relevant Entities other than support PFS

Part II - Chapter 1. Non-cloud ICT outsourcing

II.1.2. Sub-chapter 1.2 Requirements for support PFS

Part II - Chapter 2. Cloud computing ICT outsourcing - Sub-chapter 2.1

II.2.1.1. Section 2.1.1 Specific terminology

Part II - Chapter 2. Cloud computing ICT outsourcing - Sub-chapter 2.1

II.2.1.2. Section 2.1.2 Definition of cloud computing

Part II - Chapter 2. Cloud computing ICT outsourcing - Sub-chapter 2.1

II.2.1.3. Section 2.1.3 Conditions of application of chapter 2

Part II - Chapter 2. Cloud computing ICT outsourcing

II.2.2. Sub-chapter 2.2 Requirements for outsourcing on a cloud computing infrastructure

Part III - Date of application

III. Part III - Date of application

Annex

Annexe. Annex - List of implemented ESA Guidelines

Luxgap coverage GDPR NIS 2 DORA AI Act Whistleblowing CSSF 22/806

Article I.4.1.1

Section 4.1.1 Outsourcing

CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806

15. In-Scope Entities shall establish whether an arrangement with a third party falls under the definition of outsourcing. Within this assessment, consideration shall be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or an ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by In-Scope Entities, even if the In-Scope Entity has not performed this function in the past itself.

16. Where an arrangement with a service provider covers multiple functions, In- Scope Entities shall consider all aspects of the arrangement within their assessment, e.g. if the service provided includes the provision of data storage hardware and the backup of data, both aspects shall be considered together.

17. As a general principle, In-Scope Entities shall not consider the following as outsourcing:

a. a function that is legally required to be performed by a service provider, e.g. statutory audit; b. market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch); c. global network infrastructures (e.g. Visa, MasterCard); d. clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members; e. global financial messaging infrastructures that are subject to oversight by relevant authorities; f. correspondent banking services; and g. the acquisition of services that would otherwise not be undertaken by the In-Scope Entity (e.g. advice from an architect, legal advice and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the In-Scope Entity’s premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators), goods (e.g. plastic cards 13, card

13 This does not cover the issuance of payment instruments such as the issuance of credit cards, which is a regulated payment service under the LPS.

CIRCULAR CSSF 22/806 as amended by Circular CSSF 25/883

readers, office supplies, personal computers, furniture) or utilities (e.g. electricity, gas, water, telephone line).

They trust us

See all references →