Section 4.1.2 Critical or important functions
CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806
18. In-Scope Entities shall always consider a function as critical or important in the following situations:
a. where a defect or failure in its performance would materially impair:
i. their continuing compliance with the conditions of their authorisation and/or their other legal and regulatory obligations;
ii. their financial performance; or
iii. the soundness or continuity of their services and activities;
b. when operational tasks of internal control functions or operational tasks of the financial and accounting function as referred to in points 21 to 29 are outsourced;
c. when credit institutions and payment institutions intend to outsource functions of banking activities or payment services to an extent that would require authorisation[14] by the relevant competent authority as referred to in points 61 to 63.
19. In the case of BRRD institutions, particular attention shall be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines and critical functions according to the BRRD Law[15] and identified by these institutions using the criteria set out in Articles 6 and 7 of Commission Delegated Regulation (EU) 2016/778[16]. Functions that are necessary to perform activities of core business lines or critical functions shall be considered as critical or important functions for the purpose of this circular, unless the BRRD institution’s assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the operational continuity of the core business line or critical function.
[14] See the activities listed in Annex I of LFS and in Annex of LPS related to payment services.
[15] Critical functions according to Article 1(64) of BRRD Law means activities, services or operations the discontinuance of which is likely, in one or more Member States, to lead to the disruption of services that are essential to the real economy or to disrupt financial stability due to the size, market share, external and internal interconnectedness, complexity or cross-border activities of a BRRD institution or group, with particular regard to the substitutability of those activities, services or operations.
[16] Commission Delegated Regulation (EU) 2016/778 of 2 February 2016 supplementing Directive 2014/59/EU of the European Parliament and of the Council with regard to the circumstances and conditions under which the payment of extraordinary ex post contributions may be partially or entirely deferred, and on the criteria for the determination of the activities, services and operations with regard to critical functions, and for the determination of the business lines and associated services with regard to core business lines.
CIRCULAR CSSF 22/806 as amended by Circular CSSF 25/883
20. When assessing whether an outsourcing arrangement relates to a function that is critical or important, In-Scope Entities shall take into account, together with the outcome of the risk assessment outlined in points 66 to 70, at least the following factors:
a. whether the outsourcing arrangement is directly connected to core business activities;
b. the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their:
i. short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses;
ii. business continuity and operational resilience;
iii. operational risk, including conduct, ICT and legal risks;
iv. reputational risks;
v. where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation;
c. the potential impact of the outsourcing arrangement on their ability to:
i. identify, monitor and manage all risks;
ii. comply with legal and regulatory requirements;
iii. conduct appropriate audits regarding the outsourced function;
d. the potential impact on the services provided to its clients;
e. all outsourcing arrangements, the In-Scope Entity’s aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area;
f. the size and complexity of any business area affected;
g. the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement;
h. the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so (‘substitutability’);
i. the ability to reintegrate the outsourced function into the In-Scope Entity, if necessary or desirable;
j. the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity on the In-Scope Entity and its clients, including but not limited to compliance with GDPR.
Section 4.1.3 Outsourcing arrangements relating to internal control functions
21. Outsourcing arrangements of internal control functions shall not effectively result in the transfer of these functions as a whole to the service provider(s). Therefore, outsourcing arrangements shall be limited, in principle, to operational tasks of these functions.
22. Outsourcing arrangements of operational tasks of the internal control functions shall not undermine the permanence of the internal control arrangements and functions of the In-Scope Entity or their continued effectiveness. In practice this means that outsourcing arrangements shall be proportionate and shall not result in the effective carving out of the substance of the In-Scope Entities’ internal control functions.
23. In accordance with the requirements of section 4.3.1.2, In-Scope Entities shall ascertain that the service provider complies with applicable suitability requirements and has appropriate and sufficient technical knowledge and experience. In particular, the service provider shall demonstrate an appropriate and up-to-date knowledge of the regulatory framework that applies to the In-Scope Entity.
24. When outsourcing operational tasks of the internal control functions, the service provider shall be placed under the oversight of and report to the person in charge of the relevant internal control function of the In-Scope Entity (e.g. the Chief Compliance Officer, the Chief Risk Officer or the Chief Internal Auditor). Where In-Scope Entities outsource the full range of operational tasks of their internal control function, the service provider shall report to the member of the management body in charge of the internal control function.
25. In the context of the internal audit function, the service provider shall also have a direct access to the management body in its supervisory functions or, where appropriate, to the chairperson of the audit committee. In addition, the service provider shall carry out the internal audit operational tasks in accordance with the In-Scope Entity’s internal audit plan and work programme, document the work and the findings of each mission in sufficient detail and issue a dedicated report on each mission. All documents shall be drafted in French, German or English and delivered to the person in charge of the internal audit function, to the management body and, where applicable, to the audit committee.
Section 4.1.4 Outsourcing arrangements relating to the financial and accounting function
26. Outsourcing arrangements of the financial and accounting function shall not effectively result in the transfer of this function as a whole to the service provider(s). Therefore, outsourcing arrangements shall be limited, in principle, to operational tasks of this function. Outsourcing arrangements of operational tasks of the financial and accounting functions shall not undermine the permanence of the central administration of the In-Scope Entity.
27. When outsourcing operational tasks of the accounting function, In-Scope Entities shall have, at the closing of each day, unconditional and unrestricted access to the balance of all accounts and of all accounting movements of the day in order to provide the competent authority or any other body, as required by applicable laws and regulations, with this information.
28. When using an accounting system that is located outside of Luxembourg (accounting system hosting outsourcing) independently or in connection with the outsourcing of operational tasks of the accounting function, the In-Scope Entity shall have, at the end of each day, a secure backup of all end of day accounting positions, including client positions, in a readable format, to guarantee an autonomous preparation of a balance sheet, a profit and loss statement and client positions.
This backup shall be stored at the premises of the In-Scope Entity in the EEA, of a group entity located in the EEA, or of another service provider (i.e. a service provider different from the one to whom the accounting system is outsourced) located in the EEA. The accounting system shall allow keeping regular accounts in accordance with the applicable accounting framework in Luxembourg, the preparation of statutory accounts and the preparation of the prudential reports to the competent authority.
29. In case of outsourcing of the production of prudential reports, the person in charge of the financial and accounting function in the In-Scope Entity shall ensure that these reports represent faithfully the In-Scope Entity’s prudential situation and are prepared in accordance with the applicable instructions. In addition, this person shall be able to ensure that the In-Scope Entity’s annual accounts are prepared in accordance with the applicable accounting laws and regulations[17].
[17] The Law of 17 June 1992 relating to the annual and consolidated accounts of credit institutions governed by the laws of Luxembourg for credit institutions, or the Law of 19 December 2002 as amended relating to the trade register, the accounting rules and the annual accounts of companies for other In-Scope Entities.
Sub-Chapter 4.2 Governance framework
Section 4.2.1 Sound governance arrangements and third-party risk
30. As part of the overall internal control framework, including internal control mechanisms,[18] In-Scope Entities shall have a holistic entity-wide risk management framework extending across all business lines and internal units. Under that framework, In-Scope Entities shall identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework shall also enable In-Scope Entities to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks.[19]
31. In-Scope Entities, taking into account the principle of proportionality, shall identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, shall be assessed in line with points 66 to 70.
32. In-Scope Entities shall ensure that they comply with all requirements under GDPR, including for their third-party and outsourcing arrangements.
Section 4.2.2 Sound governance arrangements for outsourcing
33. The outsourcing of functions shall not result in the delegation of the management body’s responsibilities. The management body remains fully responsible and accountable for complying with all of their regulatory obligations or their responsibilities to their customers, including the ability to oversee the outsourcing of critical or important functions.
34. The management body is at all times fully responsible and accountable for at least:
a. ensuring that the In-Scope Entity meets on an ongoing basis the conditions with which it must comply to remain authorised, including any conditions imposed by the competent authority;
b. the internal organisation of the In-Scope Entity;
c. the identification, assessment and management of conflicts of interest;
d. the setting of the In-Scope Entity’s strategies and policies (e.g. the business model, the risk appetite, the risk management framework);
[18] Please also refer to Articles 6, 7, 24-2 and 24-3 LPS, when applicable.
[19] Please refer to Circular CSSF 20/750 on ICT and security risk management.
e. overseeing the day-to-day management of the In-Scope Entity, including the management of all risks associated with outsourcing; and
f. the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making.
35. Outsourcing shall not lower the suitability requirements applied to the In-Scope Entity’s management body and key function holders. In-Scope Entities shall have adequate competence, sufficient and appropriately skilled resources to ensure an appropriate management and oversight of outsourcing arrangements.
36. In-Scope Entities shall:
a. clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements;
b. allocate sufficient skilled resources to ensure compliance with the legal and regulatory requirements, including this circular and the documentation and monitoring all outsourcing arrangements;
c. for each outsourced activity, designate from among its employees a person who will be in charge of managing the outsourcing relationship(s) and managing access to confidential data; and
d. establish an outsourcing function or designate a sufficiently senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the In-Scope Entity’s internal control framework and overseeing the documentation of outsourcing arrangements. Small entities[20] shall at least ensure a clear and sound division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the In-Scope Entity’s management body.
37. In-Scope Entities shall maintain at all times sufficient substance and not become ‘empty shells’ or ‘letter-box entities’. To this end, they shall:
a. meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in point 34;
b. retain a clear and transparent organisational framework and structure that enables them to ensure compliance with legal and regulatory requirements;
[20] Credit institutions and investment firms shall refer to Circulars CSSF 12/552 and CSSF 20/758 to perform the assessment of small entities.
c. exercise appropriate oversight and be able to manage the risks that are generated by the outsourcing of critical or important functions, in particular where operational tasks of internal control functions, of the financial and accounting function or of core business activities are outsourced; and
d. have sufficient skilled resources and capacities to ensure compliance with points a. to c. above.
38. When setting up an outsourcing arrangement, In-Scope Entities shall at least ensure that:
a. they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced;
b. they maintain the orderliness of the conduct of their business and, for credit institutions and payment institutions, the banking and payment services they provide;
c. the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech);
d. appropriate confidentiality arrangements are in place regarding data and other information;
e. an appropriate flow of relevant information with service providers is maintained;
f. with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame:
i. transfer the function to alternative service providers;
ii. reintegrate the function; or
iii. discontinue the business activities that depend on the function;
g. where personal data are processed by service providers located in the EEA and/or third countries, appropriate measures are implemented and data are processed in accordance with GDPR;
h. appropriate confidentiality arrangements are in place and ensure compliance with Article 41(2a) LFS or Article 30(2a) LPS, where applicable.
Section 4.2.3 Outsourcing policy
39. The management body of an In-Scope Entity that has outsourcing arrangements in place or plans on entering into such arrangements shall approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For credit institutions and investment firms, the outsourcing policy shall, in particular, take into account the requirements pertaining to “New Product Approval Process”[21].
40. The policy shall include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy shall cover at least:
a. the responsibilities of the management body in line with points 33 and 34, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions;
b. the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements;
c. the planning of outsourcing arrangements, including:
i. the definition of business requirements regarding outsourcing arrangements;
ii. the criteria, including those referred to in points 18 to 20, and processes for identifying critical or important functions;
iii. risk identification, assessment and management in accordance with points 66 to 70;
iv. due diligence checks on prospective service providers, including the measures required under points 71 to 75;
v. procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with points 43 to 46;
vi. business continuity planning in accordance with points 47 to 50;
vii. the approval process of new outsourcing arrangements. This process must consider the additional time requirement due to the prior notification to the competent authority in accordance with points 59 and 60;
d. the implementation, monitoring and management of outsourcing arrangements, including:
i. the ongoing assessment of the service provider’s performance in line with points 104 to 110;
[21] Please refer to Part II, sub-chapter 7.3 of Circular CSSF 12/552 for credit institutions or to Part II, sub-chapter 7.3 of Circular CSSF 20/758 for investment firms.
ii. the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing);
iii. the independent review and audit of compliance with legal and regulatory requirements and policies;
iv. the renewal processes;
e. the documentation and record-keeping, taking into account the requirements set out in points 53 to 58;
f. the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible, taking into account possible service interruptions or the unexpected termination of an outsourcing agreement, in line with points 111 to 113.
41. The outsourcing policy shall differentiate between the following:
a. outsourcing of critical or important functions and other outsourcing arrangements;
b. outsourcing to service providers that are authorised by a relevant competent authority in a Member State or in a third country and those that are not;
c. intragroup outsourcing arrangements and outsourcing to entities outside the group; and
d. outsourcing to service providers located within a Member State and third countries.
42. In-Scope Entities shall ensure that the outsourcing policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process:
a. the In-Scope Entity’s risk profile;
b. the ability to oversee the service provider and to manage the risks;
c. the business continuity measures; and
d. the performance of their business activities.
Section 4.2.4 Conflicts of interests[22]
43. In-Scope Entities shall identify, assess and manage conflicts of interests with regard to their outsourcing arrangements.
44. Where outsourcing creates material conflicts of interest, including between entities within the same group, In-Scope Entities need to take appropriate measures to manage those conflicts of interest.
45. When functions are provided by a service provider that is part of a group or that is owned by the In-Scope Entity or its group, the conditions, including financial conditions, for the outsourced service shall be set at arm’s length. However, within the pricing of services, synergies resulting from providing the same or similar services to several In-Scope Entities within a group may be factored in, as long as the service provider remains viable on a stand-alone basis; within a group, this shall be irrespective of the failure of any other group entity.
46. The In-Scope Entity shall, in particular, ensure that the service provider is independent from the statutory auditor (réviseur d’entreprises agréé or cabinet de révision agréé) in charge of the statutory audit of the In-Scope Entity and from the group to which the statutory auditor belongs.
Section 4.2.5 Business continuity plans
47. Special attention shall be paid to the continuity aspects and the revocable nature of an outsourcing arrangement. The In-Scope Entity shall be able to continue its critical functions in case of exceptional events or crisis.
48. In-Scope Entities shall have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions.
49. Business continuity plans shall take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans shall also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider’s jurisdiction.
50. Where the outsourcing arrangement comprises ICT systems and data of In-Scope Entities, the measures for redundancy and backup of these systems and data shall either be specified in the outsourcing agreement with the service provider or configured by the In-Scope Entities[23], in line with the business continuity plan of the In-Scope Entities.
[22] Please also refer to Circular CSSF 12/552, Part II, sub-chapter 7.2 (points 165 to 174) for credit institutions or Circular CSSF 20/758, Part II, sub-chapter 7.2 (points 167 to 176) for investment firms.
Section 4.2.6 Internal audit function
51. The internal audit function’s activities shall cover, following a risk-based approach, the review of outsourced activities. The audit plan and programme shall include, in particular, the outsourcing arrangements of critical or important functions.