CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806

Table of contents (excerpt):
Section 4.1.3 Outsourcing arrangements relating to internal control functions
Section 4.1.4 Outsourcing arrangements relating to the financial and accounting function
Sub-Chapter 4.2 Governance framework
Section 4.2.1 Sound governance arrangements and third-party risk
Section 4.2.2 Sound governance arrangements for outsourcing
Section 4.2.3 Outsourcing policy
Section 4.2.4 Conflicts of interests
Section 4.2.5 Business continuity plans
Section 4.2.6 Internal audit function
Section 4.2.7 Documentation requirements
Section 4.2.8 Supervisory conditions for outsourcing
Sub-chapter 4.3 Outsourcing process
Section 4.3.1 Pre-outsourcing analysis
Section 4.3.2 Contractual phase
Section 4.3.3 Oversight of outsourced functions
Section 4.3.4 Exit plans
Part II – Requirements in the context of ICT outsourcing arrangements
Chapter 1. ICT outsourcing arrangements other than those relying on a cloud computing infrastructure
Sub-chapter 1.1 Requirements applicable to In-Scope Entities other than Support PFS authorised under Articles 29-3, 29-5 and 29-6 LFS and their branches abroad
Sub-chapter 1.2 Requirements applicable to Support PFS authorised under Articles 29-3, 29-5 and 29-6 LFS and their branches abroad
Chapter 2. ICT outsourcing arrangements relying on a cloud computing infrastructure
Sub-chapter 2.1 Definitions and application
Section 2.1.1 Specific terminology
Section 2.1.2 Definition of “cloud computing”
Section 2.1.3 Conditions of application of Chapter 2
Sub-chapter 2.2 Requirements to be observed with respect to outsourcing to a cloud computing infrastructure
Part III – Date of application
Annex – List of implemented ESAs Guidelines
CIRCULAR CSSF 22/806 as amended by Circular CSSF 25/883
Part I – Outsourcing arrangements
Chapter 1. Definitions, abbreviations and acronyms
1. Unless otherwise specified, terms used and defined in the LFS, the LPS and Regulation (EU) No 575/2013 shall have the same meaning in this circular. In addition, for the purposes of this circular, the following definitions apply:
1) Cloud services: services provided using cloud computing, that is, a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Services are considered as cloud computing services within the meaning of this circular if the conditions defined in points 135 and 136 are fulfilled.
a. Community cloud: cloud infrastructure available for the exclusive use by a specific community of In-Scope Entities, including several In-Scope Entities of a single group.
b. Hybrid cloud: cloud infrastructure that is composed of two or more distinct cloud infrastructures.
c. Public cloud: cloud infrastructure available for open use by the general public.
d. Private cloud: cloud infrastructure available for the exclusive use by a single In-Scope Entity.
2) Competent authority: the CSSF or the ECB as competent authority for the supervision of entities in accordance with point 2 of this circular.
3) Core business activities: the activities of the In-Scope Entities which are subject to an authorisation or a registration by a competent authority.
4) Critical or important function [4]: any function that is considered critical or important as set out in points 18 to 20.
5) Function: any processes, services or activities.
6) ICT outsourcing: an arrangement of any form between the In-Scope Entity and a service provider by which that service provider performs an ICT process, an ICT service or an ICT activity that would otherwise be undertaken by the In-Scope Entity itself. The services are pure ICT services in nature.
7) In-Scope Entity: all supervised entities in accordance with point 2 of this circular.
8) Internal control functions: the risk control function, the compliance function and the internal audit function.
9) Intragroup outsourcing [5]: an outsourcing by an In-Scope Entity to a service provider who belongs to the same group.
For In-Scope Entities that are subject to supervision on a consolidated basis in accordance with their sectoral laws and regulations or that belong to a group that is subject to such consolidated supervision it is important to note that the scope of application of the provisions on intragroup outsourcing extends beyond the sole scope of such consolidated supervision.
[4] In the context of outsourcing arrangements, the meaning of ‘critical or important function’ is to be read according to MiFID Law and Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II. In that regard, outsourcing arrangements comprise those that relate to ‘critical functions’ for the purpose of the recovery and resolution framework as defined under Article 1(64) of the BRRD Law.
[5] For credit institutions that belong to a network of a central body or are part of an institutional protection scheme (IPS) subject to the conditions laid down in Article 113(7) CRR, an outsourcing to a member of the network or of the IPS shall be considered as an intragroup outsourcing for the purpose of this circular.
10) Key function holders: persons who have significant influence over the direction of the In-Scope Entity but who are neither members of the management body nor the Chief Executive Officer (CEO).
In line with the specific provisions of Circular CSSF 12/552 and Circular CSSF 20/758, they include the heads of internal control functions and may include the Chief Financial Officer (CFO), where they are not members of the management body, and, where identified on a risk-based approach by institutions, other key function holders.
Other key function holders might include heads of significant business lines, European Economic Area/European Free Trade Association branches, third country subsidiaries and other internal functions.
11) Management body: an In-Scope Entity’s body or bodies, which are appointed in accordance with national law, which are empowered to set the In-Scope Entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making and include the persons who effectively direct the business of the In-Scope Entity and the directors and persons responsible for the management of the In-Scope Entity.
In accordance with the relevant CSSF circulars as applicable, the term management body encompasses the notions of authorised management, board of directors or board of managers and/or supervisory board and executive board.
12) Member State: Member State of the European Union. This term includes EEA countries other than EU countries as a matter of principle.
13) a. Outsourcing: an arrangement of any form between an In-Scope Entity and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the In-Scope Entity itself.
b. Sub-outsourcing: a situation where the service provider under an outsourcing arrangement further transfers an outsourced function to another service provider (the “sub-contractor”).
There may be multiple sub-outsourcing arrangements within a same outsourcing arrangement. Sub-outsourcing may also be referred to as a ‘chain of outsourcing’, or ‘chain-outsourcing’.
14) Service provider: a third-party entity that is undertaking an outsourced process, service or activity, or parts thereof, under an outsourcing arrangement.
In this context, a group entity shall be considered as a third-party entity.
15) Third country: a State other than a Member State of the European Economic Area.
Abbreviations and acronyms:
16) AML/CFT Law: Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended
17) BRRD Law: Law of 18 December 2015 on the resolution, reorganisation and winding up measures of credit institutions and certain investment firms and on deposit guarantee and investor compensation schemes, as amended
18) BRRD institution: a credit institution or a BRRD investment firm according to Article 59-15, point 13 LFS
19) CRR: Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms
20) DORA: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU)
21) EBA: the European Banking Authority
22) ECB: European Central Bank
23) EEA: European Economic Area
24) ESMA: the European Securities and Markets Authority
25) GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
26) ICT: Information and Communication Technology
27) LFS: Law of 5 April 1993 on the financial sector, as amended
28) LPS: Law of 10 November 2009 on payment services, as amended
29) MiFID II: Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU
30) MiFID Law: Law of 30 May 2018 on markets in financial instruments, as amended
31) UCITS Law: Law of 17 December 2010 relating to undertakings for collective investment, as amended
Chapter 2. Scope of application and proportionality
2. This circular defines the supervisory expectations that must be complied with when resorting to outsourcing arrangements.
Part I of this circular applies to the following In-Scope Entities when performing outsourcing other than ICT outsourcing [6]:
[6] For the sake of clarity, these entities are not required to include their ICT outsourcing arrangements in the register referred to in section 4.2.7.
- credit institutions [7][8], including their branches, within the meaning of the LFS.
- investment firms, including their branches, within the meaning of the LFS.
- payment institutions and electronic money institutions, including their branches, (each referred to as a payment institution) within the meaning of the LPS. Account information service providers (AISP) that only provide the service in point 8 of Annex of the LPS are not included in the scope of application of this circular. Any reference made in this circular to ‘payment services’ includes payment services or issuance of electronic money provided by electronic money institutions;
This circular applies in full (Part I and Part II) to the following In-Scope Entities:
- specialised and support professionals of the financial sector (PFS) including their branches, within the meaning of the LFS. Branches in Luxembourg of PFS incorporated under foreign law shall be deemed to be included in the notion of PFS;
- POST Luxembourg governed by the Law of 15 December 2000 on postal financial services [9]. All provisions that apply to payment institutions shall also apply to POST Luxembourg;
- branches in Luxembourg of credit institutions, investment firms and payment institutions incorporated in a third country. They shall be deemed to be included in the notion of credit institution, investment firm and payment institution respectively.
This circular applies also in full to the following entities established in Luxembourg when performing ICT outsourcing:
- management companies authorised only under Article 125-1 of Chapter 16 of the UCITS Law
This circular must be complied with by In-Scope Entities when designing the internal governance arrangements in the context of their business model taken as a whole, giving in particular due consideration to those activities that are regulated by the LFS, the LPS or any other national law conferring a competence to the CSSF. Consequently, this circular also applies when In-Scope Entities provide investment services and perform investment activities in accordance with the MiFID Law, develop internal governance arrangements in the context of the AML/CFT Law or provide asset management services and depositary tasks for Undertakings for Collective Investments established in Luxembourg.
[7] The ECB is the competent authority for the prudential supervision of significant credit institutions (significant institutions – SIs). SIs shall refer to the relevant ECB rules (if any).
[8] This circular shall apply to (mixed) financial holding companies that are approved in accordance with Article 34-2 LFS. See also Circular CSSF 12/552, point 3, Part I.
[9] For the sake of clarity, the wording “postal financial services” has the meaning provided for in Article 1 of the Law of 15 December 2000 as amended.
Branches in Luxembourg of the aforementioned types of entities that are part of a legal entity whose head office is located in a different Member State of the EEA (EEA branches) are subject to the supervision of the competent authority of that Member State (home Member State). However, as the CSSF is competent for ensuring that EEA branches comply with the specific requirements laid down in the thematic or sectoral frameworks [10], Part I of this circular applies if EEA branches outsource functions that belong to areas for which the CSSF retains an oversight responsibility, except for ICT outsourcing [11]. While this circular does not impose specific requirements with regard to internal governance arrangements of EEA branches, such branches are nevertheless expected to adopt internal governance arrangements which are comparable to those provided for in this circular, in coordination with their head office.
3. The provisions of this circular shall apply to all In-Scope Entities on an individual basis. Credit institutions and investment firms shall also comply with this circular on a sub-consolidated and consolidated basis, taking into account their prudential scope of consolidation. Credit institutions and investment firms that are a parent undertaking shall ensure that the internal governance arrangements, processes and mechanisms in their subsidiaries are consistent, well integrated and appropriate for the effective application of this circular at all relevant levels of supervision [12].
4. In-Scope Entities shall, when complying with this circular, have regard to the principle of proportionality. According to this principle, In-Scope Entities shall take implementing measures that are proportionate to their size and their internal organisation as well as to the nature, scale and complexity of their activities or services, including their risks. As such, In-Scope Entities that are large, complex or engage in risky activities or services shall adopt a more robust framework for their central administration, internal governance and risk management. By contrast, In-Scope Entities may apply a less elaborated framework where justified by their size and internal organisation as well as by the nature, scale and complexity of their activities or services, including their risks.
[10] notably in the context of investment services in accordance with the MiFID Law, the AML/CFT Law, the provision of asset management services and depositary tasks for Undertakings for Collective Investments established in Luxembourg.
[11] Those arrangements are covered by Circular CSSF 25/882 on requirements on the use of ICT third-party services for Financial Entities subject to DORA and DORA regulation.
[12] Where a waiver has been granted pursuant to Article 10 CRR to cooperative societies or Article 7 CRR, the provisions of this circular shall be applied at the level of the parent undertaking including its subsidiaries or by the central body and its affiliates as a whole.
5. That said, outsourcing arrangements may have an impact on the risk profile of the In-Scope Entities, notably the operational risk they may be exposed to (e.g. disruption risk). Consequently, In-Scope Entities may need to enhance their internal control framework and procedures to integrate this modified risk dimension into their entity-wide risk management framework.
6. To support the appropriate implementation of this circular, In-Scope Entities shall document their proportionality analysis in writing and have their conclusions approved by the management body.
Chapter 3. General principles governing outsourcing arrangements and intragroup outsourcing
Sub-chapter 3.1 General principles governing outsourcing arrangements
7. Outsourcing is a means for In-Scope Entities to get relatively easy access to expertise, including in the space of new technologies, and to achieve economies of scale and therefore improve cost efficiency. However, the implementation of outsourcing arrangements by In-Scope Entities creates specific risks and shall be subject to specific requirements in accordance with Articles 36-2 LFS, 37-1(5) LFS, 11(4) LPS and 24-7(4) LPS, where applicable.
Outsourcing arrangements shall be subject to the following principles:
- Outsourcing arrangements shall be subject to appropriate oversight and may, in no circumstances, lead to the circumvention of the spirit and letter of regulatory requirements or prudential measures.
- When outsourcing operational tasks to a service provider, the In-Scope Entity shall ensure that those operational tasks are effectively performed. In-Scope Entities shall perform an appropriate monitoring and auditing of outsourcing arrangements, including through the receiving of appropriate reports in line with section 4.3.3 and with section 4.2.6 and sub-section 4.3.2.3, respectively.
- The responsibility of the management body for the In-Scope Entity and all its activities can never be outsourced:
• Any outsourcing that would result in the delegation by the management body of its responsibility, altering the relationship and obligations of the In-Scope Entities towards their clients, undermining the conditions of their authorisation or removing or modifying any of the conditions subject to which the In-Scope Entity’s authorisation was granted, shall not be permitted.
• The In-Scope Entity remains fully responsible for compliance with regulatory requirements including in the case of sub-outsourcing, as sub-outsourcing can change the risk and reliability of outsourcing arrangements. Therefore, the In-Scope Entity must determine whether sub-outsourcing is authorised and adapt its internal governance and risk management framework with regard to sub-outsourcing, in particular regarding critical or important outsourcing arrangements, while the initial service provider also has monitoring obligations.
- Outsourcing arrangements shall not create undue operational risks. The risks to be considered include those associated with the relationship with the service provider, the risk caused by allowing for sub-outsourcing, the concentration risk posed by multiple outsourcing arrangements to the same service provider and/or the concentration risk posed by outsourcing critical or important functions to a limited number of service providers. In-Scope Entities shall in any case manage concentration and dependence risks appropriately.
- Outsourcing shall not impair the quality and independence of In-Scope Entities’ internal controls or the ability of those entities to oversee and supervise compliance with regulatory requirements and to continue their activities under a going concern.
- Outsourcing must not lead to a situation where In-Scope Entities would be in breach with legal or regulatory requirements on central administration and become empty shells that lack the substance to remain authorised. To this end, management bodies shall ensure that, including in a context of an outsourcing of functions to a parent entity or other group entities, sufficient resources are available to appropriately support and ensure the performance of their responsibilities, including overseeing the risks and managing the outsourcing arrangements.
- When outsourcing, In-Scope Entities must ensure that all requirements of this circular are met on an ongoing basis. Functions that are considered critical under a resolution perspective may also be outsourced subject to not creating impediments to the resolvability of the BRRD institution.
8. When performing outsourcing arrangements that involve information subject to confidentiality requirements, In-Scope Entities shall put in place appropriate confidentiality arrangements and ensure compliance with Article 41(2a) LFS or Article 30(2a) LPS, where applicable.
9. In-Scope Entities shall comply with GDPR and the requirements of the Luxembourg competent authority in this area, namely the “Commission Nationale pour la Protection des Données” (CNPD).
10. Outsourcing may, in no circumstances, hamper the performance of supervisory powers by competent authorities with regard to all aspects of supervisory relevance. Outsourcing arrangements shall in particular not impact the competent authorities’ ability to oversee and supervise In-Scope Entities’ compliance with legal or regulatory requirements under a going concern or BRRD institutions’ regulatory compliance from a resolution perspective.
Sub-chapter 3.2 Intragroup outsourcing
11. Intragroup outsourcing is not necessarily less risky than outsourcing to an entity outside the group. Intragroup outsourcing is therefore subject to the same regulatory framework and conditions as outsourcing to service providers outside the group. Where In-Scope Entities intend to outsource to entities within the same group, they shall also ensure that the reason for selecting a group entity is based on objective reasons. In particular, the group entity shall be suitable and the outsourcing arrangement may not expose the In-Scope Entities to an undue conflict of interest.
12. When outsourcing within the same group, In-Scope Entities may have a higher level of control over and information about the outsourced function and the service provider, which they could take into account in their risk assessment. In-Scope Entities shall however not exclusively rely on their group entities for the management of the outsourcing and shall design procedures for the performance of appropriate monitoring and oversight at the level of the In-Scope Entity itself to ensure compliance with the requirements set out in this circular.
13. Subject to the general principles set out in sub-chapter 3.1, In-Scope Entities that use centrally provided governance arrangements shall therefore comply with the following:
a. where In-Scope Entities have outsourcing arrangements with service providers within the group, the management body of the In-Scope Entity retains, also for these outsourcing arrangements, full responsibility for compliance with the regulatory requirements and the effective application of this circular;
b. where In-Scope Entities have outsourcing arrangements with a service provider within the group, the In-Scope Entity shall ensure that those outsourcing arrangements, including operational tasks that are outsourced, are effectively performed. In-Scope Entities shall perform an appropriate monitoring and auditing of outsourcing arrangements, including through the receiving of appropriate reports, in line with section 4.3.3 and with section 4.2.6 and sub-section 4.3.2.3, respectively.
14. In addition to point 13 above, In-Scope Entities within a group shall take into account the following:
a. where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), In-Scope Entities shall ensure that both the independent monitoring of the service provider and its appropriate oversight by each In-Scope Entity is possible, including by receiving, at least annually and upon request, from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring and by