Article I.4.2.2

Section 4.2.2 Sound governance arrangements for outsourcing

CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806

33. The outsourcing of functions shall not result in the delegation of the management body’s responsibilities. The management body remains fully responsible and accountable for complying with all of their regulatory obligations or their responsibilities to their customers, including the ability to oversee the outsourcing of critical or important functions.

34. The management body is at all times fully responsible and accountable for at least:

a. ensuring that the In-Scope Entity meets on an ongoing basis the conditions with which it must comply to remain authorised, including any conditions imposed by the competent authority;

b. the internal organisation of the In-Scope Entity;

c. the identification, assessment and management of conflicts of interest;

d. the setting of the In-Scope Entity’s strategies and policies (e.g. the business model, the risk appetite, the risk management framework);

[18] Please also refer to Articles 6, 7, 24-2 and 24-3 LPS, when applicable.

[19] Please refer to Circular CSSF 20/750 on ICT and security risk management.

e. overseeing the day-to-day management of the In-Scope Entity, including the management of all risks associated with outsourcing; and

f. the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making.

35. Outsourcing shall not lower the suitability requirements applied to the In-Scope Entity’s management body and key function holders. In-Scope Entities shall have adequate competence, sufficient and appropriately skilled resources to ensure an appropriate management and oversight of outsourcing arrangements.

36. In-Scope Entities shall:

a. clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements;

b. allocate sufficient skilled resources to ensure compliance with the legal and regulatory requirements, including this circular and the documentation and monitoring of all outsourcing arrangements;

c. for each outsourced activity, designate from among its employees a person who will be in charge of managing the outsourcing relationship(s) and managing access to confidential data; and

d. establish an outsourcing function or designate a sufficiently senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the In-Scope Entity’s internal control framework and overseeing the documentation of outsourcing arrangements. Small entities [20] shall at least ensure a clear and sound division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the In-Scope Entity’s management body.

37. In-Scope Entities shall maintain at all times sufficient substance and not become ‘empty shells’ or ‘letter-box entities’. To this end, they shall:

a. meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in point 34;

b. retain a clear and transparent organisational framework and structure that enables them to ensure compliance with legal and regulatory requirements;

[20] Credit institutions and investment firms shall refer to Circulars CSSF 12/552 and CSSF 20/758 to perform the assessment of small entities.

c. exercise appropriate oversight and be able to manage the risks that are generated by the outsourcing of critical or important functions, in particular where operational tasks of internal control functions, of the financial and accounting function or of core business activities are outsourced; and

d. have sufficient skilled resources and capacities to ensure compliance with points a. to c. above.

38. When setting up an outsourcing arrangement, In-Scope Entities shall at least ensure that:

a. they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced;

b. they maintain the orderliness of the conduct of their business and, for credit institutions and payment institutions, the banking and payment services they provide;

c. the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech);

d. appropriate confidentiality arrangements are in place regarding data and other information;

e. an appropriate flow of relevant information with service providers is maintained;

f. with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame:

i. transfer the function to alternative service providers;

ii. reintegrate the function; or

iii. discontinue the business activities that depend on the function;

g. where personal data are processed by service providers located in the EEA and/or third countries, appropriate measures are implemented and data are processed in accordance with GDPR;

h. appropriate confidentiality arrangements are in place and ensure compliance with Article 41(2a) LFS or Article 30(2a) LPS, where applicable.