Article I.4.2.3

Section 4.2.3 Outsourcing policy

CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806

39. The management body of an In-Scope Entity that has outsourcing arrangements in place or plans on entering into such arrangements shall approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For credit institutions and investment firms, the outsourcing policy shall, in particular, take into account the requirements pertaining to “New Product Approval Process”[21].

40. The policy shall include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy shall cover at least:

a. the responsibilities of the management body in line with points 33 and 34, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions;

b. the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements;

c. the planning of outsourcing arrangements, including:

i. the definition of business requirements regarding outsourcing arrangements;

ii. the criteria, including those referred to in points 18 to 20, and processes for identifying critical or important functions;

iii. risk identification, assessment and management in accordance with points 66 to 70;

iv. due diligence checks on prospective service providers, including the measures required under points 71 to 75;

v. procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with points 43 to 46;

vi. business continuity planning in accordance with points 47 to 50;

vii. the approval process of new outsourcing arrangements. This process must consider the additional time requirement due to the prior notification to the competent authority in accordance with points 59 and 60;

d. the implementation, monitoring and management of outsourcing arrangements, including:

i. the ongoing assessment of the service provider’s performance in line with points 104 to 110;

[21] Please refer to Part II, sub-chapter 7.3 of Circular CSSF 12/552 for credit institutions or to Part II, sub-chapter 7.3 of Circular CSSF 20/758 for investment firms.


ii. the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing);

iii. the independent review and audit of compliance with legal and regulatory requirements and policies;

iv. the renewal processes;

e. the documentation and record-keeping, taking into account the requirements set out in points 53 to 58;

f. the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible, taking into account possible service interruptions or the unexpected termination of an outsourcing agreement, in line with points 111 to 113.

41. The outsourcing policy shall differentiate between the following:

a. outsourcing of critical or important functions and other outsourcing arrangements;

b. outsourcing to service providers that are authorised by a relevant competent authority in a Member State or in a third country and those that are not;

c. intragroup outsourcing arrangements and outsourcing to entities outside the group; and

d. outsourcing to service providers located within a Member State and third countries.

42. In-Scope Entities shall ensure that the outsourcing policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process:

a. the In-Scope Entity’s risk profile;

b. the ability to oversee the service provider and to manage the risks;

c. the business continuity measures; and

d. the performance of their business activities.
