Section 4.2.7 Documentation requirements
CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806
53. In-Scope Entities shall maintain an updated register of information on all outsourcing arrangements at individual level and, as applicable, at sub-consolidated and consolidated levels, as set out in point 3, and shall appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. In-Scope Entities shall maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period in accordance with Luxembourg law.
54. For the purposes of prudential supervision, the register shall include at least the following information for all existing outsourcing arrangements:
a. a reference number for each outsourcing arrangement;
Footnote 23: In case of outsourcing to a cloud computing infrastructure, the parametrisation of continuity measures may be performed by the In-Scope Entities.
CIRCULAR CSSF 22/806 as amended by Circular CSSF 25/883
b. the start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the service provider and for the In-Scope Entity;
c. a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider;
d. a category assigned by the In-Scope Entity that reflects the nature of the function as described under point (c) (e.g. ICT, internal control functions), which shall facilitate the identification of different types of arrangements;
e. the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any);
f. the country or countries where the service is to be performed, including the location (i.e. country or region) of the data;
g. whether or not (yes/no) the outsourced function is considered critical or important, including a brief summary of the reasons why the outsourced function is or is not considered critical or important;
h. in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored;
i. the date of the most recent assessment of the criticality or importance of the outsourced function.
55. For the outsourcing of critical or important functions, the register shall include the following additional information:
a. the In-Scope Entities and other firms within the scope of the prudential consolidation, as applicable, that make use of the outsourcing;
b. whether or not the service provider or sub-contractor is part of the group or is owned by In-Scope Entities within the group;
c. the date of the most recent risk assessment and a brief summary of the main results;
d. the individual or decision-making body (e.g. the management body) in the In-Scope Entity that approved the outsourcing arrangement;
e. the governing law of the outsourcing agreement;
f. the dates of the most recent and next scheduled audits, where applicable;
g. where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the sub-contractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored;
h. the outcome of the assessment of the service provider’s substitutability (as easy, difficult or impossible), the possibility of reintegrating a critical or important function into the In-Scope Entity or the impact of discontinuing the critical or important function;
i. identification of alternative service providers in line with point (h);
j. whether the outsourced critical or important function supports business operations that are time-critical;
k. the estimated annual budget cost;
l. the date of the prior notification to the competent authority in accordance with points 59 and 60, as applicable.
56. In-Scope Entities shall, upon request, make available to the competent authority either the full register of all existing outsourcing arrangements or sections specified thereof, such as information on all outsourcing arrangements falling under one of the categories referred to in point 54(d) (e.g. all ICT outsourcing arrangements).
57. In-Scope Entities shall appropriately document the assessments made under points 66 to 103 and the results of their ongoing monitoring (e.g. performance of the service provider, compliance with agreed service levels, other contractual and regulatory requirements, updates to the risk assessment).
58. In-Scope Entities shall, upon request, make available to the competent authority all information necessary to enable the competent authority to execute its effective supervision, including a copy of the outsourcing agreement.
Section 4.2.8 Supervisory conditions for outsourcing
59. An In-Scope Entity that intends to outsource a critical or important function [24] shall notify in advance its plans to the competent authority using the instructions and, where available, the forms on the CSSF website. Such a notification is to be submitted at least three (3) months before the planned outsourcing comes into effect. When resorting to a Luxembourg support PFS governed by Articles 29-1 to 29-6 LFS, this notice period is reduced to one (1) month. Any planned outsourcing arrangement which has not been notified within the above notification period and/or without using the instructions and, where applicable, the forms available on the CSSF website will be considered as not notified.
60. The notification is without prejudice to the supervisory measures or the application of binding measures and/or administrative sanctions which the competent authority might take as part of its ongoing supervision, where it appears that these outsourcing projects do not comply with the applicable legal and regulatory framework.
In any event, In-Scope Entities remain fully responsible for complying with all the relevant laws and regulations as regards the planned outsourcing projects.
61. Should credit institutions or payment institutions outsource functions of banking activities or payment services to a service provider located in Luxembourg or another Member State, to an extent that the performance of that function would require authorisation or registration where such activities would be carried out in Luxembourg, such an outsourcing shall take place only if one of the following conditions is met:
a. the service provider is authorised or registered by a relevant competent authority in that Member State to perform such banking activities or payment services; or
b. the service provider is otherwise allowed to carry out those banking activities or payment services in accordance with the relevant national legal framework.
Footnote 24: An In-Scope Entity shall also notify the competent authority in case of material changes to existing outsourcing arrangements (e.g. in case such material changes impact a critical or important outsourced function or lead to an outsourcing arrangement becoming critical or important) without undue delay.
62. Should credit institutions or payment institutions outsource functions of banking activities or payment services to a service provider located in a third country, to an extent that the performance of that function would require authorisation or registration where such activities would be carried out in Luxembourg, such an outsourcing shall take place only if the following conditions are met:
a. the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a ‘supervisory authority’); and
b. there is an appropriate cooperation agreement [25], e.g. in the form of a memorandum of understanding or college agreement, between the competent authority and the supervisory authorities responsible for the supervision of the service provider. In-Scope Entities shall contact the CSSF in the early planning stages of their planned outsourcing arrangement to ascertain that cooperation arrangements between the CSSF and the third country supervisory authority are or can be put in place.
63. For the purposes of points 61 and 62, the outsourcing of functions of banking activities to an extent that the performance of that function would require authorisation or registration where such activities would be carried out in Luxembourg shall apply in the event where a credit institution [26] intends to proceed to the outsourcing of a material proportion of the activity that consists in the taking of deposits and other repayable funds from the public [27].
64. The outsourcing to a service provider located in Luxembourg that relates to services subject to an authorisation requirement in accordance with Articles 29-1 to 29-6 LFS shall take place only if one of the following conditions is met:
a. the service provider is authorised by the CSSF in accordance with Articles 29-1 to 29-6 LFS to provide such services; or
b. the service provider is otherwise allowed to carry out those services, i.e. it is a credit institution or it is an entity falling under the scope of Article 1-1(2)(c) LFS that is part of the group to which the In-Scope Entity belongs and which exclusively deals with group transactions.
Footnote 25: Cooperation agreements may take the form of a Memorandum of Understanding or of a dedicated agreement concluded between the competent authority and a third country supervisory authority in the context of the prudential supervision of a specific In-Scope Entity. A list of MoUs that have been signed by the CSSF is available on the CSSF website. The list of MoUs signed by the ECB is available on the ECB website.
Footnote 26: or POST Luxembourg.
Footnote 27: In accordance with Article 2(3) LSF, persons or undertakings other than credit institutions are prohibited from carrying out the business of taking deposits or other repayable funds from the public.
Sub-chapter 4.3 Outsourcing process
Section 4.3.1 Pre-outsourcing analysis
65. Before entering into any outsourcing arrangement, In-Scope Entities shall:
a. assess if the outsourcing arrangement concerns a critical or important function;
b. assess if the supervisory conditions for outsourcing are met;
c. identify and assess all of the relevant risks of the outsourcing arrangement;
d. undertake appropriate due diligence on the prospective service provider; and
e. identify and assess conflicts of interest that the outsourcing may cause.
Sub-section 4.3.1.1 Risk assessment of outsourcing arrangements
66. In-Scope Entities shall assess the potential impact of outsourcing arrangements on their operational capacity and risk, shall take into account the assessment results when deciding if the function shall be outsourced to a service provider and shall take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements.
67. The assessment shall include, where appropriate, scenarios of possible risk events, including high-severity operational risk events, in particular when the outsourcing arrangement relates to a critical or important function of the In-Scope Entity. Within the scenario analysis, In-Scope Entities shall assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. In-Scope Entities shall document the analysis performed and their results and shall estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Small entities may use qualitative risk assessment approaches, while other In-Scope Entities shall have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis.
68. When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider’s performance, In-Scope Entities shall, at least:
a. identify and classify the relevant functions and related data and systems as regards their risk sensitivity and required security measures;
b. conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced in order to address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored;
c. consider the consequences of where the service provider is located (within or outside the EEA) in accordance with points 61 to 64 and whether the service provider is supervised by a relevant competent authority;
d. consider the political stability and security situation of the jurisdictions in question, including:
i. the laws in force, including laws on data protection;
ii. the law enforcement provisions in place; and
iii. the insolvency law provisions that would apply in the event of a service provider’s failure and any constraints that would arise in respect of the urgent recovery of the In-Scope Entity’s data in particular;
e. define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the (intended) outsourcing. In-Scope Entities shall also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture;
f. consider whether the service provider is a subsidiary or parent undertaking of the In-Scope Entity or is included in the scope of accounting consolidation and, if so, the extent to which the In-Scope Entity controls it or has the ability to influence its actions.
69. Within the risk assessment, In-Scope Entities shall also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least:
a. concentration risks, including from:
i. outsourcing to a dominant service provider that is not easily substitutable; and
ii. multiple outsourcing arrangements with the same service provider or closely connected service providers;
b. the aggregated risks resulting from outsourcing several functions across the In-Scope Entity and, in the case of groups of In-Scope Entities, the aggregated risks on a consolidated basis;
c. in the case of significant In-Scope Entities [28], the step-in risk, i.e. the risk that may result from the need to provide financial support to a service provider in distress or to take over its business operations; and
d. the measures implemented by the In-Scope Entity and by the service provider to manage and mitigate the risks.
70. Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions, or material parts thereof, to other service providers, In-Scope Entities shall take into account:
a. the risks associated with sub-outsourcing, including the additional risks that may arise if the sub-contractor is located in a third country or a different country from the service provider;
b. the risk that long and complex chains of sub-outsourcing reduce their ability to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them.
Sub-section 4.3.1.2 Due diligence
71. Before entering into an outsourcing arrangement and considering the operational risks related to the function to be outsourced, In-Scope Entities shall ensure in their selection and assessment process that the service provider is suitable.
72. In-Scope Entities shall ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, ICT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the function in a reliable and professional manner to meet its obligations over the duration of the draft contract.
73. Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to:
a. its business model, nature, scale, complexity, financial situation, ownership and group structure;
b. the long-term relationships with service providers that have already been assessed and perform services for the In-Scope Entity;
c. whether the service provider is a parent undertaking or subsidiary of the In-Scope Entity or is part of the scope of accounting consolidation of the In-Scope Entity;
Footnote 28: In particular entities that are in scope of art. 59-3 LFS.
d. whether or not the service provider is supervised by relevant competent authorities.
74. Where outsourcing involves the processing of personal or confidential data, In-Scope Entities shall be satisfied that the service provider implements appropriate technical and organisational measures to protect the data.
75. In-Scope Entities shall take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, In-Scope Entities shall be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour.
Section 4.3.2 Contractual phase
76. The rights and obligations of the In-Scope Entity and the service provider shall be clearly allocated and set out in a written outsourcing agreement.
77. The outsourcing agreement shall set out:
a. a clear description of the outsourced function to be provided;
b. the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the In-Scope Entity;
c. the governing law of the agreement;
d. the parties’ financial obligations;
e. whether the sub-outsourcing, in particular, of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in points 78 to 82 that the sub-outsourcing is subject to;
f. the location(s) (i.e. regions or countries) where the function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the In-Scope Entity if the service provider proposes to change the location(s);
g. where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as specified in points 83 to 87;
h. the right of the In-Scope Entity to monitor the service provider’s performance on an ongoing basis;
i. the agreed service levels, which shall include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met;
j. the reporting obligations of the service provider to the In-Scope Entity, including the communication by the service provider of any development that may have a material impact on the service provider’s ability to effectively carry out the function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements (including the obligation to report any significant problem having an impact on the outsourced functions as well as any emergency situation) and, as appropriate, the obligations to submit reports of the internal audit function of the service provider;
k. whether the service provider shall take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested;
l. the requirements to implement and test business contingency plans;
m. provisions that ensure that the data that are owned by the In-Scope Entity can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider;
n. the obligation of the service provider to cooperate with the competent authorities and, where applicable, resolution authorities of the In-Scope Entity, including other persons appointed by them;
o. for BRRD institutions, a clear reference to the national resolution authority’s [29] powers, especially to Articles 59-47 LFS, 66 and 69 of the BRRD Law, and in particular a description of the ‘substantive obligations’ of the contract in the sense of the Articles 59-47 LFS and 66 of the BRRD Law;
p. the unrestricted right of In-Scope Entities and competent authorities to inspect and audit the service provider, including in case of sub-outsourcing, with regard to, at least, the critical or important outsourced function, as specified in points 88 to 100;
q. termination rights as specified in points 101 to 103.
Sub-section 4.3.2.1 Sub-outsourcing
78. The outsourcing agreement shall specify whether or not sub-outsourcing, in particular of critical or important functions, or material parts thereof, is permitted.
79. If sub-outsourcing of critical or important functions is permitted, In-Scope Entities shall determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register.
Footnote 29: means an authority as defined in point (8) of Article 1 of the BRRD Law.
80. If sub-outsourcing of critical or important functions, or material parts thereof, is permitted, the written outsourcing agreement shall:
a. specify any types of activities that are excluded from sub-outsourcing;
b. specify the conditions to be complied with in the case of sub-outsourcing;
c. specify that the service provider is obliged to oversee those services that it has sub-contracted to ensure that all contractual obligations between the service provider and the In-Scope Entity are continuously met;
d. require the service provider to obtain prior specific or general written authorisation from the In-Scope Entity before sub-outsourcing data; [30]
e. include an obligation of the service provider to inform the In-Scope Entity of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of sub-contractors and to the notification period; in particular, the notification period to be set shall allow the In-Scope Entity at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect;
f. ensure, where appropriate, that the In-Scope Entity has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required;
g. ensure that the In-Scope Entity has the contractual right to terminate the agreement in the case of undue sub-outsourcing, e.g. where the sub-outsourcing materially increases the risks for the In-Scope Entity or where the service provider sub-outsources without notifying the In-Scope Entity.