Article I.4.3.1

Section 4.3.1 Pre-outsourcing analysis

CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806

65. Before entering into any outsourcing arrangement, In-Scope Entities shall:

a. assess if the outsourcing arrangement concerns a critical or important function;

b. assess if the supervisory conditions for outsourcing are met;

c. identify and assess all of the relevant risks of the outsourcing arrangement;

d. undertake appropriate due diligence on the prospective service provider; and

e. identify and assess conflicts of interest that the outsourcing may cause.

Sub-section 4.3.1.1 Risk assessment of outsourcing arrangements

66. In-Scope Entities shall assess the potential impact of outsourcing arrangements on their operational capacity and risk, shall take into account the assessment results when deciding if the function shall be outsourced to a service provider and shall take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements.

67. The assessment shall include, where appropriate, scenarios of possible risk events, including high-severity operational risk events, in particular when the outsourcing arrangement relates to a critical or important function of the In-Scope Entity. Within the scenario analysis, In-Scope Entities shall assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. In-Scope Entities shall document the analysis performed and their results and shall estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Small entities may use qualitative risk assessment approaches, while other In-Scope Entities shall have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis.

68. When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider’s performance, In-Scope Entities shall, at least:

a. identify and classify the relevant functions and related data and systems as regards their risk sensitivity and required security measures;

b. conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced in order to address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored;

c. consider the consequences of where the service provider is located (within or outside the EEA) in accordance with points 61 to 64 and whether the service provider is supervised by a relevant competent authority;

d. consider the political stability and security situation of the jurisdictions in question, including:

i. the laws in force, including laws on data protection;

ii. the law enforcement provisions in place; and

iii. the insolvency law provisions that would apply in the event of a service provider’s failure and any constraints that would arise in respect of the urgent recovery of the In-Scope Entity’s data in particular;

e. define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the (intended) outsourcing. In-Scope Entities shall also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture;

f. consider whether the service provider is a subsidiary or parent undertaking of the In-Scope Entity or is included in the scope of accounting consolidation and, if so, the extent to which the In-Scope Entity controls it or has the ability to influence its actions.

69. Within the risk assessment, In-Scope Entities shall also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least:

a. concentration risks, including from:

i. outsourcing to a dominant service provider that is not easily substitutable; and

ii. multiple outsourcing arrangements with the same service provider or closely connected service providers;

b. the aggregated risks resulting from outsourcing several functions across the In-Scope Entity and, in the case of groups of In-Scope Entities, the aggregated risks on a consolidated basis;


c. in the case of significant In-Scope Entities [28], the step-in risk, i.e. the risk that may result from the need to provide financial support to a service provider in distress or to take over its business operations; and

d. the measures implemented by the In-Scope Entity and by the service provider to manage and mitigate the risks.

70. Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions, or material parts thereof, to other service providers, In-Scope Entities shall take into account:

a. the risks associated with sub-outsourcing, including the additional risks that may arise if the sub-contractor is located in a third country or a different country from the service provider;

b. the risk that long and complex chains of sub-outsourcing reduce their ability to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them.

Sub-section 4.3.1.2 Due diligence

71. Before entering into an outsourcing arrangement and considering the operational risks related to the function to be outsourced, In-Scope Entities shall ensure in their selection and assessment process that the service provider is suitable.

72. In-Scope Entities shall ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, ICT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the function in a reliable and professional manner to meet its obligations over the duration of the draft contract.

73. Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to:

a. its business model, nature, scale, complexity, financial situation, ownership and group structure;

b. the long-term relationships with service providers that have already been assessed and perform services for the In-Scope Entity;

c. whether the service provider is a parent undertaking or subsidiary of the In-Scope Entity or is part of the scope of accounting consolidation of the In-Scope Entity;

d. whether or not the service provider is supervised by relevant competent authorities.

[28] In particular entities that are in scope of art. 59-3 LFS.

74. Where outsourcing involves the processing of personal or confidential data, In-Scope Entities shall be satisfied that the service provider implements appropriate technical and organisational measures to protect the data.

75. In-Scope Entities shall take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, In-Scope Entities shall be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour.