Article I.4.3.2

Section 4.3.2 Contractual phase

CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806

76. The rights and obligations of the In-Scope Entity and the service provider shall be clearly allocated and set out in a written outsourcing agreement.

77. The outsourcing agreement shall set out:

a. a clear description of the outsourced function to be provided;

b. the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the In-Scope Entity;

c. the governing law of the agreement;

d. the parties’ financial obligations;

e. whether the sub-outsourcing, in particular, of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in points 78 to 82 that the sub-outsourcing is subject to;

f. the location(s) (i.e. regions or countries) where the function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the In-Scope Entity if the service provider proposes to change the location(s);

g. where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as specified in points 83 to 87;

h. the right of the In-Scope Entity to monitor the service provider’s performance on an ongoing basis;

i. the agreed service levels, which shall include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met;

CIRCULAR CSSF 22/806 as amended by Circular CSSF 25/883

j. the reporting obligations of the service provider to the In-Scope Entity, including the communication by the service provider of any development that may have a material impact on the service provider’s ability to effectively carry out the function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements (including the obligation to report any significant problem having an impact on the outsourced functions as well as any emergency situation) and, as appropriate, the obligations to submit reports of the internal audit function of the service provider;

k. whether the service provider shall take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested;

l. the requirements to implement and test business contingency plans;

m. provisions that ensure that the data that are owned by the In-Scope Entity can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider;

n. the obligation of the service provider to cooperate with the competent authorities and, where applicable, resolution authorities of the In-Scope Entity, including other persons appointed by them;

o. for BRRD institutions, a clear reference to the national resolution authority’s[29] powers, especially to Articles 59-47 LFS, 66 and 69 of the BRRD Law, and in particular a description of the ‘substantive obligations’ of the contract in the sense of the Articles 59-47 LFS and 66 of the BRRD Law;

p. the unrestricted right of In-Scope Entities and competent authorities to inspect and audit the service provider, including in case of sub-outsourcing, with regard to, at least, the critical or important outsourced function, as specified in points 88 to 100;

q. termination rights as specified in points 101 to 103.

Sub-section 4.3.2.1 Sub-outsourcing

78. The outsourcing agreement shall specify whether or not sub-outsourcing, in particular of critical or important functions, or material parts thereof, is permitted.

79. If sub-outsourcing of critical or important functions is permitted, In-Scope Entities shall determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register.

[29] ‘Resolution authority’ means an authority as defined in point (8) of Article 1 of the BRRD Law.

80. If sub-outsourcing of critical or important functions, or material parts thereof, is permitted, the written outsourcing agreement shall:

a. specify any types of activities that are excluded from sub-outsourcing;

b. specify the conditions to be complied with in the case of sub-outsourcing;

c. specify that the service provider is obliged to oversee those services that it has sub-contracted to ensure that all contractual obligations between the service provider and the In-Scope Entity are continuously met;

d. require the service provider to obtain prior specific or general written authorisation from the In-Scope Entity before sub-outsourcing data;[30]

e. include an obligation of the service provider to inform the In-Scope Entity of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of sub-contractors and to the notification period; in particular, the notification period to be set shall allow the In-Scope Entity at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect;

f. ensure, where appropriate, that the In-Scope Entity has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required;

g. ensure that the In-Scope Entity has the contractual right to terminate the agreement in the case of undue sub-outsourcing, e.g. where the sub-outsourcing materially increases the risks for the In-Scope Entity or where the service provider sub-outsources without notifying the In-Scope Entity.

81. In-Scope Entities shall agree to sub-outsourcing critical or important functions, or material parts thereof, only if the sub-contractor undertakes to:

a. comply with applicable laws, regulatory requirements and contractual obligations; and

b. grant the In-Scope Entity and competent authority the same contractual rights of access and audit as those granted by the service provider.

82. In-Scope Entities shall ensure that the service provider appropriately oversees the sub-contractors, in line with the policy defined by the In-Scope Entity. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in point 81 above would not be met, the In-Scope Entity shall exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract.

[30] Please refer to Article 28 GDPR.

Sub-section 4.3.2.2 Security of data and systems

83. The confidentiality and integrity of data and systems shall be controlled throughout the outsourcing chain. In particular, access to data and systems shall fulfil the principles of “need to know” and “least privilege”, i.e. access shall only be granted to persons whose functions so require, for a specific purpose, and their privileges shall be limited to the strict necessary minimum to exercise their functions.

84. In-Scope Entities shall ensure that service providers, where relevant, comply with appropriate ICT security standards.

85. Where relevant (e.g. in the context of cloud or other ICT outsourcing), In-Scope Entities shall define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. Where, in the outsourcing agreement, security measures are made available by the service provider to the In-Scope Entities for personalized selection and configuration (notably for cloud outsourcing), In-Scope Entities shall ensure that proper selection and configuration take place, in line with the In-Scope Entity’s security policy and requirements.

86. In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, In-Scope Entities shall adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) which shall in particular take into account point 101 c, d and e and information security considerations and comply with the provisions of points 133 to 142.

87. Without prejudice to the requirements under GDPR, In-Scope Entities, when outsourcing (in particular to third countries), shall take into account differences in national provisions regarding the protection of data. In-Scope Entities shall ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the In-Scope Entity (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients’ information, where applicable, are observed).


Sub-section 4.3.2.3 Access, information and audit rights

88. In-Scope Entities shall ensure within the written outsourcing agreement that the internal audit function, the statutory auditor and the competent authority have a guaranteed access to the information relating to the outsourced functions using a risk-based approach in order to enable them to issue a well-founded opinion on the adequacy of the outsourcing. This access implies that they may also verify the relevant data kept by the service provider and, in the cases provided for in the applicable national law, have the power to perform on-site inspections of the service provider. The aforementioned opinion may, where appropriate, be based on the reports of the service provider’s external auditor. The written outsourcing agreement shall also provide that the internal control functions have access to any documentation relating to the outsourced functions, at any time and without difficulty, to maintain these functions’ continued ability to exercise their controls.

89. Regardless of the criticality or importance of the outsourced function, the written outsourcing agreement shall refer to the information gathering and investigatory powers of competent authorities under Articles 49, 53 and 59 LFS and Articles 31, 38 and 58-5 LPS and, where applicable, resolution authorities under Article 61(1) BRRD Law with regard to service providers located in a Member State and shall also ensure those rights with regard to service providers located in third countries.

90. With regard to the outsourcing of critical or important functions, In-Scope Entities shall ensure within the written outsourcing agreement that the service provider grants them, their statutory auditor and their competent authority, including, where applicable, their resolution authority, and any other person appointed by them or the competent authority or resolution authority, the following:

a. full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider’s external auditors (‘access and information rights’); and

b. unrestricted rights of inspection and auditing related to the outsourcing arrangement (‘audit rights’), including the possibility for the competent authority to communicate any observations made in this context to the In-Scope Entities, to enable them to monitor the outsourcing arrangement and to ensure compliance with the applicable regulatory and contractual requirements;

91. For the outsourcing of functions that are not critical or important, In-Scope Entities shall ensure the access and audit rights as set out in point 90 and sub-section 4.3.2.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. In-Scope Entities shall take into account that functions may become critical or important over time.

92. In-Scope Entities shall ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, their statutory auditors, competent authorities or third parties appointed by them to exercise these rights.

93. In-Scope Entities shall exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards.

94. Without prejudice to their final responsibility regarding outsourcing arrangements, In-Scope Entities may use:

a. pooled audits organised jointly with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease the organisational burden on both the clients and the service provider;

b. third-party certifications and third-party or internal audit reports, made available by the service provider.

95. For the outsourcing of critical or important functions, In-Scope Entities shall assess whether third-party certifications and reports as referred to in point 94(b) are adequate and sufficient to comply with their regulatory obligations and shall not rely solely on these reports over time.

96. In-Scope Entities shall make use of the method referred to in point 94(b) only if they:

a. are satisfied with the audit plan for the outsourced function;

b. ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the In-Scope Entity and the compliance with relevant regulatory requirements;

c. thoroughly assess the content of the certifications or audit reports on an ongoing basis and verify that the reports or certifications are not obsolete;

d. ensure that key systems and controls are covered in future versions of the certification or audit report;

e. are satisfied with the aptitude of the certifying or auditing party (e.g. with regard to rotation of the certifying or auditing company, qualifications, expertise, re-performance/verification of the evidence in the underlying audit file);


f. are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place;

g. have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification shall be reasonable and legitimate from a risk management perspective; and

h. retain the contractual right to perform individual audits at their discretion with regard to the outsourcing of critical or important functions.

97. In-Scope Entities shall, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes.

98. Before a planned on-site visit, In-Scope Entities, auditors or third parties acting on behalf of the In-Scope Entity or of the competent authority shall provide reasonable notice to the service provider, unless this is not possible due to an emergency or crisis situation or would lead to a situation where the audit would no longer be effective.

99. When performing audits in multi-client environments, care shall be taken to ensure that risks to another client’s environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated.

100. Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the In-Scope Entity shall verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the In-Scope Entity reviewing third-party certifications or audits carried out by service providers.

Sub-section 4.3.2.4 Termination rights

101. The outsourcing agreement shall expressly allow the possibility for the In-Scope Entity to terminate the arrangement in accordance with applicable law, including in the following situations:

a. where the service provider of the outsourced functions is in a breach of applicable law, regulations or contractual provisions;

b. where impediments capable of altering the performance of the outsourced function are identified;

c. where there are material changes affecting the outsourcing arrangement or the service provider (e.g. sub-outsourcing or changes of sub-contractors);


d. where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and

e. where instructions are given by the In-Scope Entity’s competent authority, e.g. in the case that the competent authority is, caused by the outsourcing arrangement, no longer in a position to effectively supervise the In-Scope Entity.

102. The outsourcing agreement shall facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the In-Scope Entity, whenever the continuity or quality of the service provision are likely to be affected. To this end, the written outsourcing agreement shall:

a. clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the In-Scope Entity, including the treatment of data;

b. set an appropriate transition period, during which the service provider, after the termination of the outsourcing arrangement, would continue to provide the outsourced function to reduce the risk of disruptions;

c. include an obligation of the service provider to support the In-Scope Entity in the orderly transfer of the function in the event of the termination of the outsourcing agreement; and

d. without prejudice to applicable law, include a commitment for the service provider to erase the data and systems of the In-Scope Entity within a reasonable timeframe when the contract is terminated.

103. The outsourcing arrangement shall not include any termination clause or service termination clause in case of bankruptcy, controlled management, suspension of payments, compositions and arrangements with creditors aimed at preventing bankruptcy or other similar proceedings. In particular, in the context of BRRD institutions, clauses triggering the termination or service termination because of resolution actions, reorganisation measures or a winding-up procedure as required in accordance with the BRRD Law are not allowed.

Section 4.3.3 Oversight of outsourced functions

104. In-Scope Entities shall monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the continuity of the services provided under the arrangement and the availability, integrity and security of data and information are ensured. Where the risk, nature or scale of an outsourced function has materially changed, In-Scope Entities shall reassess the criticality or importance of that function.


105. In-Scope Entities shall apply due skill, care and diligence when planning, implementing, monitoring and managing outsourcing arrangements.

106. In-Scope Entities shall regularly update their risk assessment in accordance with points 66 to 70 and shall periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions.

107. In-Scope Entities shall monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account points 66 to 70.

108. In-Scope Entities shall ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by:

a. ensuring that they receive appropriate reports from service providers;

b. evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and

c. reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing.

109. In-Scope Entities shall take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, In-Scope Entities shall follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, In-Scope Entities shall take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary.

110. In-Scope Entities[31] shall inform the competent authority with no delay of material changes and/or severe events regarding their outsourcing arrangements that could have a material impact on the continuing provision of their business activities, to allow the competent authority to assess whether regulatory action is needed.

[31] See also Circular CSSF 21/787.

Section 4.3.4 Exit plans

111. In-Scope Entities shall have a documented exit plan when outsourcing critical or important functions that is in line with their outsourcing policy, exit strategies and business continuity plans, taking into account at least the possibility of:

a. the termination of outsourcing arrangements;

b. the failure of the service provider;

c. the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function;

d. material risks arising for the appropriate and continuous application of the function.

112. In-Scope Entities shall ensure that they are able to exit outsourcing arrangements without undue disruption to their business activities, without limiting their compliance with regulatory requirements and without any detriment to the continuity and quality of its provision of services to clients. To achieve this, they shall:

a. develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and

b. identify alternative solutions and develop transition plans to enable In-Scope Entities to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the In-Scope Entity or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase.

113. When developing exit plans, In-Scope Entities shall:

a. define the objectives of the exit plan;