On 27 March 2019, the Luxembourg supervisory authority for the financial sector (the Commission de surveillance du secteur financier or CSSF) published the long-awaited CSSF Circular 19/714 amending the CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure (the Revised Cloud Circular).
The Revised Cloud Circular (CSSF Circular 19/714) notably makes the following amendments to the CSSF Circular 17/654:
- inclusion of investment fund managers in the scope of application of the Revised Cloud Circular (in line with the CSSF Circular 18/698) in addition to all credit institutions and professionals of the financial sector (PFS) authorised under the Luxembourg law of 5 April 1993 on the financial sector, as amended (the Financial Sector Law), and all payment institutions and electronic money institutions (the Supervised Entities) authorised under the Luxembourg law of 10 November 2009 on payment services, as amended;
- deletion of the requirement to notify the CSSF of a cloud computing outsourcing of non-material activities in favour of maintaining a cloud register (the Cloud Register);
- introduction of the Cloud Register to be maintained by the Supervised Entities for all cloud computing outsourcing irrespective of whether the outsourced activities are material or non-material;
- replacement of the former “compliance table” under the initial CSSF Circular 17/654 by more specific and pragmatic forms available on the CSSF website; and
- in accordance with the general principle of proportionality, introduction of optionality for some requirements of the Revised Cloud Circular for non-material activities only (see point 3 below).
The CSSF also published the following explanatory documents helping to better understand the Revised Cloud Circular on its website:
- a guide to assist the Supervised Entities in qualifying the materiality of the activities; and
- an updated FAQ to assist the Supervised Entities in their analyses and procedures.
1. Compulsory Cloud Register
Supervised Entities falling under the scope of the Revised Cloud Circular shall maintain a Cloud Register under the form published by the CSSF on its website of all cloud computing infrastructure outsourcing, whether the outsourced activities are material or not. This Cloud Register shall be transmitted to the competent authority (the CSSF or the European Central Bank for Luxembourg credit institutions falling under its supervision, the Competent Authority) upon request.
Apart from investment fund managers, which will have one year to comply (i.e. no later than 27 March 2020), other Supervised Entities shall establish and complete their Cloud Register within six months as from the entry into force of the Revised Cloud Circular on 27 March 2019 (i.e. no later than 27 September 2019).
It is important that all Supervised Entities ensure compliance within the deadlines set by the Revised Cloud Circular, as the CSSF will carry out unannounced controls.
2. Prior Notification and Authorisation Forms for the Outsourcing of Material Activities
Supervised Entities intending to outsource material activities to a cloud computing infrastructure must notify the Competent Authority where any of the below conditions is met:
- the cloud computing service provider is an institution authorised under Articles 29-3 or 29-4 of the Financial Sector Law (i.e. a Primary IT systems operators of the financial sector or a Secondary IT systems and communication networks operators of the financial sector (the IT Support PFS) and resource operation is carried out either by the Supervised Entity or by an IT Support PFS; or
- resource operation is carried out by an IT Support PFS, where the latter is the signatory.
The notification form to be transmitted to the Competent Authority during the preliminary phase of the project is available on the CSSF website as the form A.
However, where none of the conditions set out above is met, Supervised Entities must electronically apply for a prior authorisation to the Competent Authority using the form B available on the CSSF website.
Similarly, a Supervised Entity intending to change its cloud computing service provider, its models or its resource operator must inform anew the Competent Authority in accordance with the requirements set out above (i.e. new notification or authorisation request).
But Supervised Entities wishing to terminate a cloud outsourcing which is material will have to notify the Competent Authority of their decision by using the specific notification form C available on the CSSF website.
3. Optionality of Some Requirements for Non-Material Activities Only
The Revised Cloud Circular also introduces a principle of proportionality according to which the implementing measures of the Competent Authority shall be adapted to the nature, scale and complexity of the activity outsourced, including the risks. Therefore, pursuant to the principle of proportionality, Supervised Entities may justify not applying the following requirements of the Revised Cloud Circular where only non-material activities are outsourced and in accordance with their risk analysis:
- notification by the cloud computing service provider in case of change of functionalities (point 27.j of the Revised Cloud Circular);
- notification by the resource operator in case of change of functionalities (point 27.k of the Revised Cloud Circular);
- continuity in case of resolution or reorganisation or another procedure (point 28.b of the Revised Cloud Circular);
- transfer of services in case the continuity is threatened (point 28.c of the Revised Cloud Circular);
- monitoring of activities (point 30 of the Revised Cloud Circular);
- contract under the European Union law (point 31.a of the Revised Cloud Circular);
- resiliency of the services in the European Union (point 31.b of the Revised Cloud Circular);
- right of audit for the Supervised Entity (point 31.j of the Revised Cloud Circular);
- details regarding the right of audit (point 32 of the Revised Cloud Circular); and
- exercise of the right of audit (point 33 of the Revised Cloud Circular).
Supervised Entities must briefly justify their decision not to apply limited requirements of the Revised Cloud Circular by completing the last part of their Cloud Register dedicated to these aspects.
Depending on whether the outsourcing is material or not and to various factors to be assessed in concreto in each case, the CSSF may impose the following penalties in order of increasing severity:
- a warning,
- a blame,
- a fine,
- one or more of the following measures:
- a temporary or definitive prohibition on the execution of any number of operations or activities, as well as any other restrictions on the activities of the person or entity,
- a temporary or definitive prohibition on participation in the profession by the de jure or de facto, directors or senior management personnel of persons or entities subject to the supervision of the CSSF.
The CSSF may also disclose to the public any penalties imposed, unless such disclosure would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.
Even if the Revised Cloud Circular is more flexible and based on a more decentralised approach than the initial CSSF Circular 17/654 in terms of notification and authorisation procedures, there are still important obligations for Supervised Entities, notably to establish and update regularly a Cloud Register. Supervised Entities should therefore ensure that sufficient attention is paid to the Revised Cloud Circular in the preparation and implementation of their cloud outsourcing projects.
The content of this article is intended to provide a general overview of the subject matter. Please contact us should you require any further information.
- “Material activity” means any activity that, when it is not carried out in accordance with the rules applicable to the Supervised Entity, reduces the Supervised Entity’s ability to meet the regulatory requirements or to continue its operations as well as any activity necessary for sound and prudent risk management.
- “Resource operation” means managing cloud computing resources made available through the client interface. By extension, “resource operator” means the natural or legal person that uses the client interface to manage the cloud computing resources.
- “Signatory” means the institution that signs the contract with the cloud computing service provider. Several cases can be distinguished to identify the signatory of a cloud computing service contract:
a. where the Supervised Entity itself is the resource operator, the service contract is signed between the Supervised Entity and the cloud computing service provider (the signatory is the Supervised Entity).
b. where a third party is in charge of resource operation, the contract shall be signed: (i) either between the Supervised Entity and the cloud computing service provider (the signatory is the Supervised Entity) or (ii) between the resource operator and the cloud computing service provider (the signatory is the resource operator).