Cloud-based services, stronger governance and data protection are just some of the new provisions meant to simplify IT outsourcing for regulated entities. The Commission de Surveillance du Secteur Financier (CSSF) Circulars published in May could change the design of financial institutions’ operational processes in Luxembourg.
More support for cloud-based services
For a long time, the CSSF has discouraged financial institutions’ use of cloud infrastructure over doubts around sensitive data protection and transparency of internal controls. With the new provisions, the Luxembourg regulator supports the implementation of cloud-based solutions, for both consumers and providers of cloud technologies in Luxembourg.
Financial institutions that opt for IT outsourcing must make sure they take into account and manage the associated risks. They also have to comply with strict requirements for internal governance, risk management, business continuity and data protection. In particular, they have to put in place a Cloud Officer, whose job is to support governance and oversight objectives.
IT outsourcing abroad for confidential data
Firms can now process client-identifying data outside of Luxembourg by merely notifying the clients concerned. They must, however, assess the legal risks stemming from this approach and check whether notification is enough or whether they need to obtain consent.
Regulated entities can choose any IT service provider to operate their systems, including group-related ones.
Security watch and patch management
The new provisions put a spotlight on security measures as well. Credit institutions and investment firms need to implement a security watch process. They have to be able to quickly identify their weaknesses and implement security patches when necessary. As a result, companies have to equip their teams with technical know-how and strengthen their governance to increase reactivity.