Jasper Ronda, Senior Manager, and Marina Carrer, Manager, Regulatory Consulting expertise at Arendt. Marie Russillo Maison Moderne

Jasper Ronda, Senior Manager, and Marina Carrer, Manager, Regulatory Consulting expertise at Arendt. Marie Russillo Maison Moderne

This year, the CSSF published Circular 22/806. For investment fund managers, the circular imposes specific requirements about outsourced ICT services.

Let’s start with CSSF Circular 18/698. What was it?

 Circular 18/698 aimed at providing further clarification on authorization processes and conditions for investment fund managers (IFMs), while setting out the fundamental governance and organizational structures which are expected in terms of substance. If, on the one hand, the circular mirrored existing practices, on the other, it also introduced details and new requirements, including those related to delegated activities, the heart of our discussion today.

Rules for delegation and oversight have been particularly enhanced. Among other things, the Circular defined a three-level delegation oversight model. The first being the initial due diligence to assess if a delegate has the necessary knowledge, resources and processes to perform the service. The information must be requested, gathered, analysed, and then put into a final report – all before signing the contract, which is of utmost importance. Once the contract has been signed, we move into the monitoring phase, which can be split into ongoing oversight and periodic due diligence.

What changes does CSSF Circular 22/806 put into place?

 Circular 22/806 incorporates guidelines from the European level, broadens the scope and centralises rules from other circulars into one, including rules related to ICT that were already applicable. Circular 22/806 follows the same principle that Marina described about Circular 18/698. If you outsource something, you need to do initial due diligence and oversee the service provider. The scope can be different though. If you are an IFM, the outsourcing rules only apply to ICT services, whereas that restriction to ICT is not applicable to other entities concerned by the circular.

IFMs now have to look at all of their ICT outsourcing, and the definition is very broad and includes every sort of service imaginable. They need to build a framework or review existing frameworks of due diligence and contracts.

M. C. Taking a step back, what is quite challenging for IFMs is that, when Circular 18/698 came out, the IT function was for the first time mentioned as an IFM function. The circular significantly impacted how IFMs were operating. Due to delegation models, IFMs have been undertaking substantial efforts to implement requirements on an ongoing basis, some of which might still be adequate, but many of which might not be in the context of ICT outsourcing, considering CSSF Circular 22/806.

What sorts of pressures are IFMs in Luxembourg facing?

J. R. Circular 22/806 applies already now to new outsourcings, but existing relationships also need to be compliant by the end of the year, so, for many IFMs, the pressure is on. Some IFMs are on track, but many are not. What’s also tricky is that the circular applies to different actors in different ways and there is limited guidance on how proportionality is applied. It can be hard to see which level of documentation and due diligence one needs to apply to different levels of IT outsourcing because there is no further explanation of how to apply the principle of proportionality. However, this also means that we don’t have to apply the same principle to each delegate regardless of the level of risk and that we must adapt the approach.

Are there some other important elements to know about?

M. C. On top of elements such as audit rights and contractual clauses, the termination phase with a delegate is of paramount importance. A clear and defined exit plan must be put in place and considered as from the beginning of the relationship. Such exit strategy can be materialized through either the substitution of the delegate or via the insourcing of the activities. Neither of these approaches are necessarily easy and immediate to implement. For instance, if the plan is to insource, you would need to demonstrate that you now have the resources, knowledge and expertise in-house, as well as obtain prior authorization from the regulator.

J. R. It’s one thing to say you’ve done the job, but the key is to be able to demonstrate it to the regulator. The CSSF exercises oversight and performs on-site visits, and before they come, they ask for a great number of documents such as contracts, reports of due diligence and questionnaires. Gathering and centralising everything does pose a challenge. Having the right tools is really helpful. At Arendt, we created a tool that ensures that an organisation can more easily navigate oversight requirements with solid processes, all while gathering and centralising important documents. 

What are some tips for IFMs to remain compliant?

M. C. When the CSSF performs a review, it is based not only on what they have recently received, but also on what was reported by the entity in the past months or years. The CSSF compares all information they have on record and what is given to them during an on-site visit, and it even goes back to the very early stages of an entity, to the initial application file provided. This is why we urge our clients, when they set up new structures, to put in place solid processes and governance from the outset, which should then also be put in practice. Being appropriately guided and assisted from the start is key.

J. R. For the CSSF, if it’s not documented, it doesn’t exist. If you say you meet a delegate every month or quarter for a service review meeting but there is no evidence of that, then the CSSF considers it as non existent. So, if you have a meeting with a service provider in which you discuss your concerns about something but the meeting is not documented, the regulator will not consider it.

M. C. Clients may not have the time, resources or expertise to interpret the numerous rules and requirements stemming from the various circulars, and that’s where we step in and bring added value to the table. We know the regulation, we have the expertise, we know the market practices as well as the regulator’s expectations, and we know how to implement these rules. If you are an IFM, complying with oversight rules might seem daunting, but we are here to help with our expertise and tools.

DELEGATION RULES AND THE CSSF CIRCULAR 22/806

Initial due diligence

Although burdensome, due diligence – assessing a delegate’s suitability for the role – needs to be completed before a contract is signed. Failing to do this will likely cause issues, especially during visits from regulators.

Do it correctly from the start

Processes and good governance should be set up from the very start, which will help to avoid issues during CSSF reviews. Having the right tool, such as one created by Arendt, can be invaluable.

All documents completed

Everything needs to be documented, and for IFMs, this means all elements of oversight on ICT service providers, especially when a concern is expressed. Rule of thumb: if it is not documented, it never happened.

For more information, visit