ABBL’s Digital Banking and FinTech Innovation Cluster (DBFI) held an ABBL Meets Members conference on 13 June 2017 at which the CSSF presented its new Circular on cloud computing infrastructure and other recent regulatory changes in IT outsourcing.
More than 130 representatives of ABBL members attended the event.
Marc Hemmerling, General Counsel Digital Banking, FinTech & Payments, ABBL, highlighted the importance of the changes introduced by the CSSF and outlined the recent developments in this domain on the EU level.
Jean Hilger, Head of the DBFI highlighted the role the cluster plays in making sure ABBL members are well informed and assisted in the transition to promising technologies to be used by the banking sector.
Cécile Gellenoncourt, Deputy Head of Service, Information Systems Supervision and Support PFS Supervision Department, CSSF, shed light on the changes brought by the new Circular (Circular CSSF 17/654 – only available in French).
Objectives of the regulatory changes introduced by the CSSF
- to take into account the cloud specificities in the context of outsourcing
- to distinguish the provisioning of a cloud based outsourcing from the traditional outsourcing services provided by Support PFS
- to maintain Support PFS’s particularities and to clarify their role in a cloud context
- to stay compatible as far as possible with the work done at EBA level (Taskforce on IT Risk Supervision – TFIT)
Definition of Cloud Computing
The CSSF introduces its own definition of cloud computing. A service is cloud computing in the sense of the Circular only if it fulfils all 7 of the following criteria (the first five are the well-known NIST SP 800-145 essential characteristics; the last two are specific to the CSSF and restrict what the provider may do with the client's data and systems):
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
- Apart from exceptional situations, the provider does not access the data and systems of the consumer without its prior consent, and any such access is subject to a monitoring mechanism available to the Institution Supervised by the CSSF and Consuming cloud computing Resources for the purpose of carrying out its activities (ISCR)
- No manual intervention by the provider in the day-to-day management of resources
Three circulars will govern Cloud Computing and IT Outsourcing in Luxembourg
- Circular CSSF 17/655 (only available in French – sub-chapter 7.4) – for credit institutions and investment firms
- Circular CSSF 17/656 (only available in French; it replaces the abolished Circular CSSF 05/178) – for payment institutions, e-money institutions and PFS other than investment firms
- The new Circular CSSF 17/654 (only available in French) – the cloud circular
Which circular applies depends on whether the CSSF’s definition of cloud computing (all 7 criteria) is met:
- If yes, the new cloud circular applies instead of sub-chapter 7.4 of Circular CSSF 17/655 (for credit institutions and investment firms) or of Circular CSSF 17/656 (for the other entities)
- If not, Circulars CSSF 17/655 and 17/656 remain applicable to the types of entities they respectively cover
The Circular distinguishes four roles in a cloud outsourcing:
- Signatory of the contract with the cloud service provider
- Consumer of resources, now termed the ISCR (Institution Supervised by the CSSF and Consuming cloud computing Resources for the purpose of carrying out its activities)
- Resource Operator
- Cloud Computing Service Provider (CSP)
The cloud Circular takes up the obligations of Circular 17/655, but they must be read according to the role played by the regulated entity.
The Circular decouples the cloud rules from the discussion on Article 41 of the Law of 5 April 1993 on the financial sector (professional secrecy):
- Encryption with the encryption keys located in Luxembourg is no longer mandatory
- Reference is made instead to the legal risks and obligations
- Consequence in the current situation: the client's consent remains necessary if the resource operator is not a Support PFS
- The form of that consent is not specified
Confidentiality now rests on the technology and processes in place, which must apply the key security principles:
- Need to know
- Least privilege
Cloud Officer Position
The Circular introduces the Cloud Officer position in financial services, with the following characteristics:
- Is responsible for the use of the cloud computing services and guarantees the competence of the teams
- Is an employee of the resource operator
- Shall have adequate competence in the product used
- The ISCR and the CSSF must know the name of the Cloud Officer
- A resource operator can have several Cloud Officers
- The positions of Cloud Officer and Data Security Officer are incompatible (they may not be held by the same person)