Articles Published  18.06.2017

Back

Cloud Computing Infrastructures: New Horizons


Cécile Gellenoncourt, CSSF ©ABBL

  Source: ABBL


ABBL's Digital Banking and FinTech Innovation Cluster (DBFI) held an ABBL Meets Members conference on 13 June 2017 where the CSSF presented its new Circular on the Cloud Computing infrastructure and other recent regulatory changes in IT outsourcing.

More than 130 representatives of ABBL members attended the event.

Marc Hemmerling, General Counsel Digital Banking, FinTech & Payments, ABBL, highlighted the importance of the changes introduced by the CSSF and outlined the recent developments in this domain on the EU level.

Jean Hilger, Head of the DBFI highlighted the role the cluster plays in making sure ABBL members are well informed and assisted in the transition to promising technologies to be used by the banking sector.

Cécile Gellenoncourt, Chef de service adjoint - Surveillance des Systèmes d'Informations Service Surveillance des Systèmes d'informations et des PSF de Support, CSSF, shed light on the changes brought by new Circular (Circular CSSF 17/654 - only available in French).

Objectives of the regulatory changes introduced by the CSSF

  • to take into account the cloud specificities in the context of outsourcing
  • to distinguish the provisioning of a cloud based outsourcing from the traditional outsourcing services provided by Support PFS
  • to maintain Support PFS’s particularities and to clarify their role in a cloud context
  • to stay compatible as far as possible with the work done at EBA level (Taskforce on IT Risk Supervision - TFIT)

Definition of the Cloud Computing

The CSSF introduces its own definition of the Cloud Computing fulfilling the following 7 criteria:

  1. On-demand self-service
  2. Broad network access
  3. Resources pooling
  4. Rapid elasticity 
  5. Measured service
  6. Apart from exceptional situations, the provider does not access the data and systems of the  the consumer without its prior consent and without monitoring mechanism available to the Institution Supervised by the CSSF and Consuming cloud computing Resources for the purpose of carrying out its activities (ISCR)
  7. No manual interaction of the provider as regards the day-to-day management of resources.

Three circulars will govern Cloud Computing and IT Outsourcing in Luxembourg

The application of the circulars will depend whether the CSSF’s definition of the Cloud Computing (all 7 criteria) is met:

  • If yes, the new cloud circular applies instead of respectively the sub-chapter 7.4 of CSSF circular 17/655, or of the CSSF circular 17/656 (only available in French - the Circular 05/178 has been abolished and replaced)
  • If not, the 2 CSSF circulars 17/655 and 17/656 remain applicable respectively to the types of entities concerned

Roles

  • Signatory of the contract with the cloud service provider
  • Consumer (of resources) - modified in «ISCR», Institution Supervised by the CSSF and Consuming cloud computing Resources for the purpose of carrying out its activities
  • Resource Operator
  • Cloud Computing Service Provider (CSP)

The cloud Circular takes up the obligations of the 17/655, but should be read according to the role played by the regulated entity.

The Circular points out the disconnection on from discussion on art. 41:

  • Encryption with the localization of the encryption keys in Luxembourg is no longer mandatory
  • Reference to legal risks and obligations
  • Consequence in current situation: the consent remains necessary if the operator not the Support PSF
  • The form of the consent is not specified

Confidentiality is now based on the technology and processes by applying key security principles:

  • Need to know
  • Least privilege

Cloud Officer Position

The Circular introduces the Cloud Officer position in financial services with the following functions:

  • Is responsible for the use of the cloud computing services and guarantees the competences of the teams
  • Is an employee of the resource operator
  • Shall have the adequate competencies on the product used
  • The ISCR and the CSSF must know the name of the cloud officer
  • A resource operator can have several cloud officers
  • The potions of Cloud Officer and Data Security Officer are incompatible

 

Interested to
become a member?

ABBL membership gives you the advantage of working side by side with your peers. So, why not join and become an active member of our community?

Become a member

Agenda stay tuned

Stay tuned or participate at ABBL, its members, or other financial sector actors’ events.

Check the calendar

ABBL
Association des Banques et Banquiers, Luxembourg
12, rue Erasme | L-1468 Luxembourg
Tél.: (+352) 46 36 601 | Fax: (+352) 46 09 21
Email: mail@abbl.lu
Heures d'ouverture:
Du Lundi au vendredi de 8h00 à 17h30


Conception & design E-connect, powered by Quilium

We use cookies to ensure the best experience on our website. By accepting you agree the use of cookies. OK Learn more