Outsourcing regulation in the financial services industry (as per the CSSF circular 22/806)

In-house training

Who is the training aimed at?

  • Chief risk officers and (operational) risk managers
  • Regulatory and compliance officers
  • Internal auditors
  • Head of IT, information security officers and information technology officers
  • IT services providers serving entities under the supervision of the CSSF

Duration

3.00 hour(s)

Language(s) of the service

EN

Objectives

Organisations in the financial services industry rely significantly on service providers as part of their operating model.

This training intends to provide the participants with an in-depth overview of the main regulatory requirements for outsourcing arrangements as defined by the CSSF circular 22/806.

By the end of this training, participants will be able to:

  • understand the main provisions of the CSSF circular 22/806;
  • identify the key changes introduced by the new circular compared to the existing regulatory framework;
  • distinguish between outsourcing arrangements and third-party services;
  • assess the criticality of outsourcing arrangements;
  • understand the regulatory and practical implications of preparing CSSF notifications related to future outsourcing projects.

Content

Introduction to outsourcing regulation

  • Evolution of regulatory landscape
  • Outsourcing drivers and benefits
  • Types of outsourcing arrangements
  • Identifying outsourcing arrangements
  • Assessing criticality

Outsourcing governance

  • Roles and responsibilities
  • The outsourcing policy
  • The outsourcing register
  • Contractual arrangements
  • Interacting with the regulator
  • Stages of the outsourcing lifecycle

ICT outsourcing and cloud computing

  • Definitions, roles and responsibilities
  • Cloud specific risks and limitations

Additional information

This course is coordinated by Cécile Liégeois, Partner, and presented by Xiaoyi Fang, Director, and Vojtech Volf, Senior Manager, at PwC Luxembourg.

  • Cécile Liégeois is a partner specialising in audit and regulatory matters within the Financial Sector industry, with over 25 years of professional experience in Luxembourg. She possesses extensive expertise in Luxembourg banking, payment, and investment firm regulations, including MiFID II, governance, compliance, outsourcing, DORA, SFDR, and PSD2. Cécile leads external audits of banks, financial sector professionals, and management companies, preparing regulatory reports and managing projects on new regulatory implementations with a focus on business, regulatory, and operational impacts. She also supports the establishment of new regulated entities or branches such as banks, MiFID firms, or payment institutions. Her client work includes audits, regulatory impact assessments, compliance assistance, AML reviews, and outsourcing framework evaluations.
  • Xiaoyi Fang is a director specialising in the implementation of regulatory and IT-driven projects for entities supervised by CSSF, with expertise in EU and Luxembourg regulatory frameworks. She has led and contributed to numerous complex projects involving large banking groups, subsidiaries, and European institutions. Xiaoyi is well-versed in banking business operations and regulatory topics such as internal governance, IT compliance, outsourcing, MiFID, and ESG. Her expertise includes outsourcing matters, IT compliance, and MiFID II-SFDR. She has managed significant client projects, including remediation support, complex IT projects, and MiFID II implementation, and serves as a trainer and workshop moderator on regulatory and compliance subjects.
  • Vojtech Volf is a senior manager in PwC’s Regulatory and Compliance department, specializing in ICT compliance with over eight years of experience, including tenure at PwC since 2018. He focuses on IT compliance, PSD2, outsourcing (BPO/Cloud/IT), IT and security risks, privacy, and payment-related matters. Vojtech supports various license application processes for e-money, payment institutions, and IFMs, emphasizing IT, data privacy, and operational payment aspects such as payment flows and safeguarding. He has led numerous ICT compliance, risk, and outsourcing projects, including risk assessments, remediation efforts, gap analyses for DORA and CSSF regulations, license acquisitions, and development of ICT compliance tools.