Professional of Support of the Financial Sector: Myths and Realities
Thierry Seignert, President, Association PSF of Support
October 1st, 2013

Agenda
• Law of the August 2nd, 2003
• The ‘Risk Based Approach’ circular
• View of the PFS cluster
Law of the August 2nd, 2003
• Creation of new categories of “Professionnels du Secteur Financier” (PFSs).
• “Operators of IT Systems & Communications Networks” holding a PFS agreement are authorised to perform IT outsourcing/out-tasking services for financial institutions in Luxembourg.
• PFSs are registered in Luxembourg and subject to the prudential control of the Financial Sector Surveillance Commission (CSSF).
• New regulatory framework for IT outsourcing services.
• Maintains the level of trust and confidence of the customers of financial institutions that outsource their IT to a PFS.
• For Luxembourg, the goal was/is to create a centre of excellence recognised abroad.
Changes in legal position
[Diagram: standard IT services / outsourcing under Luxembourg’s law (Financial Institution contracting an IT company, supervised by the CSSF) compared with the Law of 2 Aug 03 (Financial Institution contracting a PFS, supervised by the CSSF); the Law of 2 Aug 03 applies for confidential data.]
IT activities are subcontracted to the PFS, but the responsibility of the Financial Institution remains with it.
Heritage
[Diagram: confidentiality and responsibility before the outsourcing contract (non-Luxembourg Financial Institution, Luxembourg Financial Institution, IT) and after outsourcing (IT group of the PFS, Luxembourg Financial Institution, PFS), in Luxembourg and outside of Luxembourg, under CSSF Circular 05/178 and the Law of 2 Aug 03.]
Data going outside of Luxembourg is not confidential or is encrypted.
Positioning the PFSs
• A PFS is subject to the rules of conduct of the financial sector:
  • the “secret professionnel”
  • anti-money laundering
  • cooperation with authorities
  • …
• To function, a PFS has to be able to qualify the sensitivity of the data it is handling at all times, to ensure that the data is treated with the correct tools and protection (CSSF correspondence Réf.: AI.04/28-PDU/JD).
[Slide shows a sample letter of PSF agreement.]
Legal compliance
A PFS needs to appoint a "Réviseur d'entreprises" to verify compliance with the amended law of April 5, 1993, as well as the appropriate application of the relevant circulars, under the supervision of the CSSF.
[Diagram: organisation built on the 4-eyes principle and a yearly external audit.]
Roles & Responsibility
• A PFS cannot cascade any of its own responsibilities, although subcontracting to other PFSs is allowed with a detailed SOW and after informing the clients. Full responsibility towards the customer is retained.
• Interventions by non-PFS resources are possible, but under supervision.
Question
Can a PFS deliver services to a non-financial customer? YES
The ‘Risk Based Approach’ Circular 12/544
• Context
  • Level of risk differs between PFSs
  • Nature of the services
  • Market share
  • Organisation of the PFS
• Main approach of the circular
  • Optimisation of the CSSF supervisory activity on the PFSs
  • Expansion of the Risk-Based Approach of the PFSs towards the financial sector
  • Principle of proportionality
RAR Report Introduction
Obligations of the PSF of Support: to provide to the CSSF 2 yearly reports called the Risk Analysis Report (RAR)
• on its risk management system
• a self-assessment of the risks which it or its branches may cause to its customers of the financial sector
This RAR will be issued to the management and administrative bodies of the PFS concerned as well as to the CSSF. The PFS is committed to the truthfulness of all the elements included in the RAR.
Compte-rendu analytique de révision (CRA), including
• a long form report describing its activities, organisation and infrastructure
• the remarks of the external auditor on the long form report and the RAR
The mission of the external auditor will be extended.
RISK Categories
The CSSF has distinguished 2 types of risk categories:
• Direct RISKS: risks on activities and services dedicated to the financial sector that could have a direct impact on the PFS’s clients; 10 categories in total.
• Indirect RISKS: risks linked to the PFS’s organisation and administration, or risks related to activities and services provided to the non-financial sector, that could have an indirect impact on the clients of the financial sector.
Auto Evaluation of Direct and Indirect Risks
The PFS has to supply a description and a self-assessment of its direct and indirect risks in the financial sector. The importance of every identified risk has to be determined based on:
• the probability of occurrence of the risk (P) and the impact of the risk (I);
• the risk can be of several types: legal, operational, reputational, financial;
• if several types of impact are applicable to the same risk, the PFS takes the highest for the calculation of the importance of the risk.
Impact on the reputation
Value  Description
0      No impact
1-2    Rumours, anxieties of isolated customers.
3-4    Coverage in the national press / Numerous requests for information from customers.
5-6    Coverage in specialist publications / Loss of some customers or a strategic customer.
7-8    Coverage in all the national audiovisual media / Massive departure of customers.
9-10   Coverage in the international press / Departure of all the customers.
Calculation of the Risk
For every identified direct risk, the PFS calculates:
• the gross (raw) risk, i.e. without consideration of the existing controls;
• the net importance of the risk, i.e. with consideration of the existing means to reduce or transfer the risk (net risk).
Risk id: D1-04
Category: D1
Title: Issues with the management of the contracts
Risk description: Issues with the management of the contract risk leading to problems due to insufficient attention to the relationship with the client, or to financial issues for the PFS.
Gross risk evaluation of the PFS (before controls):
Explanation of why this importance for the clients: it is very likely that unmanaged contracts will lead to issues. The reputational impact would lead to a massive loss of clients, and the financial impact to major losses that can cancel out the yearly result if the issues are in sensitive areas, even for the clients, who might get into trouble because of a failing partner managing their IT infrastructure.
Concerned clients: All
Mitigating factors / insurance and audit follow-up of the risk: contract reviews and financial follow-up integrate risk management into the different internal processes and ensure the correct focus on the management of contracts; this is a focus area in audits.
Net risk evaluation of the PFS (after controls):
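A small self-assessment register in the spirit of the importance calculation and the D1-04 sheet above, as an added example that is not part of the presentation or of the CSSF circular. It assumes importance = P times I, a 0-10 scale for every impact type (as on the reputation scale), and constructed control reductions and figures; the D1-04 numbers and the other two risks are illustrative, not the PFS's own.

```python
# Added example (not from the presentation): a minimal RAR-style risk register.
# Each risk has a probability P and one impact value I per impact type
# (legal, operational, reputational, financial), all on 0-10 as on the
# reputation scale; per the slide, the highest impact type is retained.
# Importance = P * I is an ASSUMED scoring rule (the deck only says the
# importance is based on P and I). Control reductions are constructed, too.
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    title: str
    probability: int                 # P before controls, 0-10
    impacts: dict                    # impact type -> I before controls, 0-10
    # Constructed (name, P reduction, I reduction) tuples standing in for controls.
    controls: list = field(default_factory=list)


def gross_importance(r: Risk) -> int:
    """Gross (raw) risk: P times the highest impact, ignoring existing controls."""
    return r.probability * max(r.impacts.values())


def net_importance(r: Risk) -> int:
    """Net risk: same rule after each control's reductions, floored at 0."""
    p, impacts = r.probability, dict(r.impacts)
    for _name, dp, di in r.controls:
        p = max(0, p - dp)
        impacts = {k: max(0, v - di) for k, v in impacts.items()}
    return p * max(impacts.values())


def prioritise(register: list, threshold: int) -> list:
    """Risk ids whose net importance still exceeds the threshold, highest first."""
    above = [r for r in register if net_importance(r) > threshold]
    return [r.risk_id for r in sorted(above, key=net_importance, reverse=True)]


# Constructed sample register; D1-04 is the slide's example, its figures are illustrative.
REGISTER = [
    Risk("D1-04", "Issues with the management of the contracts", 8,
         {"reputational": 8, "financial": 9, "operational": 5},
         controls=[("contract reviews", 4, 2), ("financial follow-up", 1, 2)]),
    Risk("D2-01", "Unavailability of hosted client systems", 4,
         {"operational": 7, "reputational": 6},
         controls=[("redundant infrastructure", 2, 1)]),
    Risk("I1-02", "Loss of a key supplier of the non-financial activity", 3,
         {"financial": 4, "operational": 4}),
]
```

Running `prioritise(REGISTER, 12)` returns only D1-04, whose net importance drops from 72 to 15 after the two controls, while the other two risks stay at 12.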
QUESTION
Can the RAR be seen by the customers of the PFS? YES
Advantages of the RAR
For the customer
• Better knowledge of its PFS
For the PFS
• Knowledge of its risks
• Definition and prioritisation of improvement/mitigation plans
• Formalisation of processes
• Justification of the agreement within its group
• Competitive advantage
PFSs Cluster in one page
• Sector of 9000 employees (Dec 2012)
• 85 companies with PSF agreement at the end of 2012
[Chart: percentage changes of +4,55%, -4,88%, +3,88%, +10,7% and -19,1%; the series labels were not recoverable.]
Promotion of the PFSs cluster
In Luxembourg, PFSs, through their APSFS association, are represented at:
• Haut Comité de la Place Financière (HCPF)
• Luxembourg For Finance (LFF)
• Fédération des Professionnels du Secteur Financier Luxembourg (PROFIL)
• Participation in events
Challenges for the future
• Promotion of the PSF agreement outside Luxembourg: a continuous effort from PFSs within their respective group, customers within their respective group, and the different associations of the financial place.
• Become an Information Trust Centre able to manage other types of confidential data: medical, legal…
Annual Conference APSFS, Oct 17, 2013
To register, please go directly to: http://www.supportpsf.lu