AGEFI Luxembourg - septembre 2025

AGEFI Luxembourg 14 Septembre 2025 Economie ByBertrandPARFAIT,Partner–RiskandRegulatory &Marc ABOU JAOUDE, Senior Manager – Risk andRegulatory, Deloitte Luxembourg T he soundness and stability of the financial system remain of paramount importance, safe- guarded over time by competent authorities at both the local level (Luxembourg) and the EU level. That being said, in a context marked by growing competi- tiveness,accelerateddigitaliza- tion, increasing demands for robustdatamanagement,and rising cost pressure, financial entities across industries are increasingly relying on third- party providers. These arrangements enable institutions to deliver more efficient, value- added solutions to their clients and to differentiate themselves from the competition. This growing reliance on third parties is driven further bymultiple factorsincludingambitionstoreducecosts,accessspe- cializedcompetencies,achieveeconomiesofscaleand enhance flexibility. In addition to engaging external service providers, financialentitiesarealsoacceleratingtheiruseofintra- groupserviceproviders.Thistrendhasledtothecen- tralizationofcertainservicesandfunctionswithinspe- cificcentersofexcellence,hasstrengthenedspecialized skills, and has enabled the sharing of costs, thereby promoting greater efficiency within the group. The growing reliance on third-party service providers, whileofferingsignificantbenefitsforfinancialentities, alsointroducesmaterialoperationalriskstothefinan- cial system, particularly in relation to concentration, resilience anddependency aspects. Althoughthird-partyriskisnotanewconcept—hav- ing been already included in the Basel II risk taxono- my proposed by the Basel Committee—regulatory requirements on the subject have been progressively reinforced. Organizations are now expected to inte- grate adequate oversight and monitoring mecha- nisms within their risk management frameworks to specifically address third-party risk. Regulatory approach to themanagement of third-party service providers Before addressing the general phased regulatory approach to third-partymanagement, it is important toclarifythecompositionofthethird-partyecosystem. This ecosystem encompasses, on one side, service providers whose activities qualify as outsourcing arrangements, and on the other, providers of ICT or businessprocessservicesthatfalloutsidethescopeof outsourcing. At the European Union level, the rein- forcement of regulatory requirements on third-party risk management has focused primarily on the out- sourcing framework, most notably through the EBA GuidelinesonOutsourcing.Theseguidelinesestablish thecriteriaforqualifyingthird-partyarrangementsas outsourcing, require institutions to assess the level of criticality (i.e. critical or important), and set out the correspondingobligationsintermsofriskassessment, due diligence, contractual provisions, oversight, and exit strategies. In Luxembourg, these requirements have been further extended beyond banking institutions to encompass a wider range of financial entities, including investment firms, payment andelectronicmoney institutions, and specialized or support professionals of the financial sector. This was achieved through the entry into force of the CSSF Circular 22/806, which renders outsourcing requirements, broadly alignedwith those of the EBA Guidelines on Outsourcing, manda- tory at the local level. Building on this framework, the Digital Operational Resilience Act (DORA) was introduced, establishing principles on ICT third-party risk management amongitsvariousdimensions.DORAmarkedashift from a narrow focus on outsourcing of ICT services toward a broader consideration of ICT third-party service providers. Thisevolutionhasbeenreinforcedattheinternational level by several key publications. In December 2023, the Financial Stability Board released a publication named “Enhancingthird-partyriskmanagementandover- sight:Atoolkitforfinancialinstitutionsandfinancialauthor- ities.” This was followed in July 2024 by the Basel CommitteeonBankingSupervision’s(BCBS)consul- tative document “Principles for the sound management of third-party risk.” More recently, in June 2025, the European Securities and Market Authority (ESMA) issued its guidelines on “Principles on third-party risks supervision.” Most recently, on 8 July 2025, the European Banking Authority (EBA) published a consultation paper on its proposed EBA guidelines on the sound manage- ment of third-party risk. These proposals aimto broaden the scope of robust third-party man- agement requirements beyond only services qualifying as outsourcing or ICT-related arrangements. ThissuccessionofpublicationsbybothEUand international bodies underscores the systemic importance of third-party risk for the financial sector. Accordingly, market participants are expected to adopt adequate practices ensuring the safeguardof the stabil- ity and resilience of the financial system.Acoordinated effort by all stakeholders is imperative. Requirements for amore robust third-party risk management framework The EBA Draft Guidelines on the sound management of third-party risks propose a strong alignment with several of the requirements andprocessesalreadyapplicableundertheoutsourc- ing framework. In this context, the requirements set out in the draft guidelines can be organized around four keyphases: Inaddition,particularattentionmustbegiventorisks arisingfromsubcontractingchainsandconcentration on specific third-party service providers. Finally, and consistent with the outsourcing frame- work,thedraftEBAguidelinesclarifythatintragroup third-partyarrangementsaretobesubjecttothesame risk management framework as arrangements with externalserviceproviders.Inpractice,thismeansthat thesamelevelofanalysisandduediligenceisexpect- ed to be applied to intragroup arrangements as to thosewith thirdparties outside the group. Anticipated impacts Theongoingandupcomingregulatorydevelopments on third-party riskmanagementwill have significant implicationsforfinancialentities.First,institutionswill be expected to enhance the maturity and robustness of their third-party riskmanagement frameworks. In particular,theymustensurethattheiroperationalrisk management frameworks are adequatelyadapted to capture and measure the operational risks arising from the use of third parties. This evolution also requires a review of entities’ risk appetite frame- works, ensuring that aggregated third-party riskcan be measured and aligned with both their overall third-party risk management strategy and their defined risk tolerance. As such, financial entities will need to review and, where necessary, redesign their frameworks to ensure the prudent and sound management of third-party services. In addition, once the proposed EBA Guidelines on the sound management of third-party risks come into effect, they will introduce more extensive requirements that financial entities must consider when engaging third-party service providers. The additional workload arising from these require- ments will need to be carefully assessed and man- aged by financial entities. Equally important is the clear definition of internal governance arrangements supporting the third- party risk management framework. Roles and responsibilitiesof all relevant stakeholders across the threelinesofdefensemustbeestablished,formalized and clearly communicated. Similarly, significant efforts will be requiredtoretroactivelyimplementthe revised third-party risk management framework for existing arrangements. This process will involve, among other tasks,reviewingandamendingexisting contractual arrangements, performing all necessary assessments (including criticality, risk, and conflicts of interest), developing exit plans, and conducting more detaileddue diligence. Conclusion In conclusion, the evolving regulatory requirements on third-party riskman- agement attest to the fact that regulators viewthird- party risks as a material operational threat to the stability and soundness of the financial sector. As highlighted, theuse of third-party serviceproviders is widespread in the financial industry, enabling institutions to achieve business objectives and effi- ciency gains, but it requires robust risk manage- ment measures. To prepare for both current and forthcoming regula- tory developments, financial entities are encouraged to proactively review their existing third-party risk management frameworks and plan for their imple- mentation across both new and existing third-party arrangements. This proactive approach allows insti- tutions to manage and distribute over time the sig- nificant efforts needed for compliance. Ultimately, anticipation and proactive planning will be essential for a smooth and successful compliance journey with third-party risk management require- ments, while also supporting the development of an appropriate risk culture across the organization. The increasing importance of third-party risk management Inclusion of specific clauses within the contractual arrangement for example, access, information and auditrights,subcontractingandterminationrights. Third-partyarrangementsregister. In case quality standards are not beingmet,follow-upactionstoimple- mentwithpossibleeventualtermina- tion of the agreement in case of sus- tainedlackofquality. Updateofriskassessment. Ongoingduediligence. Third-partyserviceproviderassessment. Criticalityassessment. Supervisoryconditionsforcontractingwith third-partyserviceproviders. Riskassessment. Initialduediligence. Conflictsofinterestassessment. Exitplan(incaseofcriticalorimportantservice). D ans un environnement mar- qué par l’instabilité poli- tique française aujourd’hui et l’exigence croissante des investis- seurs privés, la comparaison entre l’assurance-vie française (AVF) et l’as- surance-vie luxembourgeoise (AVL) s’impose comme un sujet central. Le rapport de l’Autorité desMarchés Fi- nanciers (AMF, Juin 2021) avait mis en lumière les rigidités du modèle fran- çais,avecuneprépondérancedessup- ports d’investissement intra-groupe (63 % en moyenne sur tous les contrats français).Acela il faut rajou- terlafaiblesseduchoixdessupports, entre 500 et 1.000 généralement, et centrés à plus de 80 % sur des actifs traditionnels (actions, obligations) à l’heure où lemodèle d’un portefeuille d’investissement tra- ditionnel 60/40 est désormais dépassé. Àl’inverse, l’AVLsedistinguepar sa sécurité renfor- cée, sa flexibilité d’investissement, son accès facilité au financement et son rôlemajeur dans la transmis- sion patrimoniale. Sécurité juridique et prudentielle L’AVF bénéficie d’un dispositif de garantie pla- fonné à 70.000 € par compagnie, ce qui limite la couverture en cas de défaillance, surtout que le fonds de garantie nous semble sous capitalisé. L’AVL repose elle sur le triangle de sécurité luxembourgeois : ségrégation stricte des actifs représentatifs, déposés auprès d’une banque dépositaire agréée par le Com- missariat aux Assurances (CAA), et super-privilège de l’assuré, sans pla- fond. Ce mécanisme, déjà éprouvé, confère une protection optimale, recon- nue comme l’une des plus robustes au niveau européen. Flexibilité et univers d’investissement L’AVF reste contrainte : environ 1.000 fonds disponibles en moyenne, dont 63 % d’origine intra-groupe, et une ouverture li- mitée aux actifs alternatifs. À l’inverse, l’AVL ouvre l’accès à plus de 100.000 fonds, en multidevises, avec la possibilité d’intégrer simplement des classes d’actifs différen- ciantes tellesque leprivate equity, ladetteprivée, les actifsréels,lesproduitsstructurésouencorecertaines stratégies alternatives. Cette souplesse permet de bâtirdesportefeuillesvéritablement personnalisés et adaptés aux exigences familles. Accès facilité au financement : le crédit Lombard Dans un contexte de baisse des taux courts, un des atouts majeurs de l’AVL réside dans l’accès au cré- dit Lombard, permettant demobiliser des liquidités sans dénouer les investissements. Les valeurs de gage dépendent de la nature des actifs : 95 % pour les fonds en euros ou monétaires, 40– 60 % pour les actions ou produits structurés, et jusqu’à 25 %pour cer- taines dettes privées liquides. Les actifs illiquides comme leprivate equity ou l’immobilier ne sont en re- vanche pas finançables. Ainsi, un contrat valorisé 500.000 € peut géné- rer enmoyenne 250 à 300.000 €, tout en étant géré par un gérant externe, offrant un levier patrimonial efficace toutenpréservantl’antérioritéfiscale. Transmission patrimoniale et portefeuilles sous-jacents L’assurance-vie constitue un instrument privilégié de transmission successorale. En France, l’AVF conserve son attrait fiscal (abattement de 152.500 € par bénéficiaire) mais demeure limitée quant aux portefeuilles sous-jacents. L’AVLreprendcesavantagessuccessorauxtoutenof- frantunesouplesseincomparable:possibilitédeloger des portefeuilles titres via desmandats de gestion de patrimoine, des fonds internes dédiés (FID), collectifs (FIC) ou spécialisés (FAS), ainsi que des fonds alter- natifsetdesproduitsstructurés.Cettecapacitédeper- sonnalisation en fait un outil incontournable pour les famillesinternationales,confrontéesàdesenjeuxcom- plexes de succession et demulti-juridiction. Conclusion En combinant sécurité renforcée, flexibilité d’in- vestissement, accès privilégié au financement et efficacité successorale, l’assurance-vie luxembour- geoise s’impose comme une enveloppe patrimo- niale de référence. Elle dépasse les limites structurelles de l’assurance-vie française, encore marquée par le poids des fonds intra-groupe et par un modèle 60/40 obsolète. Pour les familles exigeantes et les investisseurs internationaux à la recherche de diversification, de protection et de performance, l’assurance-vie luxembourgeoise offre un outil stratégique et pérenne avec d’énormes possibilités. Diana DIELS Luxembourg For Family Office (LFFO) https://luxembourgforfamilyoffice.lu/ Assurance-vie luxembourgeoise versus assurance-vie française Critères ȱ AVF ȱ (France) ȱ AVL ȱ (Luxembourg) ȱ Protection ȱ des ȱ avoirs ȱ Garantie ȱ plafonnée ȱ à ȱȱ 70 ȱ 000 ȱ € ȱ Triangle ȱ de ȱ sécurité, ȱ super Ȭ privilège ȱ sans ȱ plafond ȱ Risque ȱ de ȱ gel ȱ réglementaire ȱ Possible ȱ (Loi ȱ Sapin ȱ 2) ȱ Absent ȱ ; ȱ portabilité ȱ renforcée ȱ Architecture ȱ et ȱ univers ȱ d ȇ investissement ȱ ƿȱ 1 ȱ 000 ȱ fonds, ȱ 63 ȱ % ȱ intra Ȭ groupe ȱ >100 ȱ 000 ȱ fonds, ȱ multidevises, ȱ architecture ȱ ouverte ȱ Produits ȱ structurés ȱ Référencement ȱ lent ȱ (1–2 ȱ mois), ȱ coûts ȱ d ȇ intégration ȱ Intégration ȱ dès ȱ 50 ȱ 000 ȱ € ȱ le ȱ jour ȱ même ȱ Accès ȱ au ȱ financement ȱ Limité ȱ Crédit ȱ Lombard ȱ facilité ȱ Multidevise ȱ / ȱ Portabilité ȱ Principalement ȱ EUR ȱ Multidevises ȱ et ȱ portabilité ȱ internationale ȱ Profil ȱ cible ȱ Épargne ȱ domestique ȱ Familles ȱ et ȱ investisseurs ȱ internationaux ȱ exigeants ȱ Comparatif synthétiqueAVF /AVL