Outsourcing: FINMA Publishes a New Circular 2018/3 on Outsourcing for Banks and Insurance Companies

On 5 December 2017, the Swiss Financial Market Supervisory Authority FINMA published its new circular 2018/3 Outsourcing – Banks and Insurance Companies. In contrast to the current rules, the new circular not only covers banks and securities dealers but is also applicable to insurance companies. The main changes are a more flexible definition of what constitutes outsourcing, based on a case-by-case analysis factoring in the business model and risk profile of each institution, a more differentiated approach to intra-group outsourcing, and a focus on supervisory issues, leaving data protection and banking secrecy out of the scope of the FINMA circular. The new rules entered into force on 1 April 2018.

By Rashid Bahar / Martin Peyer (Reference: CapLaw-2018-16)

1) Introduction

On 5 December 2017, the Swiss Financial Market Supervisory Authority FINMA published its new circular 2018/3 Outsourcing – Banks and Insurance Companies. The revised FINMA-Circular 2018/3 (Revised Circular), which entered into force on 1 April 2018, is applicable to banks and securities dealers and, in contrast to the current FINMA-Circular 2008/7, also covers insurance companies.

The current regulatory regime was overdue for a complete overhaul. The existing rules on outsourcing for banks entered into force in 1999 and were last revised in 2002, at a time when outsourcing was a nascent phenomenon. Since then, outsourcing has become more prevalent, following technical developments and the increased focus on core competencies and cost cutting in the financial industry.

Accordingly, FINMA initiated a consultation process in December 2016, which prompted a strong debate within the industry. Almost a year later, FINMA has now published the Revised Circular, which aims to be more principle-based and, at the same time, ensures that the outsourcing does not prejudice clients and creditors of banks and insurance companies or jeopardize supervision by FINMA (see consultation report dated 19 September 2017, p. 8 ff.).

The main changes in the Revised Circular are (i) a harmonization of the requirements for banks, securities dealers and insurance companies, (ii) a more flexible definition of what constitutes outsourcing, based on a case-by-case analysis factoring in the business model and risk profile of each institution, (iii) a requirement to hold an inventory of outsourced functions indicating the service provider (including subcontractors) and further changes regarding the organizational framework for outsourcing projects, (iv) a relief regarding the requirement to formally document that the regulatory auditor and FINMA can exercise and enforce their rights of inspection and auditing in connection with cross-border outsourcing and (v) a more differentiated approach to intra-group outsourcing.

Moreover, the Revised Circular focuses on supervisory matters and, consequently, no longer addresses the requirements on data protection and banking secrecy. This signals a more focused approach to dealing with outsourcing projects. However, it also means that financial institutions will no longer be able to turn to FINMA to obtain comfort on these issues, but will need to look for guidance from the Federal Data Protection and Information Commissioner (FDPIC) or cantonal prosecutors, who may not be willing to respond to requests or may be less attuned to outsourcing in the financial industry.

2) Scope

In contrast to the current FINMA-Circular 2008/7 on outsourcing which only applied to banks and securities dealers, the Revised Circular will also apply to insurance companies, including Swiss branches of foreign insurance companies. The Revised Circular, thus, covers both main sectors of the financial industry and subjects them to fundamentally the same regulatory framework, allowing for some exceptions due to differences in the supervisory concept.

Other supervised entities such as fund management companies, asset managers for funds and financial market infrastructures, however, remain out of scope under the Revised Circular. This raises the question of to what extent the principles set forth in the Revised Circular can and should apply to these other supervised entities. On the one hand, they are all subject to fundamentally similar regulatory requirements in terms of organization, with a few exceptions on the framework applicable to the delegation of functions by fund management companies and the specific rules on outsourcing that apply to financial market infrastructures. On the other hand, FINMA specifically did not include them in the scope of the Revised Circular.

The Revised Circular defines outsourcing as mandating a service provider to carry out an essential function independently and permanently. The definition does not hinge on whether the service affects an essential function in whole or only in part. A function is deemed essential if compliance with the objectives and regulations of the financial market legislation significantly depends on it (see FINMA-Circular 2018/3, N 3 f.). This definition is, thus, potentially fairly broad.

Whereas FINMA-Circular 2008/7 specified this term with a positive and a negative list, and the draft of the Revised Circular contained an illustrative list of essential functions (such as processing of payments, IT and risk management in the case of banks and securities dealers, as well as claims settlement, financial accounting and asset management in the case of insurance companies), the final version of the Revised Circular does not specify any further what an essential function is. Therefore, financial institutions will need to determine on a case-by-case basis – potentially after seeking a ruling from FINMA – whether a given activity constitutes outsourcing under the Revised Circular. Although FINMA’s consultation report clarifies that its practice does not change with respect to banks, the report does not provide much more guidance in this respect, but lists an important example: if an outsourcing provider gets access to mass client identifying data (CID) (and not only to a limited number of CID), the outsourcing is deemed essential (consultation report dated 21 September 2017, p. 15).

3) Restrictions on Outsourcing and Approval

Overall, the Revised Circular perpetuates the current liberal approach to outsourcing. The outsourcing of all essential functions remains permissible subject to limited exemptions. Only the core functions of the board of directors and executive management, as well as the decision to accept and terminate client relationships cannot be outsourced.

Further restrictions apply to banks, securities dealers and insurance companies of category 1 to 3, which must maintain their own risk control and compliance functions as an independent body, whereas other banks, securities dealers and insurance companies will only need to appoint one member of the executive management to oversee these areas (FINMA-Circular 2018/3, N 7 ff.).

This approach is also a significant relief for insurance companies, which until now could only outsource two of their three main functions, whereas insurance captives can even go a step further and delegate certain core competencies to specialized management companies or affiliates (FINMA-Circular 2018/3, N 10 ff.).

The Revised Circular perpetuates the current supervisory approach to outsourcing. Banks and securities dealers will continue to be able to outsource essential functions without seeking the approval of FINMA. By contrast, insurance companies will continue to need one, since the outsourcing of essential functions implies an amendment of the regulatory business plan which is subject to FINMA approval (see article 5 (2) in connection with 4 (2) (j) Insurance Supervisory Act).

4) Organizational Requirements

The Revised Circular sets out several organizational requirements relating to any outsourcing. First, the company has to keep an up-to-date inventory of the functions that have been outsourced, containing a description of the outsourced functions, the service provider (including any subcontractors) and the recipient, as well as the responsible unit within the outsourcing company (FINMA-Circular 2018/3, N 14).

Furthermore, the company must select the outsourcing provider based on its professional experience and ensure proper instruction and supervision of the outsourcing provider. The outsourcing company must also take into account a potential change of the service provider and consider the consequences of such a change when deciding about the outsourcing. To be considered as a potential service provider for banks and insurance companies, the service provider must be able to properly perform the outsourced services. In addition, the outsourcing company must take adequate measures to ensure that the outsourced functions will be properly performed (FINMA-Circular 2018/3, N 16 ff.).

Finally, a written contract is required for outsourcing essential functions which provides the outsourcing company with the right to instruct and control the service provider, requires the approval of the outsourcing company before the service provider can involve subcontractors and ensures that outsourced functions can be audited at any time (FINMA-Circular 2018/3, N 32 ff.).

5) Intra-Group Outsourcing

Unlike the current FINMA-Circular 2008/7, the Revised Circular will no longer provide for blanket exemptions for intra-group outsourcing projects. At the same time, the Revised Circular does not go as far as the draft of the Revised Circular, which did not differentiate between intra-group outsourcing and outsourcing to external service providers. Instead, FINMA-Circular 2018/3, N 22 allows financial institutions to take into account their ties with affiliates when considering the requirements on selecting, instructing and controlling an outsourcing provider as well as the requirements that apply to the contractual documentation. In this way, the Revised Circular allows financial institutions to factor in the fact that some risks do not apply in an intra-group setting and that some regulatory requirements are not relevant in such a context or, at least, should be addressed differently (see consultation report dated 21 September 2017, p. 35 ff.).

This allows a more flexible approach to the regulation of intra-group outsourcing. At the same time, it also provides FINMA with more discretion to nevertheless apply the requirements applicable to external outsourcing to intra-group projects, if it considers that the circumstances of the specific instance require the financial institution to do so.

6) Cross-border Outsourcing

The outsourcing of essential functions to a foreign jurisdiction is permissible if the financial institution can guarantee that it, its regulatory auditor and FINMA can exercise and enforce their rights of inspection and auditing (FINMA-Circular 2018/3, N 30). The Revised Circular no longer requires formal documentation that these requirements are satisfied through a legal opinion or otherwise (see FINMA-Circular 2008/7, N 50). In connection with cross-border outsourcing, the company must further ensure that outsourcing will not hinder a recovery or resolution in Switzerland and that, consequently, access to data stored abroad for this purpose remains possible in Switzerland at all times (FINMA-Circular 2018/3, N 31).

Moreover, unlike the draft that was published in the consultation proceedings, the Revised Circular will not require banks and securities dealers to inform FINMA before they outsource functions involving a transfer of mass CID to foreign jurisdictions. However, banks will continue to be required to comply with the requirements set out in Annex 3 of FINMA-Circular 2008/21 Operational Risks – Banks when handling CID.

7) Responsibility and Auditing

The rules on the responsibility for outsourced functions and the auditing requirements remain unchanged in the Revised Circular with the exception of certain changes in the terminology.

Banks, securities dealers and insurance companies remain responsible in relation to FINMA for all functions that have been outsourced (FINMA-Circular 2018/3, N 23). Moreover, the outsourcing company must ensure that it, its regulatory auditor and FINMA will be able to monitor and assess compliance of the service provider with the regulatory requirements. More generally, the outsourcing must not hinder supervision by FINMA, in particular in cases of cross-border outsourcing (FINMA-Circular 2018/3, N 26 ff.).

The outsourcing company, its regulatory auditor and FINMA must have a contractual right to inspect and audit all information relating to the outsourced function at any time without restriction. If the service provider is not supervised by FINMA, the company and the service provider must agree on a contractual obligation of the service provider to provide FINMA with all the information and documentation about the outsourced functions, which are necessary for FINMA’s supervisory activities.

Auditing of outsourced functions may be delegated to the service provider’s audit company if it is adequately qualified. In such a case, the respective audit reports must be provided to FINMA on request (FINMA-Circular 2018/3, N 29).

8) Entry into Force and Phase-in

The Revised Circular entered into force on 1 April 2018. FINMA-Circular 2018/3, N 37 provides for a phasing-in period for existing outsourcing arrangements of banks and securities dealers which will be ‘grandfathered’ during a transition period of five years ending on 1 April 2023. Insurance companies will be subject to a different regime: new insurance companies will immediately be subject to the Revised Circular, whereas existing ones will need to comply with the new framework only if there is a change in their regulatory business plan regarding outsourcing (FINMA-Circular 2018/3, N 38).

9) Outlook

Overall, the Revised Circular significantly changes the regulatory requirements for outsourcing and calls on financial institutions to review their existing outsourced services, to determine whether they constitute outsourcing under the Revised Circular and to consider how they intend to align them with the new rules during the phase-in period.

The Revised Circular is also more focused on supervisory matters. By leaving banking secrecy and data protection out of the subject-matter of the Revised Circular, FINMA no longer needs to face the thorny questions these matters often raise in the context of outsourcing. This does not mean that they are no longer relevant. Quite to the contrary, the entry into force of the General Data Protection Regulation in the EU and the ongoing revision of the Data Protection Act are likely to significantly impact outsourced services. Among other things, the draft of the Data Protection Act foresees an obligation to keep a list of data processing activities (article 11 of the draft), a reporting obligation in the event of violations of data security (article 22 of the draft), modified requirements for the disclosure of data abroad (articles 13 ff. of the draft) and additional information obligations in connection with the processing of information (articles 17 ff. of the draft). In addition, a data protection impact assessment will need to be carried out in advance under certain conditions (article 20 of the draft). These requirements will create an additional compliance constraint for financial institutions, which will need to be addressed separately with the competent regulator.

Rashid Bahar (rashid.bahar@baerkarrer.ch)
Martin Peyer (martin.peyer@baerkarrer.ch)