On 5 December 2017, the Swiss Financial Market Supervisory Authority FINMA published its new circular 2018/3 'Outsourcing Banks and Insurance Companies'. The revised FINMA-Circular 2018/3 (the 'New Circular'), which will enter into force on 1 April 2018, is applicable to banks and securities dealers and, in contrast to the current FINMA-Circular 2008/7, also covers insurance companies.
The main changes are (i) a harmonization of the requirements for banks, securities dealers and insurance companies, (ii) a more flexible definition of what constitutes outsourcing, based on a case-by-case analysis factoring in the business model and risk profile of each institution, (iii) a requirement to hold an inventory of outsourced functions and further changes regarding the organizational framework for outsourcing projects, (iv) a more differentiated approach to intra-group outsourcing, and (v) a focus on supervisory issues, leaving data protection and banking secrecy out of the scope of the New Circular.
Overall, the New Circular continues to provide a favourable environment for outsourcing, provided that financial institutions are sufficiently staffed to ensure that they can continue to take care of the core functions of the board of directors and executive management.
The current rules on outsourcing for banks entered into force in 1999 and were last revised in 2002. Since then, outsourcing has become more prevalent, following technical developments and the increased focus on core competences and cost cutting in the financial industry. The regulatory regime was therefore overdue for a complete overhaul.
Accordingly, FINMA initiated a consultation process in December 2016, which prompted a strong debate within the industry. Almost a year later, FINMA has now published the New Circular, which aims to be more principle-based and, at the same time, ensures that the outsourcing does not prejudice clients and creditors of banks and insurance companies or jeopardize supervision by FINMA.
The New Circular focuses on supervisory matters and, consequently, no longer addresses the requirements on data protection and banking secrecy. Therefore, financial institutions will no longer be able to turn to FINMA to obtain comfort on these issues, but will need to look to the Federal Data Protection and Information Commissioner (FDPIC) or cantonal prosecutors for guidance. In this context, financial institutions should closely monitor the ongoing revision of the Data Protection Act and, to the extent they are subject to it, the EU GDPR. These will pose their own challenges for banks and insurance companies and call for a separate review of existing outsourcing arrangements and internal procedures to ensure they comply with the revised legislation on data protection.
In contrast to the current FINMA-Circular 2008/7 on outsourcing, the New Circular will apply not only to banks and securities dealers but also to insurance companies, including Swiss branches of foreign insurance companies.
According to the New Circular, outsourcing is defined as mandating a service provider independently and permanently to carry out an essential function either wholly or in part. A function is deemed essential if compliance with the objectives and regulations of the financial market legislation significantly depends on it. Whereas the draft of the New Circular contained an illustrative list of essential functions (such as processing of payments, IT and risk management in the case of banks and securities dealers, as well as claims settlement, financial accounting and asset management in the case of insurance companies), this list has been stripped from the final version of the New Circular. Therefore, financial institutions will need to determine on a case-by-case basis whether a given activity constitutes outsourcing under the New Circular.
Restrictions on Outsourcing and Approval
Overall, the New Circular perpetuates the current liberal approach to outsourcing. The outsourcing of all essential functions remains permissible, subject to limited exemptions. Only the core functions of the board of directors and executive management, as well as the decision to accept and terminate client relationships, cannot be outsourced. Further restrictions apply to category 1 to 3 banks and securities dealers, which must maintain their own risk control and compliance functions as an independent body, whereas other banks and securities dealers will only need to appoint one member of the executive management for these areas.
This approach is also a significant relief for insurance companies, which until now could only outsource two of their three main functions, whereas insurance captives can even go a step further and delegate certain core competencies to specialized management companies or affiliates.
As was the case until now, banks and securities dealers do not require an approval from FINMA to outsource essential functions. By contrast, insurance companies will continue to need one, since the outsourcing of essential functions implies an amendment of the regulatory business plan which is subject to FINMA approval.
The New Circular sets out various organizational requirements relating to any outsourcing. First, the company has to keep an up-to-date inventory of the functions that have been outsourced. Furthermore, the company must select the outsourcing provider based on its professional experience and ensure proper instruction and supervision of the outsourcing provider. Moreover, a written contract is required for outsourcing essential functions; it must grant the outsourcing company the right to instruct and control the service provider, require its approval for involving subcontractors and ensure that outsourced functions can be audited at any time.
Whereas the draft of the New Circular did not differentiate between external and intra-group outsourcing, the New Circular allows financial institutions to take into account their ties with affiliates when considering the requirements on selecting, instructing and controlling an outsourcing provider as well as the requirements that apply to the contractual documentation. In this way, the New Circular acknowledges that some risks do not apply in an intra-group setting and that some regulatory requirements are not relevant in such a context or, at least, should be addressed differently.
The outsourcing of essential functions to a foreign jurisdiction is permissible if the financial institution can guarantee that it, its regulatory auditor and FINMA can exercise and enforce their rights of inspection and auditing. The New Circular no longer requires formal documentation that these requirements are satisfied, whether through a legal opinion or otherwise.
Moreover, unlike the draft that was published in the consultation proceedings, the New Circular will not require banks and securities dealers to inform FINMA before they outsource functions involving a transfer of mass client identifying data (CID) to foreign jurisdictions. However, banks will continue to be required to comply with the requirements set out in Annex 3 of FINMA-Circular 2008/21 'Operational Risks Banks' when handling CID.
Responsibility and Auditing
The rules on the responsibility for outsourced functions and the auditing requirements remain unchanged in the New Circular with the exception of certain changes in the terminology.
Banks, securities dealers and insurance companies remain responsible in relation to FINMA for all functions that have been outsourced. Moreover, the company must ensure that it, its regulatory auditor and FINMA will be able to monitor and assess the outsourcing provider's compliance with the regulatory requirements. The outsourcing of certain functions must not hinder supervision by FINMA, in particular in cases of outbound outsourcing.
The New Circular will enter into force on 1 April 2018. Overall, it changes the regulatory requirements for outsourcing. As such, it calls for a review of existing agreements with outsourcing providers and may trigger changes in the IT infrastructure. However, the New Circular will be phased in slowly. Existing outsourcing arrangements of banks and securities dealers will be 'grandfathered' during a transition period of five years ending on 1 April 2023. Insurance companies will be subject to a different regime: new insurance companies will immediately be subject to the New Circular, whereas existing ones will need to comply with the new framework only if there is a change in their regulatory business plan.