The Swiss Financial Market Supervisory Authority (FINMA) revised its circular on outsourcing for banks and extended its scope of application to insurance companies ("revised Outsourcing Circular"). Banks and securities dealers must comply with the revised circular in any new and, within 5 years, all existing outsourcings of material functions. Insurance companies will be subject to the circular when applying for FINMA-approval of any new or amended business plans. The revised Outsourcing Circular enters into force on 1 April 2018.
Certain institutions supervised by FINMA have to comply with a particular set of rules regarding outsourcings. Under current regulatory practice, the respective rules vary significantly for the different categories of institutions. FINMA announced to concentrate and harmonize those rules in the revised Outsourcing Circular while maintaining its principle-based and technology-neutral approach to supervision.
In the course of the revision, FINMA published a draft revised Outsourcing Circular on 6 December 2016 and conducted a public consultation. On 5 December 2017, FINMA released the final version of the revised Outsourcing Circular containing some additional amendments based on the consultation process.
2. Key Amendments
Definition of material outsourcing
The revised Outsourcing Circular provides less guidance on the materiality of an outsourcing, as it removes the list of examples of outsourced activities deemed to be material and only states that any function with significant influence on compliance with the goals and requirements of the financial market laws is deemed a material outsourcing within its scope. FINMA's principle-based approach to materiality places more emphasis on financial institutions’ self-assessment responsibilities. Thus, the scope of the revised Outsourcing Circular becomes more open to interpretation.
Extension to insurance companies
The scope of the Outsourcing Circular was extended to insurance companies which so far were subject to separate rules under insurance supervision laws. As a result, the outsourcing requirements for banks, securities dealers and insurance companies were harmonized, with certain exceptions. For insurance companies, this means partial relief as the revised Outsourcing Circular will allow the simultaneous outsourcing of all three "core functions" of an insurance company (production, policy administration and claims handling). Thus, insurance companies will have more flexibility in outsourcing these core and also other important functions.
(Almost) equal treatment of intra-group and external outsourcings
Another key implication is that intra-group outsourcings will generally be treated in the same way as external outsourcings (as compared to the current regime where intra-group outsourcings benefit from certain exemptions). However, the intra-group affiliation between the outsourcer and the outsourcing service provider may be taken into account if it is evidenced that the risks typically associated with an outsourcing do not exist or that certain requirements are not relevant, or that they are otherwise regulated. This particular wording grants FINMA substantial discretion to take into account the individual circumstances at hand. Although it remains to be seen how this new approach will be implemented in practice, it is advisable to review intra-group outsourcings as regards their compliance with the new requirements.
Removal of references to banking and other professional secrecies and data protection
A further key change is that all references to banking and professional secrecy obligations and data protection law have been removed from the revised Outsourcing Circular. Thereby, FINMA intends a clear separation between civil law and supervisory law to avoid potential redundancies or discrepancies in relation to the various acts covering secrecy and data protection (see also our Newsflash on the revision of Swiss data protection law of September 2017).
This entails the removal of detailed rules on client information, which will constitute significant relief for banks and securities dealers going forward. They will no longer have to grant their clients an extraordinary termination right or notify them of an outsourcing if such measures are not required by data protection law (or other applicable acts or circulars).
Inventory of outsourced functions
The revised Outsourcing Circular requires that institutions maintain an up-to-date inventory of all their outsourced functions. Such inventory must include proper descriptions of the outsourced function, the name of the service provider and any subcontractors, the service recipient and the person or department responsible within the company.
This reflects current practice for insurance companies but is a new requirement for banks and securities dealers. According to FINMA, such an inventory is also required for the monitoring of operational risks and to provide clarity regarding the range of outsourced activities should an institution ever have to be financially reorganized.
Access to information required for financial reorganization or liquidation
If functions are outsourced abroad, all information required for a financial reorganization or liquidation must be accessible in Switzerland at all times. This new requirement may necessitate certain adjustments, in particular with regard to group- or company-wide IT systems.
Selection, instruction and supervision of service provider
Prior to the conclusion of an outsourcing service agreement, all institutions subject to the revised Outsourcing Circular will have to determine and document the requirements regarding service provision. In particular, this will involve an analysis of significant economical and operational risks and opportunities.
Service providers will have to be selected based on their professional skills as well as financial and personal resources while taking into account potential concentration risks when outsourcing multiple functions to the same service provider. The service provider must guarantee continuous service provision and an orderly remigration of outsourced functions.
3. Entry into force of new regime
The revised Outsourcing Circular will enter into force on 1 April 2018 and apply to all new outsourcing arrangements of banks and securities dealers after this date. Their existing outsourcing arrangements must be adapted to the new requirements within five years. For insurance companies, the revised Outsourcing Circular will apply to all first-time licensing and business plan approvals after 1 April 2018.
4. Key implementation steps
In the context of the revised Outsourcing Circular, banks, securities dealers and insurance companies should consider relevant implementation measures, such as:
- prepare detailed inventory and description of all outsourced functions;
- identify opportunities in relation to reliefs, such as removal of client information obligations (for banks and securities dealers);
- or possibilities to outsource all three former "core" functions simultaneously (for insurance companies);
- ensure the ability to gain access to all information necessary for a financial reorganization or liquidation in Switzerland at all times;
- review and adjust external and, in particular, intra-group outsourcings, including review and amendment, as applicable, of outsourcing agreements already in place.