What the new FINMA Circular 2018/3 means for Swiss banks and insurers
The revised Circular: Extended scope of applicability
On 5 December 2017, FINMA published the overhauled Outsourcing Circular 2018/3 “Outsourcing – Banks and Insurances” (Circular) which will replace the existing FINMA Outsourcing Circular 2008/7. The revised Circular, with its extended scope of applicability, will take effect on 1 April 2018.
Like the previous version, the new Circular targets banks and securities dealers. However, it will also extend to insurance companies domiciled in Switzerland and branches of foreign insurance companies required to apply for an operating licence or approval for individual elements of their business plan within Switzerland. Financial groups and conglomerates, on the other hand, will no longer fall within the scope of the Circular.
Outsourcing under the new Circular – key issues
FINMA has adjusted the Circular to reflect its principle-based approach. As the Circular is technology-neutral, financial institutions will be able to implement outsourcing requirements accounting for their specific business model and risk situation. Therefore, the Circular contains no specific rules with respect to cloud-based solutions, for example. This allows financial institutions to make independent decisions on any cloud implementation. Should outsourcing activities outside Switzerland result in higher risks, appropriate allowances must nevertheless be made for these higher risks.
Going forward, any function will be deemed material if adherence to the intent and provisions of financial market supervisory legislation significantly depends on such function. Also, rules regarding outsourcing of risk management and compliance functions have been clarified.
The new Circular specifically provides for an up-to-date inventory regarding outsourced functions. The inventory must describe the outsourced functions and list the names of service providers including sub-contractors, service recipients and the responsible body within the financial institution outsourcing the function.
With regard to the selection, instruction and control of service providers, potential interdependences and cluster risks must be taken into consideration. Furthermore, outsourced functions must be integrated into the internal control system of the financial institution and the outsourced function must be monitored and evaluated continuously. For these purposes, contractual rights of inspection, instruction and control of the service providers must be granted to the service recipient. Under the new Circular, the financial institution outsourcing certain functions, as well as its auditors and FINMA must be able to inspect and audit the outsourced function at any time, without restriction. Audit tasks may be delegated to the service provider’s external auditors if they have the technical capacity to perform such an audit.
With respect to intra-group outsourcing, FINMA now allows a principle-oriented treatment. Special rules for systemically important banks, as suggested in FINMA’s draft of the Circular, have been abolished. Also, the Circular no longer contains provisions on data protection and banking secrecy. Attachment 3 of FINMA Circular 2008/21 “Operational Risks – Banks”, however, will still be relevant in this respect.
Outsourcing outside Switzerland is permitted if the financial institution explicitly ensures that itself, its auditor and FINMA may duly exercise and enforce their inspection and audit rights. Prior notification requirement to FINMA as suggested in the draft Circular has been waived. Data access regarding restructuring and liquidation of the company in Switzerland must be ensured at all times in the case of outsourcing of functions abroad.
Time to adjust: Transitioning to the new regulations
The new provisions will immediately apply to banks’ and securities dealers’ outsourcing activities concluded or amended after the new Circular takes effect on 1 April 2018. A five-year period will apply, however, to banks’ and securities dealers’ outsourcing activities concluded before the new Circular takes effect. For insurance companies, the new provisions will immediately apply to first-time authorisations when the new Circular takes effect on 1 April 2018. Regarding approval of changes, the Circular applies from the date the business plan change is submitted for approval or FINMA is notified of the change.