Revised FINMA Outsourcing Circular
- Extended scope of application to insurance companies
- Intra-group outsourcing subject to full compliance with the circular
- More stringent rules on outsourcing abroad and on the selection, instruction and control of service providers
1. Complete revision of circular 2008/7
FINMA has revised the provisions of its circular 2008/7 "Outsourcing – Banks". The current circular, 2017/xxx (the "Circular"), includes significant changes: it broadens the scope of application to intra-group outsourcing and to insurance companies; it strengthens the rules that apply to outsourcing abroad; and finally, it suggests maintaining an inventory of the outsourced services.
Consequently, outsourcing institutions will need to both thoroughly review and amend their existing outsourcing agreements to align them with the new Circular’s requirements.
2. Overview of key amendments
a. Insurance companies
A key amendment: the new Circular will apply to insurance companies based in Switzerland and branches of foreign insurance companies, which are subject to either an operating license or the approval of individual elements of their business plan in Switzerland.
b. Intra-group outsourcing
FINMA expects intra-group outsourcing to be treated with the same caution and subjected to the same level of monitoring as external outsourcing. The key implication is that all the requirements set out in the Circular will apply equally to intra-group outsourcing. This is a significant change compared to Circular 2008/7, under which intra-group outsourcing was exempted from the application of certain principles.
c. Systemically important banks
Systemically important banks will have to comply with additional, more stringent rules when outsourcing critical services (i.e., services necessary for continuing system-relevant functions when insolvency threatens).
d. Inventory of outsourced services
Institutions will have to maintain an inventory of outsourced services that provides clarity regarding the range of outsourced activities, describes the outsourced services, and names the service provider (including auxiliary persons), the service recipient, and the internally responsible body.
e. Data protection
The provisions on data protection and the customer-focused requirements contained in circular 2008/7 were repealed to avoid duplication with the Federal Act on Data Protection ("DPA"). Further, the requirement that individuals whose data is transferred to a service provider be informed beforehand of the outsourcing and of the transfer of their data has been removed. Hence, the new Circular omits any reference to data protection law. Consequently, a profound understanding of the governing DPA is of utmost importance for a smooth outsourcing process.
As a side note: the DPA is being revised and is expected to come into force in 2019. The upcoming DPA will be influenced by the European General Data Protection Regulation (GDPR) of 27 April 2016 (No. 2016/679). Moreover, as of 25 May 2018, i.e., after a transitional period, Swiss companies must respect the provisions of the GDPR if data of EU clients are being processed or if a service provider seated in the EU processes their data; for example, special caution is required in the case of outsourcing to an EU cloud provider.
Already today, the processing of personal data must comply with strict rules as set out in art. 10a DPA. Furthermore, in the case of cross-border data transfer, additional safeguards are necessary if such personal data are transferred to a country that has no adequate data protection laws in force. Such safeguards are, for example, data transfer agreements or group-wide data protection policies (cf. art. 6 DPA); hence, to regulate such cross-border transfers, outsourcing companies should conclude Intra Group Data Transfer Agreements to establish group-wide responsibilities as well as the binding character of these data policies. Moreover, the instructing party must always ensure that the third party guarantees data security (art. 7 DPA).
f. Selection, instruction, and control of service providers
The new Circular has revised the rules governing the selection, instruction, and control of service providers to ensure that institutions take into account potential interdependencies and cluster risks when selecting outsourcing partners.
Inter alia, the Circular suggests conducting a risk analysis and integrating the outsourced business into the institution's internal control system. Further, monitoring and evaluation will be performed on an ongoing basis, and the service provider will contractually grant the necessary rights of inspection, instruction, and control to the service recipient.
g. Audit and supervision
Requirements regarding audit and supervision remain unchanged but will now apply in their entirety to intra-group outsourcing. In accordance with the Circular, the outsourcing company, its auditors, and FINMA must be able to inspect and audit the outsourced business area at any time, in its entirety and without restrictions. By contract, they must be given the full and unrestricted right of inspection and examination. Audit activities may be delegated to the service provider's external auditors, provided that they are organized under Swiss law and possess the necessary technical competence to perform such an audit. The outsourcing may not hinder FINMA's supervision, in particular if the business area is outsourced abroad.
h. Outsourcing abroad
Outsourcing abroad is conditional upon explicit proof that the institution, its auditor, and FINMA may duly exercise and enforce their audit rights. In addition, the new Circular makes clear that the outsourcing abroad of client-identifying data shall be subject to prior notification to FINMA. Furthermore, data necessary for restructuring, resolution and liquidation will have to be accessible in Switzerland at all times.
3. Transitional provisions
The new provisions will apply immediately to outsourcing agreements concluded or amended after the Circular's entry into force. Outsourcing arrangements already existing at the time of the Circular's entry into force shall be brought into line with the new requirements within a two-year period.
4. Entry into force
FINMA has postponed the initial implementation target date of 1 July 2017 to the first quarter of 2018.