FINMA publishes new outsourcing regulations for financial institutions in Switzerland
The Swiss Financial Market Supervisory Authority (FINMA) published on 5 December 2017 the new circular 2018/3 "Outsourcing – Banks and Insurance Companies". It will enter into force on April 1, 2018 and defines the new regulatory requirements to be met by banks, securities dealers and insurance companies in Switzerland when outsourcing material business functions to third-party service providers.
The new regulatory framework follows a principle-based approach and aims to be technology-neutral in order for in-scope financial institutions to be able to implement the outsourcing requirements in a way that takes into account their specific business models and risks.
The main changes compared to the current regime are the following:
- The new outsourcing circular does not only apply to Swiss banks and securities dealers and Swiss branches of foreign banks and securities dealers, but also covers insurance companies having their legal domicile in Switzerland as well as Swiss branches of foreign insurance companies.
- The criterion of materiality which is relevant for the determination of whether an outsourcing falls within the scope of the circular has been defined in an abstract manner. It is the responsibility of each in-scope entity to decide whether a function is material having regard to the specific business model of the entity in question. Under the new circular, a function is deemed to be "material" where – based on an assessment of the financial institution – compliance with the objectives and provisions of financial market supervision legislation significantly depends on it.
- The references to the requirements under current data protection and banking secrecy legislation are no longer included in the outsourcing circular. However, the relevant requirements will still apply to any outsourcing arrangements.
- In-scope financial institutions have to keep an up-to-date inventory of the outsourced functions. Keeping this inventory will impose an additional burden on financial institutions.
- Before the outsourcing takes place, the outsourcing company has to conduct a risk analysis with respect to the outsourcing.
- The new circular does not provide for any specific exceptions for intragroup outsourcing arrangements. With regard to certain regulatory requirements, affiliations within the group may, however, be taken into account, provided that in the intragroup context (i) the risks typically associated with an outsourcing demonstrably do not exist, (ii) the respective requirements are not relevant or (iii) the respective requirements are otherwise regulated.
- For outsourcings of functions to foreign service providers, the outsourcing company is no longer required to demonstrate, by producing a legal opinion or a confirmation from a competent foreign supervisory authority, that its external auditor under bank and stock exchange laws and FINMA are able to assume and enforce their specific audit rights. However, each outsourcing company is still responsible for ensuring that it, its auditors and FINMA are in a position to inspect and audit the outsourced function at any time.
- The former requirement to inform customers in case of outsourcings of customer data to a foreign service provider has been eliminated. Based on existing data protection and banking secrecy laws it may however still be necessary to inform customers about the fact that client identifying or personal data is disclosed to a third party.
For banks and securities dealers, a transition period of five years applies. During this period, in-scope entities have to amend existing outsourcing agreements and must make sure that they correspond to the new regulatory requirements. If a bank or a securities dealer concludes a new outsourcing agreement or amends an existing one, the circular applies immediately after its entry into force. From April 1, 2018, new insurance companies will immediately be subject to the revised circular. Existing insurers are subject to the new rules only if there is a change in their regulatory business plan.