6 February 2016
On 5 December 2017, FINMA published its new circular 2018/3 “Outsourcing – banks and insurers”. Institutions themselves are now responsible for implementation; in practice, this means that a market standard will be established over time.
The previous FINMA circular 2008/7 “Outsourcing - Banks” was addressed exclusively to banks, with intra-group outsourcing relationships benefiting from practical relief. In contrast, insurers were subject to an explicit requirement to submit their business plans, including any outsourcing relationships.
This led to uncertainties in the application but also offered some opportunities for a risk-based design of the required internal outsourcing framework, which specifically also had to take into account adjustments to the financial institutions’ business model if the company entered into digitalization projects.
In view of the fact that regulations are increasingly based on principles, better account should be taken of the different business models and the risks associated with them.
FINMA’s conclusion is clear: the concept of principle-based rules and the institutions’ individual responsibility are to be further strengthened; ultimately, only a few adjustments were made to the draft, and the circular does not provide for a separate solution for banks and insurers.
Apart from establishing a conceptual framework for the supervision of outsourced services/functions, which defines terms such as materiality, risk appetite (affecting the intensity of the monitoring) or functions which may not be outsourced, there are numerous other aspects that an institution should consider meticulously:
The reorganization of the outsourcing relationships should closely correlate with the bank’s business model and its strategic developments. It is imperative that the bank review its requirements with regard to service quality and digitalization strategy and, on that basis, define its target infrastructure (i.e. make or buy). Be sure to include intra-group outsourcing relationships in these considerations. Moreover, it is important to make use of synergies from other regulatory projects, for instance in the area of data protection.
For already licensed insurance companies, the circular will apply from the date on which a business plan change is submitted or communicated to FINMA for approval. The focus is therefore specifically on the preparation of internal policies for the approval of new outsourcing projects and, in the case of already existing outsourcing, the inventory of outsourced tasks, the definition of responsibilities, the risk control and the possibility of in-sourcing again.
Every bank and every insurer will have to introduce a new or adjusted conceptual framework for the monitoring of outsourcing relationships. This will not happen at once. Moreover, the definition of a significant outsourcing relationship as per this circular could vary greatly from institution to institution. This is why the service provider should be in regular contact with its clients. The idea is to establish a new standard. The focus is on the control reports, which can change substantially with regard to content and scope. For the service provider, the challenge could be the speed with which it needs to implement these new aspects.
As digitalization progresses, institutions will increasingly use solutions offered by so-called fintech and regtech companies, including the use of cloud computing. For many financial institutions, this is “uncharted territory” and must therefore be taken into account in the conceptual framework. A good example in this respect would be the orderly reintegration of previously outsourced services.