Outsourcing for Insurers and Banks | KPMG | CH
Outsourcing for Insurers and Banks in the Age of Digitalization

6 February 2016

On 5 December 2017, FINMA published its new circular 2018/3 “Outsourcing – banks and insurers”. Institutions themselves are now responsible for its implementation; in practice, this means that a market standard will become established over time.

No separate solutions for banks and insurers

The previous FINMA circular 2008/7 “Outsourcing - Banks” was addressed exclusively to banks, and group-internal outsourcing relationships benefited from practical relief. In contrast, insurers were subject to an explicit requirement to submit their business plans including any outsourcing relationships.

This led to uncertainties in the application but also offered some opportunities for a risk-based design of the required internal outsourcing framework, which specifically also had to take into account adjustments to the financial institutions’ business model if the company entered into digitalization projects.

In view of the fact that regulations are increasingly based on principles, better account should be taken of the different business models and the risks associated with them.

FINMA’s conclusion is clear: the concept of principle-based rules and the institutions’ individual responsibility are to be further strengthened; ultimately, only a few adjustments were made to the draft and the circular does not provide for a separate solution for banks and insurers.

So what are the challenges and what opportunities arise?

Apart from establishing a conceptual framework for the supervision of outsourced services/functions, which contains the definition of terms such as materiality, risk appetite (affecting the intensity of the monitoring) or functions which may not be outsourced, there are numerous other aspects that an institution should consider meticulously:

  • Do the current outsourcing relationships still fit into our corporate strategy (costs/benefits)?
  • Are the current outsourcing relationships still needed in the age of digitalization? Do we maybe need other kinds of outsourcing relationships?
  • How do we handle outsourced services, for instance within the group, which do not or only partially meet the requirements of the circular?
  • How should we design the transitional phase between the time we use the current regulations and post-1 April 2018, when the new ones enter into force?
  • What happens if we, for example, do not fulfill the requirements in regard to data protection in an outsourced area? Could we then claim the five-year-long transitional period or the time up to the next business plan?
  • If we enter into new outsourcing relationships in 2018, do we already have to implement the exact requirements and duties in regard to organization, processes, ICS and monitoring?
  • What is the impact regarding requirements and duties for an orderly reintegration of outsourcing relationships from both an operational and commercial viewpoint?
  • How important is reputational risk in regard to outsourcing relationships and how do we handle these specifically?

Action points for banks

The reorganization of the outsourcing relationships should closely correlate with the bank’s business model and its strategic developments. It is imperative that the bank check its requirements in regard to its service quality, digitalization strategy and, based on that, define its target infrastructure (i.e. make or buy). Be sure to include intra-group outsourcing relationships in these considerations. Moreover, it is important to make use of synergies from other regulatory projects, for instance in the area of data protection.

Action points for insurers

For already licensed insurance companies, the circular will apply from the date on which a business plan change is submitted or communicated to FINMA for approval. The focus is therefore specifically on preparing internal policies for the approval of new outsourcing projects and, for existing outsourcing, on taking an inventory of outsourced tasks, defining responsibilities, risk control and the possibility of bringing the tasks back in-house.

No common standard available yet

Every bank and every insurer will have to introduce a new or adjusted conceptual framework for the monitoring of outsourcing relationships. This will not happen at once. Moreover, the definition of a significant outsourcing relationship as per this circular could vary extremely from institution to institution. This is why the service provider should be in regular contact with its clients. The idea is to establish a new standard. The focus is on the control reports, which can change substantially in regard to content and scope. For the service provider, the challenge could be the speed with which it needs to implement these new aspects.

So what does the new outsourcing circular mean for service providers, fintech and regtech companies?

As digitalization progresses, institutions will increasingly use solutions offered by so-called fintech and regtech companies, including the use of cloud computing. For many financial institutions, this is “uncharted territory” and must therefore be taken into account in the conceptual framework. A good example in this respect would be the orderly reintegration of previously outsourced services.
