As part of the implementation of the Financial Services Act (FinSA) and the Financial Institutions Act (FinIA), FINMA has revised several circulars, including Circular 2018/03 Outsourcing Banks & Insurers (the “Circular”). From 1 January 2021, the Circular will also apply to selected financial institutions under the FinIA, i.e. fund management companies, managers of collective assets as well as self-managed investment companies with variable capital (SICAV). With the extension of the Circular’s scope, FINMA has eliminated a longstanding regulatory uncertainty: In the past, the Outsourcing Circular was regularly applied analogously to fund management companies and asset managers in certain constellations – particularly in the context of a banking or insurance group.
The inclusion of the above financial institutions is a logical consequence and practical implementation of the level playing field that FinSA and FinIA have created regarding outsourcing. Previously, the requirements for delegation of material tasks (e.g. portfolio management) of fund management companies and managers of collective assets were outlined in the CISO-FINMA and not – formally – specified in the Outsourcing circular. With the entry into force of the FinIA, the delegation of tasks is uniformly and comprehensively regulated for all financial institutions, i.e. the same rules now apply for fund management companies, managers of collective investments, SICAVs and securities firms.
The extension of the scope of application thereby furthers an level playing field, promotes clarity and benefits the newly covered institutions, even if the implementation may mean a considerable additional effort. But why should this additional effort not be lamented, but rather welcomed?
It is all about accountability and control of risk
In recent years, outsourcing has become a clear focus of regulators around the world, including FINMA. With the introduction of the Circular in March 2018, a new standard was set for banks, securities dealers and insurers based in Switzerland. Under the revised Circular, the design of a compliant outsourcing organization is the responsibility of the outsourcing institution, with less concrete specifications by the regulator than under the previous Circular. This should not hide the fact that obligations have been substantially increased and tightened under the revised Circular. The mere fact that these obligations must, to a large extent, also be complied with in the case of intra-group outsourcing, has put further tasks on the regulatory working pile of many institutions.
Apart from the (re-)documentation work that needs to be done under the Circular (e.g. to perform a risk assessment when selecting a provider), the affected institutions are required to take an in-depth look at the risks of an outsourcing project and to critically scrutinize existing outsourcings. The latter must be documented in an up-to-date outsourcing inventory, a requirement new to those institutions previously not in the scope of the Circular. The inventory must notably contain a description of the outsourced functions, the provider (incl. any subcontractors) as well as the responsible function within the outsourcer. For financial institutions under the FinIA, the basic duty to manage such an inventory stems directly from the Financial Institutions Ordinance.
As part of the selection process, the possibilities and consequences of a change of outsourcing provider must be considered as well as the insourcing of the outsourced function(s) to the original financial institution. In this way a smooth and structured insourcing or change in provider is to be ensured, so as avoid any obstacles to the ongoing performance of services.
Beyond the provisions relating to the outsourcing agreements themselves, the Circular requires affected institutions to have the necessary organizational framework and governance structure for ensuring that the risks related to outsourcings are adequately considered and monitored throughout the entire outsourcing lifecycle. More than ever, the risks and benefits must be carefully weighed against each other. It must always be kept in mind that the responsibility for an outsourced activity or function remains with the outsourcing institution and cannot be delegated. It is, therefore, of upmost importance that any risk-taking in the area of outsourcing happens in a conscious manner.
The Circular has undergone revision to include fund management companies, managers of collective assets and SICAVs in its regulatory ambit. The amendments provide the industry with final clarity on the applicability of the Circular, as it has been applied by analogy beyond its formal scope; it also plays its part in furthering the level playing field that the FinSA and FinIA aim to achieve. For institutions previously untouched by the Circular it will be paramount to guarantee the required organizational setup and the integration of the necessary outsourcing considerations into the risk management and internal controls.
From 2021 onwards, the provisions of the new Circular will apply to all newly licensed fund management companies, managers of collective assets (or their Swiss branch offices respectively) and self-managed SICAVs as from the date the license is granted. Existing institutions will have to adhere to the new requirements when applying to a FINMA for a change in the licensing conditions or by 1 January 2022 at the latest.
Read more in our brochure: Supporting you in outsourcing of IT and Bank Backoffice (PDF)