The new FINMA circular 18/3 on Outsourcing

Changes and implications

FINMA has revised its circular 08/7 on Outsourcing for Banks and replaced it with the new version FINMA circular 18/3 Outsourcing for Banks and Insurance companies. Obviously, one of the main changes is the new applicability of the circular for insurance companies.

A draft version has been published by end of 2016. During the hearing period many banks, insurance companies and other stakeholders handed in their opinion and provided feedback to FINMA. FINMA has acknowledged relevance of many of these feedbacks and implemented some changes to the discussed topics. Main discussion points were the definition of materiality, conditions for outsourcing abroad, conditions for group-internal sourcings, specific requirements for system-relevant banks, outsourcing of compliance and risk functions, and transition time for existing outsourcing agreements.

Enactment date of the new circular is 1.4.2018. For existing outsourcings there is a transition period of five years, however, for new outsourcings the new circular will be immediately relevant.

The new circular does no longer consist of nine principles, but newly consists of eight main requirements. Some of these requirements match with old principles, others are new whilst some of the old principles have been omitted. The mapping table below provides a comprehensive overview of the principles:

Main changes to old version
There are multiple changes compared to the old version 08/7. Below, we summarise these changes:

  • The new circular is applicable for banks AND insurance companies.
  • The definition of materiality is more principle-based, there are no longer any examples within the circular.
  • The differentiation for group-internal outsourcing agreements is still included but is more principle-based in the new version. Financial institutions need to decide based on risks, whether certain requirements can be omitted or eased.
  • The principles regarding data protection and client orientation have been omitted. FINMA points out that relevant regulation is already given by data protection law and Appendix 3 of FINMA circular 08/21 (Handling of electronic Client Identifying Data [CID]). – Therefore, Data Protection law and requirements from Banking Secrecy remain relevant.
  • Financial institutions need to keep an inventory about all outsourced functions and services. The inventory needs to include sub-outsourcings, CID relevance and the responsible person for governance of the agreement at the financial institution.
  • The new circular provides guidance on whether it is allowed to outsource risk and compliance functions and tasks.

Main questions and how PwC can help
Obviously, there are material changes with the new version of the circular on outsourcing. There are important strategic decisions on which we may help you and your organisation.

Besides helping you to set up new outsourcing agreements and making your existing outsourcing agreements compliant, there are strategic decisions to be taken, like:

  • Can we source services from abroad and under what conditions? What requirements from Data Protection Law and other FINMA circulars need to be kept in mind?
  • Can we use cloud services for sourcing?
  • Are we allowed to have CID abroad or in the cloud and under what conditions?
  • What do we need to do in order to have our group-internal sourcing agreements be compliant?
  • Under what conditions are we able to outsource risk and compliance functions?
  • How can we protect our company from cyber risks and data stealing in a sourcing environment?
  • How can we accurately govern our suppliers?

Please contact our experts. We can advise you on your strategic decisions in the area of outsourcing and help you to make use of latest technology. Furthermore, we help you to set up audit-proven solutions for your sourcing agreements.


Jens Probst
PwC | Assurance Director
Office: +41 58 792 2959 | Mobile: +41 79 372 5788

Michèle Hess
PwC | Assurance Partner
Office: +41 58 792 4667 | Mobile: +41 79 878 0085

Yan Borboën
PwC | Assurance Partner
Office: +41 58 792 8459 | Mobile: +41 79 580 7353

Published by

Jens Probst

Jens Probst

Jens Probst
PwC Director, Risk Assurance FS
Birchstrasse 160
8050 Zurich
+41 58 792 29 59

Jens Probst is a Director in our Systems- and Process Assurance Team with more than 15 years experience in Banking IT and Back office Processes, Regulation and Transformation. He is specialised in Technology, Banking Back Office processes, Core Banking Systems, Outsourcing, Third Party Management, data enabled fact finding and decision making and Banking Regulation.

His main competencies are Core Banking Systems, Banking Law, IT and Business Process Outsourcing, Information Governance, Business Process Visualisation and Optimization, Transformation Assurance as well as Third Party Management and Assurance.