Changes and implications
FINMA has revised its circular 08/7 on Outsourcing for Banks and replaced it with the new version, FINMA circular 18/3 Outsourcing for Banks and Insurance companies. One of the main changes is that the circular now also applies to insurance companies.
A draft version was published by the end of 2016. During the hearing period, many banks, insurance companies and other stakeholders submitted their opinions and provided feedback to FINMA. FINMA acknowledged the relevance of much of this feedback and made some changes to the topics discussed. The main discussion points were the definition of materiality, conditions for outsourcing abroad, conditions for group-internal sourcing, specific requirements for system-relevant banks, outsourcing of compliance and risk functions, and the transition time for existing outsourcing agreements.
The enactment date of the new circular is 1.4.2018. For existing outsourcing arrangements there is a transition period of five years; for new outsourcing arrangements, however, the new circular is relevant immediately.
The new circular no longer consists of nine principles, but of eight main requirements. Some of these requirements match old principles, others are new, and some of the old principles have been omitted. The mapping table below provides a comprehensive overview of the principles:
Main changes to old version
There are multiple changes compared to the old version 08/7. Below, we summarise these changes:
- The new circular is applicable to banks AND insurance companies.
- The definition of materiality is more principle-based; there are no longer any examples within the circular.
- The differentiation for group-internal outsourcing agreements is still included but is more principle-based in the new version. Financial institutions need to decide, based on risks, whether certain requirements can be omitted or eased.
- The principles regarding data protection and client orientation have been omitted. FINMA points out that relevant regulation is already given by data protection law and Appendix 3 of FINMA circular 08/21 (Handling of electronic Client Identifying Data [CID]). Data protection law and the requirements of banking secrecy therefore remain relevant.
- Financial institutions need to keep an inventory of all outsourced functions and services. The inventory needs to include sub-outsourcings, CID relevance and the person at the financial institution who is responsible for governance of the agreement.
- The new circular provides guidance on whether it is allowed to outsource risk and compliance functions and tasks.
Main questions and how PwC can help
The new version of the circular on outsourcing brings material changes. There are important strategic decisions on which we may help you and your organisation.
Besides helping you to set up new outsourcing agreements and make your existing outsourcing agreements compliant, there are strategic decisions to be taken, such as:
- Can we source services from abroad and under what conditions? What requirements from Data Protection Law and other FINMA circulars need to be kept in mind?
- Can we use cloud services for sourcing?
- Are we allowed to have CID abroad or in the cloud and under what conditions?
- What do we need to do to make our group-internal sourcing agreements compliant?
- Under what conditions are we able to outsource risk and compliance functions?
- How can we protect our company from cyber risks and data theft in a sourcing environment?
- How can we accurately govern our suppliers?
Please contact our experts. We can advise you on your strategic decisions in the area of outsourcing and help you to make use of the latest technology. Furthermore, we help you to set up audit-proven solutions for your sourcing agreements.
PwC | Assurance Director
Office: +41 58 792 2959 | Mobile: +41 79 372 5788
PwC | Assurance Partner
Office: +41 58 792 4667 | Mobile: +41 79 878 0085
PwC | Assurance Partner
Office: +41 58 792 8459 | Mobile: +41 79 580 7353