The new FINMA circular 18/3 on Outsourcing

Changes and implications

Background
FINMA has revised its circular 08/7 on Outsourcing for Banks and replaced it with the new FINMA circular 18/3 on Outsourcing for Banks and Insurance Companies. One of the main changes is that the circular now also applies to insurance companies.

A draft version was published at the end of 2016. During the consultation period many banks, insurance companies and other stakeholders submitted their opinions and feedback to FINMA. FINMA acknowledged the relevance of much of this feedback and made changes to several of the topics discussed. The main discussion points were the definition of materiality, the conditions for outsourcing abroad, the conditions for group-internal outsourcing, specific requirements for systemically important banks, the outsourcing of compliance and risk functions, and the transition period for existing outsourcing agreements.

The new circular enters into force on 1 April 2018. Existing outsourcing arrangements benefit from a transition period of five years; new outsourcing arrangements must comply with the new circular immediately.

Overview
The new circular no longer consists of nine principles but of eight main requirements. Some of these requirements correspond to old principles, others are new, and some of the old principles have been dropped. The mapping table below provides a comprehensive overview of the principles:

Main changes to old version
There are multiple changes compared to the old version 08/7. Below, we summarise these changes:

  • The new circular is applicable for banks AND insurance companies.
  • The definition of materiality is more principle-based; the circular no longer contains any examples.
  • The differentiation for group-internal outsourcing agreements is still included but is more principle-based in the new version. Financial institutions must decide, on a risk basis, whether certain requirements can be omitted or eased.
  • The principles regarding data protection and client orientation have been dropped. FINMA points out that the relevant regulation is already provided by data protection law and Appendix 3 of FINMA circular 08/21 (Handling of electronic Client Identifying Data [CID]). Data protection law and banking secrecy requirements therefore remain relevant.
  • Financial institutions must keep an inventory of all outsourced functions and services. The inventory must include sub-outsourcings, CID relevance and the person at the financial institution responsible for governing the agreement.
  • The new circular provides guidance on whether it is allowed to outsource risk and compliance functions and tasks.

Main questions and how PwC can help
The new version of the circular on outsourcing brings material changes, and with them important strategic decisions on which we can help you and your organisation.

Besides helping you to set up new outsourcing agreements and to make your existing outsourcing agreements compliant, there are strategic decisions to be taken, such as:

  • Can we source services from abroad and under what conditions? What requirements from Data Protection Law and other FINMA circulars need to be kept in mind?
  • Can we use cloud services for sourcing?
  • Are we allowed to have CID abroad or in the cloud and under what conditions?
  • What do we need to do in order to have our group-internal sourcing agreements be compliant?
  • Under what conditions are we able to outsource risk and compliance functions?
  • How can we protect our company from cyber risks and data theft in a sourcing environment?
  • How can we govern our suppliers effectively?

Please contact our experts. We can advise you on your strategic decisions in the area of outsourcing and help you to make use of the latest technology. Furthermore, we help you to set up audit-proof solutions for your sourcing agreements.

Contacts

Jens Probst
PwC | Assurance Director
Office: +41 58 792 2959 | Mobile: +41 79 372 5788
Email: jens.probst@ch.pwc.com

Michèle Hess
PwC | Assurance Partner
Office: +41 58 792 4667 | Mobile: +41 79 878 0085
Email: michele.hess@ch.pwc.com

Yan Borboën
PwC | Assurance Partner
Office: +41 58 792 8459 | Mobile: +41 79 580 7353
Email: yan.borboen@ch.pwc.com

SWIFT Customer Security Programme – mandatory specifications to protect your local SWIFT infrastructures

The growing number of cyber-attacks, including those on the local infrastructures of SWIFT participants, has prompted SWIFT to create a security programme for its participants so that the community can counter cyber threats together.

SWIFT published its Customer Security Programme in April 2017. It defines specific requirements to be met by all connected participants. The programme aims to improve the exchange of information within the SWIFT community, to ensure a high level of security for participants' local SWIFT infrastructure, and to put in place an assurance framework that counters the ever-growing number of cyber threats and strengthens the ability of SWIFT participants to combat cyber-attacks.

SWIFT Customer Security Programme

The programme calls upon all SWIFT participants to implement a control and assurance framework. The control framework consists of a set of 16 mandatory and 11 advisory security controls. The controls are based on existing SWIFT security guidelines, and are in line with good practice standards such as NIST, ISO/IEC 27002 and PCI-DSS. The mandatory controls establish a security baseline for the entire SWIFT community. SWIFT also recommends implementing the advisory controls to provide optimal protection for local SWIFT infrastructures.

Demands placed on SWIFT participants

The SWIFT Customer Security Programme comes into force on 1 January 2018. It applies not only to financial service providers but to all companies that participate in the SWIFT network. Before the programme is introduced, each SWIFT participant must conduct a self-assessment and notify SWIFT of its compliance status with respect to the controls (by the end of 2017). From 2018, all participants must confirm their compliance with the controls annually. This confirmation can be provided via a self-assessment (self-attestation), an internal audit (self-inspection) or an external audit (third-party inspection). Participants are free to choose the type of confirmation they submit. For quality assurance purposes, SWIFT will however also carry out regular spot checks of confirmations via internal or external audits.

SWIFT participants must consider the following points in particular:

  • Should only the mandatory controls be implemented, or also the advisory ones?
  • How should the assurance framework be structured? Is self-assessment sufficient, or should an internal or external audit be conducted on a regular basis?
  • Should the status regarding compliance with controls be made public to other SWIFT participants?
  • How can it be ensured that controls continue to be adhered to in the future?

The support we offer you

SWIFT Readiness Assessment

We can help make sure you comply with the SWIFT requirements by 1 January 2018 by assessing your current status and highlighting any gaps.

SWIFT control support

We can provide support for the implementation of controls by means of a post-implementation review.

SWIFT compliance confirmation

We can assist you with your annual confirmation of compliance with SWIFT requirements.

Please feel free to contact our experts if you are interested in the topic.

Contacts

Jens Probst
Director, Systems & Process Assurance
+41 58 792 29 59
jens.probst@ch.pwc.com

Claudia Hösli
Senior Manager, Specialist Cyber Security
+41 58 792 14 85
claudia.hoesli@ch.pwc.com

Marco Schurtenberger
Senior Manager, Specialist Cyber Security
+41 58 792 22 33
marco.schurtenberger@ch.pwc.com

The opportunities opened up by video and online identification
The digitisation of processes is a key issue for the Swiss financial industry. To create and elaborate the necessary regulatory framework, on 18 March this year FINMA issued Circular 2016/7 ‘Video and Online Identification’. We have written a series of blogs addressing the December 2015 draft circular, the opinions expressed in the public consultation, and the risks of implementing video and online identification. In this last blog we’ll compare the final circular published in March with the draft. We’ll also be taking a look at other countries and showing where their practice differs significantly from Switzerland’s. And finally we’ll look at the opportunities that video and online identification creates.

Since 1 January 2016 the revised Anti-Money Laundering Ordinance has been in force. This has enabled FINMA to take account of new technologies designed to assure an equivalent level of security in meeting the relevant due diligence requirements. FINMA also has to make this practice public. This is why it has published Circular 2016/7 ‘Video and Online Identification’, describing the due diligence requirements for intermediaries onboarding clients via digital channels.

Read more about the opportunities here.

Further blogs
Read more about the digitisation of processes in the Swiss financial industry and about other key developments in this field in our previous articles in our blog series on video and online identification.

If you're interested in this topic or have any questions connected with it, please feel free to contact our experts:

Jens Probst
Director, Systems & Process Assurance
jens.probst@ch.pwc.com
+41 58 792 29 59

Christian Hug
Senior Manager, Leader Information Governance
christian.hug@ch.pwc.com
+41 58 792 23 66

Marco Schurtenberger
Manager, Cyber Security & IT Compliance
marco.schurtenberger@ch.pwc.com
+41 58 792 22 33

The security risks of video and online identification

The digitisation of processes is a core issue for the Swiss financial industry. To create and elaborate the necessary regulatory framework, in December 2015 FINMA issued a draft circular governing the video and online identification of clients. In the meantime the final version of the FINMA circular has been published. In our first blog at the beginning of February we presented the draft FINMA circular on video and online identification. In the second we looked at the opinions expressed in the public consultation. In this, our latest entry, we address the concrete challenges involved in video and online identification.

Since 1 January 2016 the revised Anti-Money Laundering Ordinance has been in force. This has enabled FINMA to take account of new technologies designed to assure the requisite level of security in meeting the relevant due diligence requirements. FINMA also has to make this practice public, and has accordingly published the FINMA circular 2016/7 on video and online identification on 17 March 2016. The circular describes the due diligence requirements for intermediaries onboarding clients via digital channels without gaps in the information process. This is an opportunity for the Swiss financial industry to put the digitisation of business processes into practice. Our aim is to show where the risks lie and advise on how to deal with them.

Read more about the security risks here.

Further blogs
Read more about the digitisation of processes in the Swiss financial industry and about other key developments in this field in the next articles in our blog series on video and online identification.

If you're interested in this topic or have any questions connected with it, please feel free to contact our experts:

Jens Probst
Director, Systems & Process Assurance
jens.probst@ch.pwc.com
+41 58 792 29 59

Christian Hug
Senior Manager, Leader Information Governance
christian.hug@ch.pwc.com
+41 58 792 23 66

Marco Schurtenberger
Manager, Cyber Security & IT Compliance
marco.schurtenberger@ch.pwc.com
+41 58 792 22 33

New FINMA circular on video and online identification – feedback from hearings

The digitisation of processes is a core issue for the Swiss financial industry. To create and elaborate the necessary regulatory framework, in December 2015 FINMA issued a draft circular governing the video and online identification of clients. In our first blog at the beginning of February we presented the draft FINMA circular on video and online identification.

Now in this second blog entry we’ll be looking at the publicly available opinions that were submitted to FINMA by the end of the consultation phase on 18 January 2016.

Read more about the new FINMA circular here.

Links to the FINMA consultation:
FINMA News
FINMA Documentation

Opinions published by authors:
Verein zur Qualitätssicherung von Finanzdienstleistungen
bob Finance AG
SWISS FINTECH
SwissBanking

Further blogs
In our next blog you'll get to read about the opinions submitted during the consultation, the opportunities and risks for the Swiss financial market, and more key developments in this area.

If you're interested in this topic or have any questions connected with it, please feel free to contact our experts Jens Probst, Christian Hug or Marco Schurtenberger.

New FINMA circular on video and online identification
The digitisation of processes is a core issue for the Swiss financial industry. To create the necessary regulatory framework, in December 2015 FINMA issued a draft circular governing the video and online identification of clients.

Since 1 January 2016 the revised Anti-Money Laundering Ordinance has been in force. Under its terms, FINMA can take account of new technologies that provide the same level of security in meeting the due diligence requirements. FINMA also has to make this practice public. This is why it has drafted a circular on video and online identification.[1] The draft describes the due diligence requirements that apply when onboarding clients via the internet. Those affected and other interested parties had until 18 January to comment on the draft. The definitive circular is scheduled to enter into force in March 2016.

Read more about the new FINMA circular here.

Further blogs
In our next blog you’ll get to read about the opinions submitted during the consultation, the opportunities and risks for the Swiss financial market, and more key developments in this area.

If you’re interested in this topic or have any questions connected with it, please feel free to contact our experts Jens Probst, Christian Hug or Marco Schurtenberger.

[1] Circular 2016/xx ‘Video and Online Identification’, due diligence requirements for acceptance of business relationships via the internet, FINMA, 21 December 2015