The most successful banks are able to benefit from outsourcing activities and at the same time manage the associated risks. Not all banks have been successful in managing risks from outsourced activities, and in response FINMA, in its revised Circular 2018/3, mandates minimum risk management requirements for outsourcing activities by banks, securities dealers and, for the first time, insurance companies domiciled in Switzerland as well as branch offices of foreign insurance companies. The revised FINMA Circular 2018/3 will come into force on 1 April 2018, although there are transitional provisions for outsourcing arrangements already in place on that date.
This blog sets out the key regulatory requirements in the Circular.
The revised FINMA Circular 2018/3 contains a number of regulatory requirements relating to the management of risks associated with outsourced activities.
These are summarised in the following five key points:
- Organisations must have in place robust internal processes for the management of outsourced activities, including the approval process, escalation routes and onboarding processes for new outsourced activities. The main risks associated with the outsourcing activity must be systematically identified, monitored and controlled.
- Risk assessments and control activities are required throughout the entire lifecycle of the outsourcing arrangement.
- An inventory of outsourced functions must be prepared and kept up to date at all times, to provide transparency.
- There is a requirement for contingency planning and an ability to in-source any outsourced activity at any time in the event of an emergency.
- Access to data held by a third party in the event of its restructuring, resolution and liquidation must be granted and maintained in Switzerland at all times.
Good practices for implementation
There are several basic requirements for successful implementation of the provisions of Circular 2018/3:
1. Define controls and risk management processes across the entire lifecycle of each outsourced activity. This should cover planning, evaluating and selecting, contracting and on-boarding third party providers, managing and monitoring them, and terminating or renewing the relationship. The internal approval process for outsourcing projects should be followed and it must be possible to conduct a full contract and compliance review at the service provider at any time and without any limitations. To ensure that risks are understood and suitably mitigated, controls must be integrated into the company’s existing internal control framework.
2. Maintain a comprehensive inventory of outsourced activities, which encompasses at a minimum the following details about all internal and external outsourced services:
- details of the outsourced activity;
- the name of the service provider (including any sub-contractors);
- the location and the service recipient; and
- governance arrangements.
It is also recommended that potential risks associated with each outsourced activity be highlighted, such as interdependency or cluster risks, together with how these risks have been classified, how they align with the company’s risk appetite, and what corrective actions have been undertaken to mitigate the identified risks.
3. Define clear roles in the third party risk management process and define a governance structure containing the following three elements:
- Framework Governance, which sets out the responsibility and accountability for overseeing the risk management framework and ensuring it delivers in line with the organisation’s strategy for third party risk management
- Operational Governance, which defines the various responsibilities (and escalation pathways for responsibility and accountability) in order to ensure compliance with the third party risk management processes and their operating effectiveness
- Third Party Governance (Ownership), which sets out the specific roles and responsibilities that individuals within the organisation have in relation to each specific outsourced service and third party.
Other considerations and complexities
Outsourcing to another country is admissible if the company can guarantee that its audit firm and FINMA can enforce the right to inspect and audit the outsourcing partner at any time. Furthermore, in the event of restructuring or liquidation of an outsourcing company in Switzerland, there must be assurance that access to all required information will be available in Switzerland at all times.
The revised FINMA Circular 2018/3 also applies to intra-group outsourcing activities, which means that outsourcing to other parts of the group requires the same approach to monitoring and risk management as external outsourcing. This includes the requirement that internal service level agreements be defined, approval processes be in place, and a clear governance structure be established.
A robust enterprise-wide Third Party Risk Framework helps companies to meet regulatory requirements and protects them against existing and future third party outsourcing risks. The Framework outlined below is integrated into the business and allows a robust, proportionate, proactive, and scalable way of managing risks associated with outsourcing activities.
Key implementation dates
FINMA has granted banks and securities dealers a five-year transition period to comply with the revised circular 2018/3 for outsourced activities that are already in place. From April 1, 2018, new insurance companies will be immediately subject to the requirements of the revised circular. Existing insurers are subject to the new rules only if there is a change in their regulatory business plan.
If you are conducting or considering a maturity assessment of your current risk management framework for outsourced activities, or if you would like to understand more about any of the individual components and requirements of the framework outlined above, please get in touch with us and speak to our experts.