
FINMA revises outsourcing circular

Lorenza Ferrari Hofer and partners, Pestalozzi, Zurich, 31 July 2017

Switzerland's financial regulator has revised the provisions of its circular called "2008/7 Outsourcing – Banks." This covers intra-group and cross-border outsourcing, data protection and a host of other things.

The new circular, which has not yet come into force, includes significant changes, broadening the way in which the rules apply to intra-group outsourcing and insurance companies. It is also going to strengthen the rules that apply to outsourcing abroad and it suggests that every bank ought to keep an inventory of the services it outsources.

Consequently, outsourcing institutions ought to review their existing outsourcing agreements thoroughly and amend them to align them with the new circular’s requirements. Let us look at the main amendments.

Insurance companies

The new circular will apply to insurance companies based in Switzerland and branches of foreign insurance companies, which are subject to either an operating licence or the approval of individual elements of their business plan in Switzerland.

Intra-group outsourcing

FINMA expects banks to treat intra-group outsourcing with the same caution and monitor it as closely as they monitor external outsourcing. The main implication here is that all the requirements set out in the circular will apply equally to intra-group outsourcing. This 'requirement duplication' is a significant change compared with Circular 2008/7, which exempted intra-group outsourcing from the application of certain principles.

Systemically important banks

These banks will have to comply with stringent new rules when outsourcing crucial services (i.e. services necessary for continuing system-relevant functions when insolvency threatens).

Inventory

Every institution will have to keep an inventory of outsourced services that is clear about the range of those activities and describes them. They should name the service provider (including auxiliary persons), the recipient of the services and the internally responsible body.

Data protection

The customer-focused requirements and provisions to do with data protection contained in circular 2008/7 have been repealed to avoid duplication with the Federal Act on Data Protection or DPA. Furthermore, the people whose data is transferred to a service provider need no longer be informed about the transfer of their data. This is why the new circular mentions no data protection law. Banks consequently ought to understand the governing DPA profoundly if they are to run a smooth outsourcing process.

Incidentally, the DPA is being revised and is expected to come into force in 2019. The new version will be influenced by the European General Data Protection Regulation (GDPR) of 27 April 2016. Moreover, as of 25 May 2018 (i.e. after a transitional period), Swiss companies must respect the provisions of the GDPR if they are processing the data of EU clients or if they have a service provider seated in the EU that processes their data. Special caution is required in the case of outsourcing to an EU 'cloud provider.'

Already today, the processing of personal data must comply with strict rules as set out in article 10a DPA. Additional safeguards are necessary if the bank wants to transfer such personal data to a country that has no adequate data protection laws in force. Such safeguards might take the form of data transfer agreements or group-wide data protection policies (cf article 6 DPA) and their accompanying intra-group data transfer agreements to make matters binding. The instructing party, moreover, must always ensure that the third party guarantees data security (article 7 DPA).

The selection, instruction and control of service providers

The new circular is going to revise the rules governing the selection, instruction, and control of service providers to ensure that institutions take into account potential interdependences and cluster risks when selecting outsourcing partners.

Among other things, the circular suggests a risk analysis that integrates the outsourced business into the institution's internal control system. Monitoring and evaluation will happen continually and the service provider will contractually grant the necessary rights of inspection, instruction, and control to the recipient of the service.

Audit and supervision

Requirements regarding audit and supervision remain unchanged but will apply for the first time and in their entirety to intra-group outsourcing. In accordance with the circular, the outsourcing company, its auditors, and FINMA must be able to inspect and audit the outsourced business area in question at any time, in its entirety and without restrictions. Their rights to do so must be enshrined in contracts. The firm may delegate its audit activities to the service provider's external auditors as long as those auditors are 'organised' (incorporated) under Swiss law and possess the necessary technical competence to perform such an audit. The outsourcing may not hinder FINMA’s supervision, especially if the business area is outsourced abroad.

Outsourcing abroad

Outsourcing abroad is conditional upon the explicit proof that the institution, its auditor, and FINMA may duly exercise and enforce their audit rights. In addition, the new circular makes it clear that outsourcing of clients' identifying data abroad will only happen once FINMA has been notified of it. Furthermore, data necessary for restructuring, resolution and liquidation will have to be accessible in Switzerland at all times.

Transitional provisions

The new provisions will apply to outsourcing services "being concluded or amended" as soon as the circular comes into force. Outsourcing services that are already in place at the time of the circular’s entry into force will have two years to adjust to the new regime.

Entry into force

FINMA has postponed the initial implementation target date of 1 July 2017 to the first quarter of 2018.

* Lorenza Ferrari Hofer can be reached on +41 44 217 92 57 or at lorenza.ferrari@pestalozzilaw.com; Daniela Fritsch is on +41 44 217 92 99; Oliver Widmer is on +41 44 217 92 42 or at oliver.widmer@pestalozzilaw.com; and Aline K Bolli is on +41 44 217 93 59 or at aline.bolli@pestalozzilaw.com
